Security Awareness Program Owners know that proving ROI to the bigwigs is no easy feat. While you do a lot to keep your cybersecurity awareness training program operating like a well-oiled machine, sometimes your hard work goes under-appreciated.
When it comes to tracking, there are a few core metrics that your CISO and executive management want to see to help you get that training budget buy-in you so desperately need.
- Security training module completion: Where are employees hitting a snag in the lesson plan and falling off the training - can a certain point be identified?
- Awareness training quiz/test results: How well are employees scoring on quizzes? Are there specific questions, rather than overall topics, that employees are missing, such as those that require critical thinking?
- Phishing campaigns/clicks: Who fell for the phish by clicking an infected link when running an employee phishing campaign?
- The performance of high-risk individuals: How are you measuring the performance of certain departments and individuals that fall into more high-risk roles?
- Engagement activities outside of training: Are you measuring how engaged employees are outside of required security and awareness training campaigns?
- An “overall security score” or risk rating: How do you quantify all the metrics collectively?
1. Security training module completion.
We bet you’re a little tired of the buzzword “compliance,” but it’s something pushed over and over again in most organizations for good reason. Compliance in particular matters to your C-suite, and therefore it is something you must focus on heavily within your cybersecurity awareness training campaign.
If you’re putting your employees through a cybersecurity training program with set modules (specific clustered video lessons, quizzes, etc.), then it’s important to assign time to their overall module completion rate.
Are your employees hitting a snag at a certain point in the lesson plan and falling off the training? Don’t be afraid to detail and categorize your video “watch” metrics apart from other course completion milestones to take a hard look at where people are stopping.
Depending on what types of compliance your company needs to meet, it’s up to you to closely monitor how you are meeting the standards and milestones outlined by the relevant standard’s governing body. While you can’t expect your employees to know all the fine details of this, it’s important that teams know their role in helping to meet compliance.
2. Awareness training quiz/test results.
If between lesson plans you have employees taking short quizzes or end-of-module tests, take some time to see how well they’re scoring. It’s important to look beyond the standard “pass” or “fail” criteria and see how teams are truly doing. This is where you’ll see if teams or individuals need additional support, by topic.
You can even take it a step further and drill down to specific answers in order to think critically about where you can reinforce education. For instance, if teams are passing cut-and-dried questions but struggling with critical-thinking queries (scoring high on “True or False” questions, but getting “What is the best way to handle this scenario?” questions wrong), you may want to investigate. Perhaps your training modules need to take the lessons beyond theory and make them more relatable to real-life situations.
3. Phishing campaigns/clicks.
Ahh, the trusted phishing campaign. Some security programs treat these tests as the be-all and end-all of cybersecurity training. Phishing tests can no doubt be valuable, but they’re not the Holy Grail or the only cybersecurity training metric to track. Instead, they’re just one piece of the puzzle that should be combined with the other metrics covered in this article, as well as human risk management.
Of course, if you run a phishing campaign to see how employees react to simulated phishing attacks, you’ll want to note who fell for the phish by clicking an infected link. If the company you work with can get you the estimated dollar amount a mistake like this could cost your business, you can take that figure to upper management to justify a larger cybersecurity training budget.
Check out our webinar on Why Your Phishing Campaign Isn’t Working to make some major improvements today.
4. The performance of high-risk individuals.
Certain departments, and individuals on those teams, fall into higher-risk roles than others. For example, your Finance department is more likely to be targeted in a phishing campaign, since they have access to private information and money! Your C-suite themselves may think they’re impervious to cyber attacks, but because of their high privilege and position, they’re also routine targets for scammers.
It’s up to you to dig into some statistics and trust your gut to know who within your company should be considered a greater risk. After determining which members of your organization need to be monitored more closely, it’s crucial to keep your focus on them a little more so than others.
5. Engagement activities outside of training.
Getting people engaged can be one of the toughest hurdles in a security awareness campaign. Don't forget to monitor where people are engaging so you can measure the effectiveness of your outreach efforts. Some Security Awareness Program Owners think outside the box to track things like prizes given out during training, questions asked outside of training, who shows up to lunch-and-learns, website traffic, awareness video sharing or downloads, comments or responses to instant messenger notifications, and more.
We encourage you to get creative to really show the investment you’re making in your initiative and employees— from a time, resources, and care perspective— beyond the conventional.
6. An “overall security score” or risk rating.
How do you quantify all the metrics we’ve discussed, collectively? Trust us, we know that can be a big undertaking and, oftentimes, an ambiguous one at that!
That’s why our team at Living Security designed a comprehensive “Risk Rating” inside our cybersecurity training platform. Much like a credit score, our Risk Rating categorizes your company’s overall risk by low, medium, or high— on a spectrum— to give you a snapshot of how your org stacks up holistically.
Our individualized “Security Score Breakdown by Category” is a popular feature too, showing you the different areas where your departments are struggling. It’s a core indicator of where you could better support your teams— by providing additional resources or training on areas they’re falling short like data security or privacy.
We can even help you pinpoint your high-risk employees, or the specific departments or roles that need more help during training. You might notice your Accounting team is excelling more than HR, or that for some reason your Sales Director isn’t completing training while your Financial Analyst is crushing it.
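As an added example (not code from the Living Security platform, and not its Risk Rating formula), the script below computes the metrics from sections 1 through 4 over a constructed employee roster and rolls them into an assumed low/medium/high rating; the category weighting and the 80/60 thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample roster (not real data): one record per employee.
# tf / scenario are quiz scores in [0, 1]; modules_done is out of TOTAL_MODULES.
TOTAL_MODULES = 4
RECORDS = [
    {"name": "ana", "dept": "Finance", "modules_done": 4, "tf": 0.9, "scenario": 0.4, "clicked": True},
    {"name": "ben", "dept": "Finance", "modules_done": 2, "tf": 0.8, "scenario": 0.5, "clicked": True},
    {"name": "cal", "dept": "HR",      "modules_done": 4, "tf": 0.9, "scenario": 0.9, "clicked": False},
    {"name": "dee", "dept": "HR",      "modules_done": 2, "tf": 0.7, "scenario": 0.8, "clicked": False},
    {"name": "eve", "dept": "Sales",   "modules_done": 0, "tf": 0.0, "scenario": 0.0, "clicked": True},
]

def completion_rate(records):
    """Metric 1: fraction of employees who finished every module."""
    return sum(r["modules_done"] == TOTAL_MODULES for r in records) / len(records)

def dropoff_module(records):
    """Metric 1: the module (1-based) where most partially-complete employees stopped, or None."""
    stops = defaultdict(int)
    for r in records:
        if 0 < r["modules_done"] < TOTAL_MODULES:
            stops[r["modules_done"] + 1] += 1
    return max(stops, key=stops.get) if stops else None

def theory_practice_gap(records):
    """Metric 2: mean true/false score minus mean scenario score.
    A large positive gap means theory questions pass while applied judgment fails."""
    n = len(records)
    return sum(r["tf"] for r in records) / n - sum(r["scenario"] for r in records) / n

def click_rate_by_dept(records):
    """Metrics 3 and 4: simulated-phish click rate per department (high-risk teams stand out)."""
    hits, total = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["dept"]] += 1
        hits[r["dept"]] += int(r["clicked"])
    return {d: hits[d] / total[d] for d in total}

def risk_rating(records):
    """Metric 6: assumed aggregation (illustrative, not a vendor formula): equal-weight average
    of three 0-100 category scores, bucketed into low (>=80), medium (>=60) or high risk."""
    n = len(records)
    scores = {
        "completion": 100 * completion_rate(records),
        "quiz": 100 * sum(r["scenario"] for r in records) / n,
        "phishing": 100 * (1 - sum(r["clicked"] for r in records) / n),
    }
    overall = sum(scores.values()) / len(scores)
    label = "low" if overall >= 80 else "medium" if overall >= 60 else "high"
    return overall, label, scores

if __name__ == "__main__":
    print(completion_rate(RECORDS), dropoff_module(RECORDS), theory_practice_gap(RECORDS))
    print(click_rate_by_dept(RECORDS), risk_rating(RECORDS))
```

The per-category breakdown returned by risk_rating is what tells you which area (completion, quiz, or phishing) to support first, rather than the single label alone.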
You Focus on the Metrics, We’ll Focus on Campaign Promotion
As a Security Awareness Program Owner, you know a large portion of your role is proving the ROI of your cybersecurity initiative. It can be difficult to crunch numbers all while trying to creatively craft your program’s core messaging and educational materials.
Let us take care of the details of your internal program promotion while you worry about meeting your KPIs.
In our Campaign in a Box package, you’ll receive instant messages, emails, and other pieces of content organized in monthly security campaigns. Worry less about how to get your team engaged in your initiatives with resources from Living Security. Request more information about our support packages, today.