5 Metrics to Help Measure the Success of Security Awareness Programs
Discover how to enhance security culture and measure progress effectively.
Dive into effective security culture measurement with insights from Erich Kron, security awareness advocate at KnowBe4. Discover key metrics and strategies for improvement.
Security pros report that human error is the biggest security threat to businesses, yet studies show that human risk factors remain beyond the control of most cybersecurity teams. Phishing, poor credential hygiene, and unpatched vulnerabilities are the culprits behind most security compromises. The only way organizations can keep human risk under control is by improving security awareness, changing security behavior, and fostering a culture of cybersecurity.
Unfortunately, one of the biggest mistakes organizations make is embarking on a culture change program without first establishing the metrics they will use to track results. People get confused, the business loses sight of its goals, and the program fails.
Changing employee behavior and culture is an iterative process: measure the gap between the current state and the target vision, act on it, and measure again. Below are five metrics that organizations can use to track and measure the state of security awareness and culture:
1. Security Culture Dimensions
Security culture can be measured across seven dimensions: attitudes (how employees feel about the security program, protocols, and processes); behaviors (typical employee actions that affect security); cognition (how well employees understand and perceive the security program); communication (how effectively the security program is communicated); compliance (how closely employees follow existing security policies and procedures); norms (the unspoken rules and habitual behaviors employees practice that affect security); and responsibility (whether employees understand their own role in contributing to the organization's security).
Organizations can use culture assessments (such as a security culture maturity model) to map and measure their cybersecurity culture across these seven dimensions. In addition, they can benchmark culture on parameters such as security awareness (how aware employees are of security risks), policy adherence (how well employees follow cybersecurity policies), risk management (how effectively the organization identifies, assesses, and manages cyber risk), incident response (how effectively the organization responds to security incidents), and leadership involvement (how engaged leaders are in the cybersecurity program).
2. Phish-prone Percentage (PPP)
One of the most useful metrics for gauging how susceptible an organization is to phishing is the phish-prone percentage: the share of recipients of a simulated phishing email who fall for it by clicking the link, opening the attachment, or submitting credentials. It measures the degree to which people fall for phishing and social engineering lures and whether that behavior improves or worsens over time, which in turn shows whether phishing training is working. To measure it, organizations first run a simulated phishing campaign to establish a baseline failure rate. Open rates are a weak signal for this purpose: open tracking relies on an image pixel that mail clients and security gateways often fetch automatically, and link-scanning gateways can register clicks that no human made, so automated activity should be filtered out before the percentage is computed. Next, employees undergo security training, which can include presentations, videos, interactive content, and games. Once training is complete, employees are tested again with further realistic phishing simulations. This cycle must be repeated, and the phish-prone percentage tracked across campaigns, to gauge the effectiveness of training. Studies show that organizations that run phishing simulations and security awareness programs regularly see their phish-prone percentage fall over time.
3. Behavioral Metrics
Behavioral metrics are those captured from what employees actually do. For instance, how employees respond to a targeted, spear-phishing-style simulation versus a generic one. Behavioral metrics can also be broken down by department, job category, employee profile, and skill set. Security teams can measure how employees behave in specific situations: for example, phishing susceptibility by device type, office location, or regional and cultural background, or before and after a reward or gamification exercise is announced. Security teams can also gather evidence of employee behavior and usage patterns from existing security tools such as data loss prevention (DLP), user and entity behavior analytics (UEBA), and multi-factor authentication (MFA) logs.
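The following is an added example, not code from the article or from KnowBe4, showing how the phish-prone percentage from section 2 and the departmental breakdown from section 3 can be computed from per-recipient campaign results. The record layout, action names, department names, and the heuristic for discarding gateway auto-clicks (a click within seconds of delivery, or from a non-browser user agent) are assumptions for illustration; the sample results are constructed.

```python
"""Phish-prone percentage (PPP) and reporting rate from simulated-phishing results.

Added example, not from the article. The record format, action names and
scanner heuristic below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# Actions that count as "falling for" the simulation. Merely opening the email is
# deliberately NOT a failure: open tracking depends on an image pixel that mail
# clients and gateways often fetch with no human involved.
FAIL_ACTIONS = {"clicked", "submitted_credentials", "opened_attachment"}

# Heuristic (assumption) for automated clicks by email security scanners:
# an action within a few seconds of delivery, or a non-browser user agent.
SCANNER_WINDOW = timedelta(seconds=10)
SCANNER_UA_MARKERS = ("bot", "scanner", "python-requests")


@dataclass
class Result:
    campaign: str
    sent_at: datetime
    user: str
    department: str
    action: str                      # "none", "opened", "clicked", "submitted_credentials", "reported", ...
    acted_at: Optional[datetime] = None
    user_agent: str = ""


def is_automated(r: Result) -> bool:
    """True if the recorded action looks like a security scanner rather than a person."""
    if r.acted_at is None:
        return False
    too_fast = r.acted_at - r.sent_at < SCANNER_WINDOW
    bot_ua = any(m in r.user_agent.lower() for m in SCANNER_UA_MARKERS)
    return too_fast or bot_ua


def failed(r: Result) -> bool:
    """A human failure: a failing action that does not look automated."""
    return r.action in FAIL_ACTIONS and not is_automated(r)


def phish_prone_pct(results: list[Result]) -> float:
    """Failures divided by delivered recipients, as a percentage (0.0 for an empty campaign)."""
    if not results:
        return 0.0
    return 100.0 * sum(failed(r) for r in results) / len(results)


def report_rate_pct(results: list[Result]) -> float:
    """Share of recipients who reported the simulation; a complementary, positive behavior."""
    if not results:
        return 0.0
    return 100.0 * sum(r.action == "reported" for r in results) / len(results)


def ppp_by(results: list[Result], key: Callable[[Result], str]) -> dict[str, float]:
    """PPP per group, e.g. per department, device type or campaign."""
    groups: dict[str, list[Result]] = {}
    for r in results:
        groups.setdefault(key(r), []).append(r)
    return {g: round(phish_prone_pct(rs), 1) for g, rs in sorted(groups.items())}


def ppp_trend(results: list[Result]) -> list[tuple[str, float]]:
    """PPP per campaign in send order, so baseline-vs-post-training change is visible."""
    first_sent: dict[str, datetime] = {}
    for r in results:
        first_sent.setdefault(r.campaign, r.sent_at)
    return sorted(ppp_by(results, lambda r: r.campaign).items(), key=lambda kv: first_sent[kv[0]])


# Constructed sample: a baseline campaign and a post-training campaign to the same five people.
T0 = datetime(2024, 3, 4, 9, 0)
T1 = datetime(2024, 6, 3, 9, 0)
SAMPLE = [
    Result("2024-Q1 baseline", T0, "alice", "finance", "clicked", T0 + timedelta(minutes=7), "Mozilla/5.0"),
    Result("2024-Q1 baseline", T0, "bob", "finance", "submitted_credentials", T0 + timedelta(minutes=12), "Mozilla/5.0"),
    Result("2024-Q1 baseline", T0, "carol", "engineering", "reported", T0 + timedelta(minutes=3)),
    # gateway auto-click: 2 seconds after delivery, non-browser user agent; must not count
    Result("2024-Q1 baseline", T0, "dave", "engineering", "clicked", T0 + timedelta(seconds=2), "LinkScanner-bot/1.0"),
    Result("2024-Q1 baseline", T0, "erin", "engineering", "opened", T0 + timedelta(minutes=30)),
    Result("2024-Q2 post-training", T1, "alice", "finance", "reported", T1 + timedelta(minutes=5)),
    Result("2024-Q2 post-training", T1, "bob", "finance", "clicked", T1 + timedelta(minutes=9), "Mozilla/5.0"),
    Result("2024-Q2 post-training", T1, "carol", "engineering", "none"),
    Result("2024-Q2 post-training", T1, "dave", "engineering", "none"),
    Result("2024-Q2 post-training", T1, "erin", "engineering", "reported", T1 + timedelta(minutes=1)),
]

if __name__ == "__main__":
    for campaign, pct in ppp_trend(SAMPLE):
        print(f"{campaign}: PPP {pct}%")
    print("PPP by department (all campaigns):", ppp_by(SAMPLE, lambda r: r.department))
    print("Report rate, post-training:", report_rate_pct(SAMPLE[5:]))
```

On the constructed sample the baseline PPP is 40% (two of five, with the gateway auto-click excluded) and the post-training PPP is 20%, while the reporting rate rises from 20% to 40%; the departmental breakdown shows that all remaining failures sit in one department, which is the kind of cut section 3 recommends acting on.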
4. Organizational Metrics
How frequently is the program communicated? How often are security training sessions held, and what is attendance like? Are sessions tailored to the audience? Are incident response procedures practiced regularly? Are rewards, contests, or incentives around security announced regularly? Are employees recognized at company meetings for positive security behavior? How often do employees approach the security team with concerns or requests for training? Is cybersecurity discussed regularly in executive meetings? Are security goals and milestones tracked, reported, and shared with employees and stakeholders? Organizations should track such metrics and compare before-and-after measurements to understand the effect these activities have on culture and employee engagement.
5. Metrics From Surveys And Focus Groups
Surveys are a good way to capture employee feedback about the security program, its initiatives, and its functions, and to gather evidence of progress and change. Some organizations avoid surveys for fear of a negative result. But even during periods of poor performance or uncertainty it is worth collecting feedback, because the team can use it as a baseline against which to measure improvement and then report that improvement back to employees, which in turn motivates them. Focus groups are another way to measure success and get direct feedback on security initiatives. Once feedback is captured and improvements based on it are implemented, survey the target audience again to understand the impact. Repeat this cycle to measure, fine-tune, and consistently improve the program.
To summarize, avoid jumping straight into a security awareness program without first benchmarking its current state. Without knowing where you are, you cannot know where you are going or what needs to improve. Start by defining the end goal and the key performance indicators (KPIs). Next, measure the current state of those KPIs using the metrics above. Once a baseline is established, you can develop ideas to improve those numbers. Keep measuring and fine-tuning, and never lose sight of your KPIs and goals: that is the only way to keep a security awareness program growing.