Investment into changing security culture and behavior via security awareness and training (SA&T), if done correctly, has the ability to transform your security team’s function and reach. We need to invest in these people-related initiatives to harden the ever-important human firewall. But there’s also more to this story: Changing the culture around security has the power to uplift the security conversation, in turn giving you much-needed visibility and support as a security function. None of these are particularly tangible things to measure.

People-Related Security Investment Is Still Seen As Fluffy And Soft

Historically, investments into SA&T have been halfhearted and usually low on the laundry list of security initiatives to receive funding. Plus, it’s debatable as to how well they work: Our data suggests that only 26% of workers know what to do in the event of a breach. It also shows that 7% openly acknowledge that they ignore or go around security policy. This means either we are not investing enough in training employees or that whatever it is that we are investing in is not working.

Time and time again, I hear something along the lines of “Why should I invest in awareness?” or “Prove to me that it works.” Fair question/request, but they are also a sad reflection that, within security, people-related initiatives are still seen to have fewer tangible benefits than technical initiatives. They are perceived as “soft” and “fluffy” areas of security. But as my most recent report written with Claire O’Malley, “The Business Case For Security Awareness And Training,” shows, this could not be further from our reality.

Key Tips For Measuring The Benefits Of Awareness

SA&T works, and we need to demonstrate its effectiveness. We need to define what “works” means — that is, are SA&T initiatives successful in changing desired behaviors? In our report, we show security teams and leaders how they should measure the success of their SA&T programs. We share how they can employ techniques such as surveys to understand employee triggers and behaviors. You can read the full report, but I wanted to share some tips from the report to help you understand how to justify your existing SA&T programs:

  • Move away from only measuring completion rates and Net Promoter Score* to judge your investment. These are important metrics, but by no means do they give you a clear picture of how effective the behavior change is. You need to work harder at that part.
  • Gather feedback from IT, and collect alternative metrics relating to behavior change. Check to see if employees are submitting fewer help desk tickets or how many incidents they’re reporting. These measurements show how much knowledge your workforce has retained and how it’s translating that knowledge into action.
  • Survey your workforce to measure motivation, ability, and triggers. Oftentimes, the best way to find out if something is working is to actually ask. This will allow you to quantify the strengths and weaknesses of an existing or potential SA&T program and gain insight into the current state of security culture. Collect results on an annual basis — they’ll show progress and provide guidance for any necessary program adjustments.

If done correctly, your SA&T solutions will have significant reach. Work with all your constituents to identify whether that reach is effective. Check with them to determine if it is creating the behavior and culture change that you need it to.

(I’d like to note my thanks to my research associate, Seles Sebastin, for coauthoring this blog with me.)


* Net Promoter and NPS are registered service marks, and Net Promoter Score is a service mark, of Bain & Company, Inc., Satmetrix Systems, Inc., and Fred Reichheld.