Security Behavior Change

To Improve Employee Security Readiness, You Must First Measure It. Here’s How

Masha Sedova

Published on 1 November 2018

You’re tasked with building your company’s security awareness training. Where do you begin? Most people jump right into creating training content, but is this actually the right approach?

Consider this: How will you know what to train on and what exactly you want to drive awareness around? The answer is with metrics. And this is where all security awareness programs should begin. You won’t know what to focus on if you’re not first measuring where your gaps in security awareness lie. And as training progresses, how can you effectively benchmark improvements if you never started with a baseline? This is something I learned and implemented in my days working at Salesforce and that we now help companies address every day here at Elevate Security.

In this post, I’m going to show you how to build a metrics-first program that improves your entire security awareness effort, and makes you look good in the process.

Reversing a Backwards Process

Traditionally, the security industry has given up on any meaningful attempt to measure the impact of a program on security behaviors. That’s because so many outside influences can affect an employee’s behavior, including new technical controls or news coverage of the latest breach. How can you know whether it’s training that’s moving the needle, or one of these factors?

Another reason is that people metrics are…well…hard. Unlike applying a patch to a machine, which is a pretty straightforward task with a verifiable outcome, humans are a bit more difficult. They can forget information or choose not to apply what they’ve learned to a situation. In that sense, can you effectively measure the success of a program if people forget the information in six months? One year? Three years? It can be tricky to know…so most just don’t bother.

Plus, models like the SANS Security Awareness Maturity Model place a metrics framework as the final stage, so we’ve been trained to treat measurement as an afterthought.

[Figure: Security awareness maturity model]

The good news is, as IT and security systems become more sophisticated, we can better integrate them, as well as better integrate humans with technology, to avoid most of these challenges.

Why Measure Security?

The simple answer is: for the same reasons we measure anything else! We measure to know if security training is effective and to show us the impact of employees’ security decisions (both good and bad). Measurement also helps us communicate progress to others.

What if metrics could show you which employees are making the best security decisions, and pinpoint those who are underperforming and need more support? What if they could tell you which skills your company as a whole excels at…and which it lacks? And what if you could break strengths and weaknesses down by team?

[Figure: Performers vs. stragglers charts]

Would this help inform your training so you could tailor it to what your employees need most? Absolutely! Could this help you develop department-specific training? Definitely. Could it help you cut down on training that your team doesn’t actually need, allowing you to zero in on the right training resources instead? 100%. This is arguably the biggest reason to measure first.

One critical insight I measured at Salesforce, and have since seen across industries, is that tenure at a company is one of the key indicators of how security-smart an employee is. The newer an employee is, the more likely they are to fall for a phish, forget to report it, or download malware. Given this, it only makes sense to double down on a new hire program to get the most impactful risk reduction for your organization!

If you can know ahead of time what security skills your employees already have and what they don’t, you can develop a training program based on that. No need to bore or numb them with information they’ve already heard dozens of times, and perhaps even hurt your credibility along the way. Instead, you can respect their intelligence and time by giving them a training experience that’s truly useful and informative.

There is data that can tell you all of this; it’s simply a matter of knowing where to get it.

Know Where You’re Going Before You Start Walking in That Direction

To start this process, begin by interviewing key stakeholders to find out what metrics matter most to them. Perhaps for one team, it’s the reporting of phishing emails. For another, it’s strong password use. And for another, it’s safe WiFi and remote working policy adherence. The outcome of this will likely be a set of qualitative and quantitative metrics.

From there, gather a baseline measurement to understand exactly where things stand today. How many people currently report phishing emails? How many use strong passwords, use a password manager, and don’t reuse passwords across company accounts? How many remote workers connect to public WiFi? These measurements become the benchmark for determining whether, over time, your program has actually influenced these security behaviors.

Using a system that can integrate with all of these data sources and then correlate and help you make sense of it is ideal. More on that in a bit…

Using all of this information, you can create a truly effective program to influence specific security behaviors. This will help you zero in on the topics employees need the most training around as well as avoid unnecessary time and expense spent on areas that don’t matter as much.
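As an added example (my own illustration, not code from the original post or from Elevate Security), here is the baseline-and-benchmark step above, plus the tenure breakdown from the "Why Measure Security?" section, in Python over a constructed set of phishing-simulation records. The teams, tenure buckets, outcomes and both measurement periods are made up; what matters is the shape of the calculation: break the click and report rates down by team and by tenure bucket, attach a confidence interval to each rate, and test whether the change from the baseline period to the follow-up period is bigger than random variation in a sample that small would produce.

```python
"""Baseline metrics for a security awareness program (added example).

Breaks phishing-simulation outcomes down by team and by tenure bucket,
puts a confidence interval on each rate, and tests whether a follow-up
period differs from the baseline. Every record below is constructed.
"""
from collections import defaultdict
from math import sqrt

FIELDS = ("period", "team", "tenure_months", "clicked", "reported")
# Constructed sample: one row per simulated phish delivered (not real data).
_ROWS = [
    ("baseline",  "engineering",  2, True,  False),
    ("baseline",  "engineering",  3, True,  False),
    ("baseline",  "engineering", 18, False, True),
    ("baseline",  "engineering", 30, False, True),
    ("baseline",  "engineering",  8, False, False),
    ("baseline",  "marketing",    1, True,  False),
    ("baseline",  "marketing",    5, True,  False),
    ("baseline",  "marketing",   24, False, True),
    ("baseline",  "marketing",   40, False, False),
    ("baseline",  "marketing",    4, False, False),
    ("follow_up", "engineering",  5, False, True),
    ("follow_up", "engineering",  6, False, True),
    ("follow_up", "engineering", 21, False, True),
    ("follow_up", "engineering", 33, False, False),
    ("follow_up", "engineering", 11, False, True),
    ("follow_up", "marketing",    4, True,  False),
    ("follow_up", "marketing",    8, False, True),
    ("follow_up", "marketing",   27, False, True),
    ("follow_up", "marketing",   43, False, False),
    ("follow_up", "marketing",    7, False, False),
]
RECORDS = [dict(zip(FIELDS, row)) for row in _ROWS]


def tenure_bucket(months):
    """Bucket tenure so new hires can be compared with established staff."""
    if months < 6:
        return "<6 months"
    if months < 12:
        return "6-12 months"
    return "12+ months"


def rate_by(records, group, outcome, period=None):
    """Return {group_value: (hits, total, rate)} for a boolean outcome field.

    `group` maps a record to its grouping key (team, tenure bucket, ...);
    `period` restricts the records to one measurement period if given.
    """
    counts = defaultdict(lambda: [0, 0])
    for rec in records:
        if period is not None and rec["period"] != period:
            continue
        key = group(rec)
        counts[key][1] += 1
        if rec[outcome]:
            counts[key][0] += 1
    return {key: (hits, total, hits / total) for key, (hits, total) in counts.items()}


def wilson_interval(hits, total, z=1.96):
    """95% Wilson score interval for a proportion; behaves well for small samples."""
    if total == 0:
        return (0.0, 0.0)
    p = hits / total
    denom = 1 + z * z / total
    centre = (p + z * z / (2 * total)) / denom
    half = z * sqrt(p * (1 - p) / total + z * z / (4 * total * total)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def compare_periods(records, outcome, before="baseline", after="follow_up", z_crit=1.96):
    """Two-proportion z-test: did the outcome rate change between two periods?"""
    def count(period):
        rows = [r for r in records if r["period"] == period]
        return sum(1 for r in rows if r[outcome]), len(rows)

    k1, n1 = count(before)
    k2, n2 = count(after)
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p2 - p1) / se if se else 0.0
    return {"before": p1, "after": p2, "delta": p2 - p1, "z": z,
            "significant": abs(z) >= z_crit}


if __name__ == "__main__":
    groupings = (("team", lambda r: r["team"]),
                 ("tenure", lambda r: tenure_bucket(r["tenure_months"])))
    for label, group in groupings:
        for key, (hits, total, rate) in sorted(rate_by(RECORDS, group, "clicked", "baseline").items()):
            lo, hi = wilson_interval(hits, total)
            print(f"baseline click rate, {label} {key}: {rate:.0%} ({hits}/{total}, 95% CI {lo:.0%}-{hi:.0%})")
    for outcome in ("clicked", "reported"):
        res = compare_periods(RECORDS, outcome)
        print(f"{outcome}: {res['before']:.0%} -> {res['after']:.0%}, "
              f"z={res['z']:.2f}, significant={res['significant']}")
```

In this constructed sample the newest hires click 80% of lures at baseline while nobody with a year or more of tenure clicks any, which is the kind of breakdown that points a program at new-hire training. Note also that with only ten simulated phishes per period, the drop in click rate from 40% to 10% does not reach significance (z is about -1.55): that is the trap when benchmarking against a baseline, so collect enough sends per group before crediting training with the change.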

One insight we’ve observed using this method is that developers’ security hygiene around phishing is just as bad as the marketing team’s, so we were able to address that through specific training as well.