
This last March, I gave a workshop at BSidesSF, the popular InfoSec conference before RSA Conference in San Francisco. Although the official topic was “Using the Secrets of Behavioral Science to Influence Security,” I talked in part about how to measure the changes security teams can see when they leverage behavioral science to influence employees’ security behaviors.
I told the packed auditorium, “Inability to measure effectiveness of security awareness training usually leads to those programs being deprioritized.” Now. The amount of head nodding. The hum of attendees murmuring agreement. It shouldn’t surprise me anymore, but it still does, the emphatic reaction I get when I talk to security awareness teams – CISOs and practitioners alike – about how to measure security awareness training.
For too long, we’ve accepted training completion as a sufficient metric. Which, sure, it’s still needed for compliance in a lot of cases. But is the training you’re doing actually reducing security risk for your organization? That remains a black box for too many teams. Awareness practitioners and CISOs often complain to me that they don’t have any other metrics besides training completion and maybe mock phishing data. I beg to differ: security teams are in a better position to measure employee security behavior change than they realize.
What my co-founder Robert and I have discovered at Elevate (and before that, during our time at Salesforce) is that security teams have installed tons of security tooling that can give insights into how our employees are behaving on the network. But we just leave this data on the cutting room floor.
For example, most enterprises have an endpoint solution that prevents malware from being run on a machine. Known malware execution attempts are blocked, logged, and the security team moves on. But wait! That’s pure security behavior change gold! Wouldn’t it be great to see who was running that malware, and how many times it happens? With this data you’ll know which employees need more malware training and who is good to go. Further, this will let you know where your malware hotspots are likely to be in the future, just in case that endpoint solution of yours doesn’t catch everything. Defense in depth – now with more people security!
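Here is what mining those endpoint block logs for a behavior metric looks like in practice. This is an added example, not code from the guide or the Elevate Platform; it assumes a JSON-lines export with the fields `ts`, `user`, `dept`, `action` and `threat` (names chosen for illustration), and the log lines are constructed sample data.

```python
from collections import Counter
import json

# Constructed sample of endpoint-protection events (JSON lines), not real telemetry.
# Field names are assumptions; map your endpoint tool's export to them.
SAMPLE_LOG = """
{"ts": "2023-03-01T09:12:00Z", "user": "alice", "dept": "finance", "action": "blocked", "threat": "Trojan.Generic"}
{"ts": "2023-03-01T11:40:00Z", "user": "bob", "dept": "engineering", "action": "blocked", "threat": "Adware.Bundle"}
{"ts": "2023-03-02T08:05:00Z", "user": "alice", "dept": "finance", "action": "blocked", "threat": "Downloader.Macro"}
{"ts": "2023-03-02T14:22:00Z", "user": "carol", "dept": "finance", "action": "allowed", "threat": ""}
{"ts": "2023-03-03T16:01:00Z", "user": "alice", "dept": "finance", "action": "blocked", "threat": "Trojan.Generic"}
{"ts": "2023-03-04T10:30:00Z", "user": "dave", "dept": "sales", "action": "blocked", "threat": "Adware.Bundle"}
"""

def parse_events(text):
    """Parse a JSON-lines export; skip blank or malformed lines instead of aborting the report."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def blocks_per_user(events):
    """Blocked malware execution attempts per user: the per-employee behavior metric."""
    return Counter(e["user"] for e in events if e.get("action") == "blocked")

def blocks_per_dept(events):
    """Blocked attempts per department: the 'hotspot' view for where to add training or controls."""
    return Counter(e["dept"] for e in events if e.get("action") == "blocked")

def needs_training(events, threshold=2):
    """Users at or above the threshold of blocked attempts are candidates for targeted training."""
    return sorted(u for u, n in blocks_per_user(events).items() if n >= threshold)

def trend(events):
    """Blocked attempts per day, so the program can check whether the count falls after training."""
    by_day = Counter(e["ts"][:10] for e in events if e.get("action") == "blocked")
    return dict(sorted(by_day.items()))

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per user:", blocks_per_user(evs))
    print("per dept:", blocks_per_dept(evs))
    print("needs training:", needs_training(evs))
    print("per day:", trend(evs))
```

Run the same report before and after a training push; the per-day trend and per-user counts are the before/after comparison the post is asking for.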
That’s why we’re launching a new guide, Fantastic Metrics and Where to Find Them, based on what we’ve learned deploying the Elevate Platform with customers like Autodesk. It’s all about how to demystify the business-critical impact we know security training can, and should, have, starting with some fantastic metrics, and, yup, knowing where to find them.
In this guide, we’ll show you how to leverage metrics to build a successful security behavior change program, including:
- What metrics to use for goals to measure how and when your employees’ security behavior improves
- The systems and software your company may use where you can source those metrics
- How to verify or test the data from those sources
Get your copy of Fantastic Metrics and Where to Find Them, and let us know what you think!