Regardless of industry or location, nearly half of the executives surveyed in a recent MetricStream report named cybersecurity as their top business risk. At the same time, a look at the most common passwords in use, all of which are runs of sequential numbers or keystrokes, shows how wide the gap between principle and practice remains. Weak passwords are only the tip of the iceberg, but they illustrate why cybersecurity awareness training matters: a good program should enforce password hygiene and promote safe browsing, email, mobile and other security best practices. So whether your organization is just beginning to establish its cybersecurity awareness program or you are looking to take it to the next level, here are some key things your training may be missing.

Measuring the impact of a cybersecurity awareness program

According to the most recent Verizon Data Breach Investigations Report, about 22 percent of security incidents in 2021 can be traced back to human error by employees inside an organization, a figure that has stayed roughly the same since 2018. Over much of that same period, organizational budgets for security awareness training rose steadily, from about $137 per employee in 2018 to $203, according to Mimecast. So how can the number of human-enabled incidents stay flat while spending on security awareness training keeps increasing? One answer is that organizations may simply be spending more without getting the proverbial awareness bang for their security buck.

As with many other aspects of evaluating the return on a cybersecurity program, measuring the benefits of security awareness is difficult. Some organizations count the threats blocked by existing security controls, such as phishing messages scanned and deleted before delivery, or track the open rate of their phishing-awareness campaigns. In today's high-risk environment, matched by close scrutiny of security budgets, those numbers alone are not enough.

This is a challenge that Infosec's Jordan Filip, Client Success Team Lead, and Kevin Angeley, Senior Sales Engineer, have been working to help organizations overcome, as the two discussed in a recent Infosec Inspire session. "We've realized that what customers need and should expect from their security awareness training program is the same level of enterprise-grade reporting that helps drive other parts of their business," notes Angeley. "Since we've been collecting information and working with our customers to create and identify key performance indicators in their account, we've learned that success goes beyond the phishing rate you see on your dashboard."

Other indicators of the strength of your security culture

Most organizations with security awareness programs are familiar with the more common phishing-related metrics, such as the report rate and the time to report. Many also have ways to measure the impact of security awareness programs on their employees, such as collecting feedback through course evaluations or surveys. However, with IBM reporting that the average cost of a data breach has reached an all-time high of $4.24 million, Angeley and Filip wanted to help organizations go beyond these metrics and use additional data analysis tools and key performance indicators to spot trends and measure success. While these metrics have several dimensions, Angeley and Filip believe they all boil down to finding ways to measure and increase engagement in order to mitigate security risk. "This is an important correlation because engaged learners learn more effectively, retain more, and are less likely to fall victim to a security attack," emphasizes Angeley.

Comprehensively measuring security awareness

Angeley and Filip help organizations take advantage of Infosec's Security Culture Survey, which measures the performance of a security awareness program with questions that tie back to five domains. The survey can be run once or twice a year. The five domains it covers are:

Confidence: How learners feel about putting their security knowledge to practical use. These questions are a good way to track the maturity of a security awareness program over time.

Sample Question: How confident are you that you would know what to do if you witnessed a cybersecurity incident? 

Responsibility: How well learners understand their role in implementing their organization’s cybersecurity program.

Sample questions can cover the specific policies and procedures expected of employees in a particular functional role (e.g., human resources professionals keeping data private).

Engagement: The number of employees completing the required cybersecurity awareness training on time and how relevant the program is to their role in the organization.

Sample Question: How relevant is the cybersecurity training you receive at work to your life and activities outside of work?

Trust: How employees perceive IT and security in their organization and their perception of the strength of their existing security program.

Sample Question: How comfortable are you reaching out to your IT or security team for assistance? 

Outcomes: How well employees understand the impact a security incident would have on the health or reputation of their organization.

Sample Question: How seriously do you think a cybersecurity issue would be taken if you reported one at your workplace?
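The metrics discussed above (click and report rates, time to report, on-time training completion, and per-domain survey scores) are easy to describe but are only useful if they are computed consistently from campaign to campaign. The following is an added example, not code from the article or from the Infosec IQ product: it scores a constructed phishing-simulation event log, a constructed set of training-completion records and constructed responses to the five survey domains named above. The event format, the question identifiers and the mapping of a 1..5 Likert answer onto a 0..100 scale are the example's own assumptions.

```python
"""Phishing-simulation KPIs and security-culture survey scoring.

Added example: this is not code from the article or from Infosec IQ.
All events, responses and completion records are constructed, and the
normalisation (Likert 1..5 mapped linearly onto 0..100) is the example's
own assumption; the metric definitions follow the article's description.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed phishing-simulation log: (user, event, minutes_after_send).
# "delivered" marks the send; "clicked" and "reported" are user actions.
CAMPAIGN_EVENTS = [
    ("alice", "delivered", 0), ("alice", "reported", 4),
    ("bob", "delivered", 0), ("bob", "clicked", 9), ("bob", "reported", 12),
    ("carol", "delivered", 0), ("carol", "clicked", 31),
    ("dave", "delivered", 0), ("dave", "reported", 45),
    ("erin", "delivered", 0),
    ("frank", "delivered", 0), ("frank", "reported", 120),
]


def campaign_kpis(events):
    """Click rate, report rate, report-without-click rate and median time to
    report (minutes) for one simulated campaign. Only a user's first click
    and first report count, so repeated actions do not inflate the rates."""
    delivered = {u for u, e, _ in events if e == "delivered"}
    first_click, first_report = {}, {}
    for user, event, minutes in events:
        if event == "clicked":
            first_click.setdefault(user, minutes)
        elif event == "reported":
            first_report.setdefault(user, minutes)
    n = len(delivered)
    # A user who clicked and then reported still counts as a click, but the
    # report matters for incident response, so track clean reports separately.
    clean_reports = [u for u in first_report if u not in first_click]
    return {
        "delivered": n,
        "click_rate": len(first_click) / n,
        "report_rate": len(first_report) / n,
        "report_before_click_rate": len(clean_reports) / n,
        "median_minutes_to_report": median(first_report.values()) if first_report else None,
    }


# Constructed training-completion records: (user, completion date or None).
TRAINING_DEADLINE = datetime(2022, 3, 31)
COMPLETIONS = [
    ("alice", datetime(2022, 3, 10)), ("bob", datetime(2022, 4, 2)),
    ("carol", None), ("dave", datetime(2022, 3, 30)),
    ("erin", datetime(2022, 3, 31)), ("frank", datetime(2022, 2, 28)),
]


def on_time_completion_rate(completions, deadline):
    """Share of assigned learners who finished on or before the deadline
    (the article's Engagement indicator)."""
    on_time = sum(1 for _, done in completions if done is not None and done <= deadline)
    return on_time / len(completions)


# The five survey domains named in the article. Each question maps to one
# domain; answers are on a 1 (low) .. 5 (high) Likert scale. Question
# identifiers are assumed names, not the survey's own.
QUESTION_DOMAIN = {
    "confident_in_incident": "confidence",
    "know_role_policies": "responsibility",
    "training_relevant": "engagement",
    "comfortable_asking_it": "trust",
    "reports_taken_seriously": "outcomes",
}
# Constructed survey responses, one dict per respondent.
SURVEY_RESPONSES = [
    {"confident_in_incident": 4, "know_role_policies": 5, "training_relevant": 2,
     "comfortable_asking_it": 3, "reports_taken_seriously": 4},
    {"confident_in_incident": 3, "know_role_policies": 4, "training_relevant": 2,
     "comfortable_asking_it": 2, "reports_taken_seriously": 5},
    {"confident_in_incident": 5, "know_role_policies": 4, "training_relevant": 3,
     "comfortable_asking_it": 4, "reports_taken_seriously": 4},
    {"confident_in_incident": 2, "know_role_policies": 3, "training_relevant": 1,
     "comfortable_asking_it": 3, "reports_taken_seriously": 3},
]


def survey_domain_scores(responses, question_domain):
    """Mean Likert score per domain, rescaled to 0..100 so domains can be
    compared with each other and across survey rounds."""
    answers = defaultdict(list)
    for response in responses:
        for question, score in response.items():
            answers[question_domain[question]].append(score)
    return {d: (sum(v) / len(v) - 1) / 4 * 100 for d, v in answers.items()}


def weakest_domain(scores):
    """Domain with the lowest score: where the next round of training,
    communications or champion outreach should focus."""
    return min(scores, key=scores.get)


if __name__ == "__main__":
    print(campaign_kpis(CAMPAIGN_EVENTS))
    print("on-time completion:", round(on_time_completion_rate(COMPLETIONS, TRAINING_DEADLINE), 3))
    scores = survey_domain_scores(SURVEY_RESPONSES, QUESTION_DEADLINE if False else QUESTION_DOMAIN)
    print(scores, "weakest:", weakest_domain(scores))
```

Two design points are worth noting. First, a user who clicks and then reports is still a click for the click rate, but the report is tracked separately, because a prompt report after a mistake is exactly what incident response needs and a dashboard that hides it understates the program's value. Second, survey scores are rescaled to a common 0..100 range before being compared, so the weakest domain can be read off directly and tracked across survey rounds rather than eyeballed from raw averages.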

How to take your cybersecurity awareness program to the next level

There is more to a strong cybersecurity awareness program than phishing simulations, regular training and an annual survey. So what do Angeley and Filip recommend for organizations that want to bolster their overall security programs?

Identify champions from across the functional areas of your organization who can act as an extension of your security team and help communicate across groups.
Build trust in your organization's IT and security teams by resolving the issues that drive workarounds, highlighting successes, and recognizing staff who demonstrate your program's values.
Keep security training fresh and relevant, for example with updated statistics, case studies, and gamified training that encourages healthy competition.
Refine training topics and regular communications based on organizational events or on overall behavioral trends.
Engage managers and executives in promoting and encouraging involvement in the security program.
Develop key performance indicators and a regular reporting mechanism to track the program's metrics over time.
Partner with other functional experts within your organization, such as the training and learning professionals in Human Resources.
Establish a consistent schedule for promoting and highlighting your security program, using a tool to automate the process and communications where that helps.

Bringing it all together

While there is broad agreement across organizations about the value and importance of cybersecurity, and especially about the role each employee plays, EY reported that only 29 percent of Fortune 100 companies utilize security awareness programs. Your organization can be different, and you do not have to lay the groundwork for a strong, measurable and agile security awareness program on your own. Experts like Angeley and Filip believe that taking a people-first approach and using trusted, refined tools like the Infosec IQ Cybersecurity Culture Survey can help your organization be better prepared for the threats of tomorrow.

Sources 

Cybersecurity is Greatest Post-Pandemic Concern in 2021, According to MetricStream Risk Management Survey, PRNewswire
2021 Data Breach Investigations Report, Verizon
Employee Negligence Remains the Biggest Threat in Data Breaches, Bitdefender
The ROI of Security Awareness Training, Mimecast and Osterman Research
Cost of a Data Breach Report 2021, IBM and the Ponemon Institute
What companies are disclosing about cybersecurity risk and oversight, EY