Editor's note: The following is a guest article from Richard Addiscott, senior research director at Gartner.
Phishing attacks, stolen credentials, business email compromise and other threats that take advantage of the potential for human error continue to plague businesses. As cyberthreat actors look to exploit these weaknesses to infiltrate systems, increasing an organization's security awareness can be the difference between blunting an attack and experiencing an enterprisewide disruption to critical business operations.

Yet security and risk management leaders face an ongoing challenge in demonstrating to themselves and to senior executives that the investment in a security awareness program is actually reducing organizational risk. Traditional metrics such as training participation, course completion and phishing simulation click-through rates are useful for measuring employee participation in the security awareness program's curriculum. But on their own, these metrics do nothing to prove that the enterprise program is shifting the behavior of the workforce in a way that reduces cyber risk levels.

A failure to demonstrate the effectiveness of the enterprise security awareness program can result in a decrease in the hard-won executive support that's critical to ensuring organizationwide participation in the program. This will make it harder to secure the ongoing financial or resourcing support required to maintain momentum and reduce organizational risk.

Here are three ways that security and risk management leaders can assess the effectiveness of their security awareness programs and prove to stakeholders that programs are helping to adjust end user behavior — in turn, reducing human-borne risk for the business.

An effective security awareness program is designed to drive behavioral change among end users. A clear vision statement and culture charter can help to identify and articulate what this change should look like.
To develop this vision, security leaders should first identify the desired security practices they want to see embedded into end users' day-to-day actions. This would include statements like:
Then, establish a cross-functional team of volunteer representatives from various business units to build a clear vision statement for the security awareness program. By using a cross-functional working group, it's more likely that the desired security behaviors will be articulated in a way that resonates with the broader workforce, not just the security team. The vision statement must align with desired business outcomes, too. Simple examples include statements such as: "Our people are our greatest security weapon," or "We are a security-conscious workforce."

After developing the vision statement, the cross-functional team should use the list of desired security practices to articulate signature behaviors that would be on display if the security awareness program achieved its desired vision. Signature behaviors are those that clearly reflect end users' positive intent and support for realizing the security awareness vision. For example, if the desired practice is to check links before clicking them, the corresponding signature behavior could be: "We are alert to suspicious emails and report them to the IT service desk."

To introduce these new practices, security leaders should combine the new security awareness vision and signature behaviors into a single document called a security culture charter. After being presented to the executive team for sign-off, the charter can be disseminated across the organization via channels such as targeted emails, lunch and learn sessions, posters and desktop screensavers, or security champion networks.

Most computer-based security awareness training platforms offer reports on training completion rates or phishing simulation click rates. While it's important to know who is completing the training, such reports lack information on the training's effectiveness in reducing risk.
The key objective for any enterprise security awareness program should be to shape employee behavior so that it reduces the likelihood and impact of security incidents. Outcome-driven metrics (ODM) measure such outcomes and tie them back to measurable protection benefits. Security and risk management (SRM) leaders should use ODM to indicate an operational and/or benefit outcome aligned to the behavioral statements crafted as part of the security awareness vision and culture charter. For example, operational outcomes derived from key behavioral indicators could include:
Once the operational outcome metrics data has been collated, the next critical element is to link these insights to business drivers. Start by measuring the impact of human-borne cyber risks and mapping them to benefit outcomes, such as:
Should any of the benefit outcome metrics above fail to show signs of improvement over two or more reporting periods, that indicates potential issues with the security awareness training program. Spotting this early enables security leaders to improve the program proactively, without losing significant momentum on the culture change underway.

The next step is to take these benefit outcomes and link them to the business drivers and benefits that are of interest to the organization's senior executives. Determine how the metrics and narrative used can be linked to the business strategy and associated business drivers, such as revenue/growth, cost management, risk and brand reputation.

Putting this all together, look at phishing awareness training as an example of how to demonstrate the measurable business benefits of a specific security awareness training activity. This approach can be used for various security awareness training activities to provide information that will help build an executive perspective of the effectiveness of the security awareness program. Having a clear vision and using outcome-driven metrics linked to measurable business benefits is key to maintaining support for the program in the long term.
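The rule above (a benefit metric that fails to improve over two or more reporting periods signals a problem with the program) is simple enough to automate. The following is an added example and not part of the article or of Gartner's guidance: the metric names, period labels and quarterly counts are constructed assumptions chosen to illustrate the check. It derives per-period rates from raw phishing-simulation counts (the operational outcome metrics), then reports every metric whose most recent consecutive periods show no improvement.

```python
"""Trend check for outcome-driven security awareness metrics.

Constructed example: the metric names, period labels and counts below are
assumptions for illustration, not figures from the article or from Gartner.
It derives per-period rates from raw simulation counts and flags any metric
that has not improved over two or more consecutive reporting periods.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Metric:
    name: str
    lower_is_better: bool
    values: List[float]  # one value per reporting period, oldest first


# Constructed quarterly phishing-simulation counts (hypothetical data).
PERIODS = ["2023-Q1", "2023-Q2", "2023-Q3", "2023-Q4"]
DELIVERED = [1000, 1000, 1200, 1200]   # simulated phish emails sent
CLICKED = [180, 140, 132, 108]         # users who clicked the lure
REPORTED = [200, 310, 360, 360]        # users who reported it to the service desk
MINUTES_TO_REPORT = [95, 60, 62, 70]   # median minutes from delivery to first report
CREDENTIAL_INCIDENTS = [7, 5, 5, 3]    # real credential-compromise incidents per quarter


def derive_rates(delivered, clicked, reported) -> Dict[str, List[float]]:
    """Turn raw counts into per-period rates (operational outcome metrics)."""
    return {
        "click_rate": [c / d for c, d in zip(clicked, delivered)],
        "report_rate": [r / d for r, d in zip(reported, delivered)],
    }


def improved(metric: Metric, prev: float, cur: float) -> bool:
    """True if the metric moved in its desired direction between two periods."""
    return cur < prev if metric.lower_is_better else cur > prev


def trailing_stall(metric: Metric) -> int:
    """Count the most recent consecutive periods that showed no improvement.

    Walks backwards from the latest period and stops at the first period
    that did improve; a flat value counts as no improvement.
    """
    run = 0
    for i in range(len(metric.values) - 1, 0, -1):
        if improved(metric, metric.values[i - 1], metric.values[i]):
            break
        run += 1
    return run


def flag_stalled(metrics: List[Metric], threshold: int = 2) -> Dict[str, int]:
    """Return metrics whose stall length meets the threshold (default: two periods)."""
    return {m.name: trailing_stall(m) for m in metrics if trailing_stall(m) >= threshold}


def sample_metrics() -> List[Metric]:
    """Assemble the constructed operational and benefit metrics."""
    rates = derive_rates(DELIVERED, CLICKED, REPORTED)
    return [
        Metric("phishing_click_rate", True, rates["click_rate"]),
        Metric("phishing_report_rate", False, rates["report_rate"]),
        Metric("median_minutes_to_report", True, MINUTES_TO_REPORT),
        Metric("credential_incidents", True, CREDENTIAL_INCIDENTS),
    ]


if __name__ == "__main__":
    for name, stall in flag_stalled(sample_metrics()).items():
        print(f"{name}: no improvement for {stall} periods, review the program")
```

With the constructed data, the click rate and incident count keep improving, while the report rate and time-to-report have both stalled for two quarters, which is the signal the article says should trigger a review. Treating a flat value as "no improvement" is a deliberate design choice: a metric that has plateaued is exactly the case where the program needs attention before momentum is lost.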
Security awareness training is a strategy used by IT and security professionals to prevent and mitigate user risk. These programs are designed to help users and employees understand the role they play in helping to combat information security breaches. Effective security awareness training helps employees understand proper cyber hygiene and the security risks associated with their actions, and teaches them to identify cyber attacks they may encounter via email and the web.

Why do your employees need security awareness training?
Research suggests that human error is involved in more than 90% of security breaches. Security awareness training helps to minimize risk, thus preventing the loss of PII, IP, money or brand reputation. An effective awareness training program addresses the cybersecurity mistakes that employees may make when using email or the web, and in the physical world, such as tailgating or improper document disposal.

Use phishing tests to increase security awareness
It's easy to set up a phishing email test campaign on the Mimecast Awareness Training platform. In under 10 minutes, you can be ready to deploy a phish template to your users:
What are best practices for how to approach awareness training?
Effective security awareness training focuses on engaging today's workforce to reduce user risk. Many security awareness training programs ignore education best practices, delivering training in one-off sessions that overwhelm users with information or, worse, are forgettable. For training to stick, it needs to be persistent, delivered regularly in small doses, to fit employees' busy schedules. Most importantly, positive reinforcement and humor perform better than fear-based or boring messaging at improving retention of critical security topics.

Why choose security awareness training from Mimecast?
Mimecast security awareness training is highly effective at changing employee attitudes and behavior around critical security practices. Additional benefits include:
Critical security awareness training topics
Mimecast Awareness Training regularly releases new training modules to keep content fresh for your users and reflect emerging security threats your organization faces. In addition to 12 to 15 annual training modules focused on information security topics, Mimecast releases monthly shorter trainings based on trending cyberattacks or seasonal scams, and specialty topics covering new data privacy regulations. Topics include, but are not limited to:
Additional security awareness training FAQs:

How long does it take to build a security awareness training program?
The time required to build a security awareness program depends on the technology and methodology you choose. As an online platform, Mimecast Awareness Training can be deployed and configured quickly, rolling out awareness training to a global workforce easily.

How often should you conduct security awareness training programs?
Data shows that employees are far less likely to retain information from a cybersecurity awareness training program if the program is conducted infrequently and requires a large time investment. Some cybersecurity training programs require hours of an employee's time, often leading to employees tuning out the training and simply going through the motions to check the requirement off their to-do list. Mimecast Awareness Training is different. Our engaging, seriously funny 3- to 5-minute modules are delivered monthly to make training a regular part of an employee's responsibilities without overwhelming them.

How do you raise awareness on cybersecurity?
Cybersecurity awareness is a journey: by regularly providing cybersecurity awareness training to employees in a fun and educational way, you can make cybersecurity everyone's role.

How much does a security awareness training program cost?
The cost of an effective security awareness training program will vary depending on the size of your organization. Both small to mid-sized businesses and global enterprise organizations can implement Mimecast Awareness Training for a fraction of what a successful cyber breach costs a company in revenue losses. For added layers of security and additional cost savings, Mimecast Awareness Training can be bundled into a number of comprehensive cybersecurity plans.