How to Audit Your Company Security Training Efforts

Security training is critical for all businesses—your weakest link is human error. Eliminate this risk by assessing your current training efforts.

Jessica Thiefels
PolySwarm
6 min read · May 11, 2018

This is a guest post by Justin Bonnema, of The Security Awareness Company. The views and opinions expressed in this blog do not necessarily reflect those of the PolySwarm organization nor is this considered professional advice.

We can all agree that every organization needs an effective security training and awareness program: “Adequate training for personnel can dramatically decrease the likelihood of a successful attack on a business. Unfortunately, as borne out by the recent attacks, businesses are continuously failing to adequately train their personnel,” says Michael R. Overly, CSO Online contributor.

Don’t let a lack of proper training lead to a costly attack or breach. Instead, perform a robust audit of those efforts, removing the guesswork and simplifying the challenging process of defending your organization against cybercrime.

Before you do, however, you need to know what constitutes success and how to assess whether your training efforts have succeeded. Get ready to audit your company security training efforts with these tips.

Identify Vulnerable Assets

A major part of risk management is knowing which assets are at risk. After all, how can you protect something if you don’t have a firm understanding of its potential vulnerabilities?

If this sounds familiar, then you’ve likely shown an interest in the NIST Cybersecurity Framework, which includes five functions in its core philosophy. “Identify” registers as the first function, defined as “Developing an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”

This information provides insight on why attackers might target your organization and allows you to coordinate security training efforts accordingly.

Identify High-Risk Employees

Once you’ve determined which assets carry the most risk, perform an audit on who has access to those assets. Insider threats pose a difficult challenge for every organization. In fact, the recent Verizon Data Breach Investigations Report found that 12% of data breaches involved privilege misuse and another 17% of breaches involved human error.

Error and misuse go hand-in-hand, but you can mitigate them, or at least mitigate their potential damage. Identifying high-risk users will help you determine if access controls need updating and if certain individuals require additional awareness training. Remember that more access equals more risk, especially considering the recent uptick in business email compromise.


Address the Right Metrics

If you can’t measure it, you can’t improve it. But how do you know if your phishing course is preventing clicks if you don’t measure the current rate of clicks? How do you know if your employees are bridging the gap between training and awareness if you don’t measure their behavior in some tangible way?

Gathering hard data paves a direct path to performance, good and bad. For example, organization-sponsored phishing campaigns will give you an indication of how click-happy your employees are. Penetration testing will demonstrate whether your users can identify social engineering attacks, both in the cyber domain and in the physical domain.

If you can offer proof-of-concept to your superiors, they’re more likely to buy into your efforts, and hard numbers represent the most efficient, honest way to do that.
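As an added example (not code from the article or The Security Awareness Company), here is the kind of before/after measurement the section calls for, run over a constructed export from an internal phishing-simulation tool: per-campaign click and report rates, plus the users who clicked in more than one campaign, which is one way to surface the high-risk employees discussed earlier.

```python
from collections import defaultdict

# Constructed sample export (not real data): campaign, user, department, outcome.
# Two campaigns, one before and one after a training cycle.
SAMPLE_EVENTS = """\
2018-01 alice finance clicked
2018-01 bob finance reported
2018-01 carol hr clicked
2018-01 dave it reported
2018-01 erin hr ignored
2018-04 alice finance clicked
2018-04 bob finance reported
2018-04 carol hr reported
2018-04 dave it reported
2018-04 erin hr ignored
"""

def parse_events(text):
    """Parse whitespace-separated records into (campaign, user, dept, outcome)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        campaign, user, dept, outcome = line.split()
        rows.append((campaign, user, dept, outcome))
    return rows

def campaign_rates(rows):
    """Per-campaign (click_rate, report_rate) as fractions of messages sent."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _user, _dept, outcome in rows:
        sent[campaign] += 1
        if outcome == "clicked":
            clicked[campaign] += 1
        elif outcome == "reported":
            reported[campaign] += 1
    return {c: (clicked[c] / sent[c], reported[c] / sent[c]) for c in sorted(sent)}

def repeat_clickers(rows, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for a
    targeted refresher and for an access-control review."""
    clicks = defaultdict(set)
    for campaign, user, _dept, outcome in rows:
        if outcome == "clicked":
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_clicks)

if __name__ == "__main__":
    rows = parse_events(SAMPLE_EVENTS)
    for campaign, (click, report) in campaign_rates(rows).items():
        print(f"{campaign}: click rate {click:.0%}, report rate {report:.0%}")
    print("repeat clickers:", repeat_clickers(rows))
```

A falling click rate alongside a rising report rate is the behavior change you want to show your superiors; the repeat-clicker list tells you where additional training or tighter access is warranted.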

Encourage User Feedback

Metrics are important for collecting data, but not so great for revealing the emotional side of awareness training, which you can’t ignore either. If you truly want to know if your program works, ask the people enrolled in it.

Open, honest feedback nets two important results:

  • It reveals potential weaknesses or gaps in training.
  • It empowers your employees and gives them a sense of inclusion.

Some gaps in training may show up in the numbers when you assess metrics, but the numbers won’t tell you if certain employees want more information on a particular subject. They also won’t tell you if your users dislike certain types of content or if training interrupts workflow too often — most of us don’t want to sit through training sessions, but we can still provide options that employees don’t dread.

How you go about getting feedback depends on your organization. Regardless of how you achieve it, remember that transparency rules. This process doesn’t end with gathering feedback. You also need to demonstrate to your users that you value their feedback. Even if a certain request from an employee doesn’t fit your objectives, follow up with them and explain why.

Develop Employee Ownership

Frustration among employees creates resistance to learning. This highlights an imperative element of your company’s security culture: if your employees believe they have a say in their training, they’re more likely to bridge the gap between training and learning, and to do so faster. In this way, the program comes to feel like their own.

“Where there’s an opportunity to take initiative or bring ideas forward, it happens. Best of all, employees that rate high on taking ownership think like leaders,” explains Brennan Mceachran, contributor for Glassdoor.

Mceachran continues, “Accountability is the flip side of ownership. It’s about following through and delivering on everything you own. True accountability is key, because there is an exponential impact (a detrimental one) to a team when one person can’t make timelines or complete work as expected.”

Consider how you can develop a culture of security within your organization, where employees take ownership over techniques and initiatives to keep them and the company safe.

Use the Four Levels of Learning Evaluation

The Kirkpatrick Model, developed by Don Kirkpatrick in the late 1950s, to this day represents one of the most logical and useful formulas for evaluation. From reaction to results, the Kirkpatrick Model simplifies the relationship between successful training and a successful business via four distinct levels:

  • Level 1: Reaction — What’s the reaction of participants towards the training program?
  • Level 2: Learning — How much change in attitude and improvement in knowledge and skill is due to training?
  • Level 3: Behavior — How much change in the behavior of the participants (in their workplace) is due to training?
  • Level 4: Results — What kind of benefits to the organization were due to training?

Applying this model to your training efforts creates a system of checks and balances within your program. It also helps dissolve two challenging barriers: user buy-in and executive buy-in. By measuring reaction (getting feedback) and change in behavior (getting results), you create a flexible program, which is ultimately a successful program.

If you need to take your threat intelligence efforts to the next level, stay up to date with PolySwarm, which will allow you to crowdsource your cybersecurity efforts to a worldwide network of security experts.

Bio: Justin Bonnema is the senior writer for The Security Awareness Company. We specialize in creating dynamic, engaging content designed to change end-users’ behavior. From basic security training to one-on-one customized programs, our company has assisted hundreds of organizations across the globe improve their resilience to cybercrime.

Jessica Thiefels is the VP of Community Management for PolySwarm. Find her work on more than 500 websites, including Virgin, Forbes and Business Insider.