In today’s blog, we’ll share some recommendations on how to test and measure the effectiveness of your security awareness program. How do you know if you are making an impact? What can you actually measure? How do you know if you’re measuring the right things?
In answering these questions, you need to first establish your goals and metrics and determine if there is a baseline. For instance, let’s start with a key component that should be covered in every security awareness program – anti-phishing.
According to a recent report, credential theft, social engineering attacks like phishing and business email compromise caused the majority (67 percent) of data breaches. The report noted that attackers continue to use these tactics because they work, and that most organizations should put the “bulk of security efforts” into fighting those types of attacks.
Despite the effectiveness of phishing campaigns, click rates are “as low as they have ever been” at 3.4 percent, the same report said. Still, calculating the number of people who actually click on phishing emails at your organization could be a starting point for your organization’s anti-phishing campaign metrics, assuming you conduct click tests.
The threat actor only needs one open door, which is why phishing is still one of the most concerning threat vectors year after year. Let’s say you can show that 85 percent of the people in your organization don’t click – does that mean the training is effective? It’s a start, but there’s still much more to consider, such as how to address the other 15 percent.
Now, let’s look at another aspect of your training content. Are you training end users to report incidents? Are you being specific enough to be able to measure this?
While the same research mentioned above showed the rate of reporting is increasing, the following point can’t be emphasized enough. Your end users are your first line of defense and you need them to take two actions: don’t click the link and report it quickly.
The sooner your response team knows about a phishing campaign, the faster they can take technical actions to mitigate the incident. The data shows that on average, people who click on a phishing email will do so within an hour of receiving it. Thus, you want your savvier end users to act fast. This response time is something you can certainly measure with test campaign data, as well as real incident data, to track behavior changes over time.
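The measurements discussed above (click rate, report rate and time to report), computed for one simulated phishing test. This is an added example, not part of the original post; the record layout, field names and sample values are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

SENT = datetime(2024, 3, 4, 9, 0)  # constructed delivery time for the test email

def row(user, click_min=None, report_min=None):
    """Build one constructed recipient record; offsets are minutes after delivery."""
    at = lambda m: None if m is None else SENT + timedelta(minutes=m)
    return {"user": user, "delivered": SENT, "clicked": at(click_min), "reported": at(report_min)}

# Constructed sample data (hypothetical export layout): one row per recipient.
CAMPAIGN = [
    row("u01", click_min=12), row("u02", report_min=5), row("u03", report_min=30),
    row("u04", click_min=45, report_min=50), row("u05"), row("u06"),
    row("u07", report_min=90), row("u08", click_min=150), row("u09"),
    row("u10", report_min=20),
]

def minutes(rows, field):
    """Sorted minutes from delivery to the given event, for recipients who did it."""
    return sorted((r[field] - r["delivered"]).total_seconds() / 60 for r in rows if r[field])

def campaign_metrics(rows):
    if not rows:
        raise ValueError("campaign has no recipients")
    n = len(rows)
    clicks, reports = minutes(rows, "clicked"), minutes(rows, "reported")
    first_report = reports[0] if reports else None
    return {
        "click_rate": len(clicks) / n,
        "report_rate": len(reports) / n,
        # Neither clicked nor reported: a "didn't click" figure alone hides this group.
        "silent_rate": sum(1 for r in rows if not r["clicked"] and not r["reported"]) / n,
        "clicks_within_hour": sum(1 for c in clicks if c <= 60),
        "minutes_to_first_report": first_report,
        "median_minutes_to_report": median(reports) if reports else None,
        # Clicks that came after the first report: the window a fast response can close.
        "clicks_after_first_report": sum(
            1 for c in clicks if first_report is not None and c > first_report),
    }

if __name__ == "__main__":
    for name, value in campaign_metrics(CAMPAIGN).items():
        print(f"{name}: {value}")
```

Running the same function over each test campaign, and over real incident records in the same layout, gives the series needed to track behavior changes over time.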
We’ve focused heavily on the anti-phishing component of security awareness training and measurement in this blog. Let’s face it, we need to keep working on this because phishing continues to be a major threat vector in data breaches.
However, you should still be looking at other topics for security awareness training and measurement. Here are several more to consider:
- Malware
- Password security
- Removable media
- Safe internet habits
- Social networking dangers
- Physical security and environmental controls
- Clean desk policy (and its virtual equivalent for remote workers)
- Data management and privacy
- Bring-your-own-device (BYOD) policy
You may or may not currently cover all of these topics in your security awareness training program, but the list is a reasonable one to review.
Summary
It’s unlikely you spend your full workday focusing on the security awareness programs at your organization. But by highlighting some key areas of proven impact, like anti-phishing training, you should be able to validate the current state of your program operations or gain a few new ideas for improvements going forward and, just as importantly, secure budget to fund new initiatives.