How do you measure the success of your security awareness program (SAP)?
Even with metrics and testing, the numbers only tell us when and if employees have completed training. Not if the training had a positive impact on an organization’s efforts to prevent breaches or data leaks. Not if it changed anyone’s behavior. Not if someone hated it or really felt like they learned something from it.
So how do you obtain that information? How do you know if your program is working beyond the scope of quizzes and courses? Simple: ask your employees.
If you want to gauge the impact of your SAP, get feedback from the people enrolled in it. They’re the only ones who can tell you what’s working and what’s not, which parts resonate with them and which fall flat, and which topics they want to learn more about.
In other words, no SAP can evolve and stay ahead of the security curve without open, honest feedback from the people you are training. If, for example, your users hate certain types of content or there’s too much training interrupting their workflow, that negative reaction stunts the learning process; a frustrated user isn’t learning anything. But without asking for feedback, how do you know when to make changes or, more importantly, what changes are needed?
Of course, getting usable feedback can be difficult. Here are a few ideas to get you started.
Foster a culture of trust.
Building a corporate culture of trust offers more benefits than we can possibly list in this space. And it goes well beyond the scope of security training. For our purposes, even your most resistant employees need to feel not just comfortable in voicing their concerns, but also encouraged to do so.
Transparency is your best friend. When you launch your program, you share a vision with your employees of an organization that prioritizes security. Make it clear from the start that it’s an all-inclusive vision with room to grow and evolve.
For example, you want them to know why they are being forced to watch videos or sit through courses. You want them to understand their roles in preventing cybercrime and protecting customer information. And you want them to know that they have a say in the direction of your program and their education. How do you achieve this? By building trust between employees and management, at every level.
Run yearly surveys.
Surveys provide a simple and effective method to poll your user base. They’re the best way to tailor your questions to the information you need the most. How often you should run them depends on the needs of your organization. Newer programs might benefit from quarterly surveys, whereas mature programs may only need yearly ones.
Frequency aside, one thing all surveys need is efficiency. Meaning they need to ask the right questions. No one wants to sit through a 20-minute survey, and management certainly doesn’t want to waste employees’ time. So it’s important to focus on getting usable feedback in a fast and concise manner.
Use the classic suggestion box.
Archaic as they may seem, suggestion boxes offer a completely anonymous option for giving honest feedback. In truth, if you have a culture of trust already established, this option isn’t necessary. But if you’re experiencing tension or resistance in your current program, this is an easy, time-tested starting point.
There are dissenting opinions on whether or not anonymous feedback is a good thing. One article argues that anonymity, though helpful in some cases, serves as a mediocre solution. Another argues that anonymous feedback empowers employees and managers alike. In fact, the latter article explains feedback as an equation:
employee * (management + feedback) = employee development + business improvement
That’s a fantastic way of thinking about feedback, whether it’s anonymous or candid.
Now that you’ve collected all of this fabulous data from your users, how do you implement it? You need to demonstrate to employees that you value their feedback, and that the survey wasn’t just a PR move to falsely promote morale. A culture of trust values and encourages transparent feedback. And even if the employees’ requests aren’t possible or don’t fit your objectives, it’s still crucial that you follow up with them and explain why.
Feedback is an invaluable resource that focuses on adjustment and reinforces positive behavior, all while identifying and correcting small issues before they become big issues. And we want to hear about your experiences! Have ideas for getting feedback from end users? Or have you been a part of a program that encourages feedback? Tell us about it in the comments!