Measure What Your Employees Know About Information Security

Before you launch your information security awareness and training program, did you put any mechanisms in place to measure what your employees think, learn and retain on information security?

To have an effective security training program, you will want to have metrics in place from the beginning. If you don’t already measure what you’re doing, get ready to start measuring. Measurements will help establish a baseline of your employees’ and your institution’s knowledge, ability and skills in information security. Metrics also show you where the “holes” are in your current training initiatives, so that the methodology and/or content of the training programs can be improved. Measuring training effectiveness can also be useful in validating the competency of the training entity itself.

Regular documentation of metrics gives proof of an institution’s level of commitment to understanding regulatory requirements, implementing technical solutions, and teaching and reinforcing the behaviors required to meet the institution’s security policies. Using metrics to evaluate training effectiveness can also have a positive effect on the institution’s attitude toward information security.

You can start with a “before” training assessment test: ask staff attending the awareness training to complete a short questionnaire on their knowledge of information security at your institution. Give the same test, with the same questions, after the awareness training. Then compare the two sets of scores against each other. This is only the beginning of a metrics program to measure awareness of information security across your institution. You may want to model the basis of your institution’s evaluation method and metrics program on the Kirkpatrick model.

Widely regarded as “the father of corporate training,” Dr. Don Kirkpatrick developed the most widely employed method to evaluate learning achievement, and it is called (of course) the Kirkpatrick method. For more than 40 years this model has been used to measure learning effectiveness. This model was published in a series of training and education journal articles in the late 1950s. Kirkpatrick’s four-level learning model (reaction, learning, behavior and results) is the most widely used and accepted method for measuring learning effectiveness today. His book, “Evaluating Training Programs: The Four Levels” is a good place to begin when deciding what your institution will measure in your information security training programs.

By using Kirkpatrick’s education model and security industry best practices, financial institutions can successfully assess the effectiveness of their security awareness training programs, measure the results, and further improve the training available to employees.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.