Measure What Your Employees Know About Information Security
Before you launch your information security awareness and training program, did you put any mechanisms in place to measure what your employees think, learn and retain on information security?
To have an effective security training program, you will want to have metrics in place from the beginning. If you don't already measure what you're doing, get ready to start. Measurements establish a baseline of your employees' and your institution's knowledge, ability and skills in information security. Metrics also show you where the "holes" are in your current training initiatives, so that the methodology and/or content of the training can be fixed. Measuring training effectiveness is also useful for validating the competency of the training entity itself.
Regular documentation of metrics gives proof of an institution's level of commitment to understanding regulatory requirements, implementing technical solutions, and teaching and reinforcing behaviors that meet the institution's security policies. Using metrics to evaluate training effectiveness can also have a positive effect on the institution's attitude toward information security.
You can start with a "before" training assessment test: ask staff attending the awareness training to complete a short questionnaire on their knowledge of information security at your institution. Give the same test, with the same questions, after the awareness training, then compare the two sets of scores against each other. A third sitting of the same test some weeks later tells you what was retained rather than merely recalled on the day. This would only begin your metrics program to measure awareness of information security across your institution. You may want to model the basis of your institution's evaluation method and metrics program on the Kirkpatrick model.
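The before/after comparison above, as an added example that is not part of the original article: it scores constructed sample answers from four hypothetical employees on five hypothetical questions, reports the mean gain, flags anyone whose score went down, and lists the questions still below a pass-rate threshold after training, which are the "holes" to fix in the next iteration. The same compare() function applied to the post-test and a later re-test measures retention; the question texts, employee names, answers and the 70% threshold are all assumptions for illustration.

```python
from statistics import mean

# Constructed example questions (hypothetical, not from the original article).
QUESTIONS = [
    "Report a suspicious email to the help desk instead of forwarding it",
    "Never share your password, even with someone claiming to be IT",
    "Lock your screen whenever you leave your desk",
    "Do not plug an unknown USB device into a workstation",
    "Send customer records only through approved, encrypted channels",
]

# Constructed sample answers: one list per employee, one entry per question,
# 1 = answered correctly, 0 = answered incorrectly, same order as QUESTIONS.
PRE_TEST = {
    "alice": [1, 0, 1, 0, 0],
    "bob":   [0, 0, 1, 1, 0],
    "carol": [1, 1, 0, 0, 0],
    "dave":  [0, 0, 1, 0, 1],
}
POST_TEST = {
    "alice": [1, 1, 1, 1, 0],
    "bob":   [1, 1, 1, 1, 0],
    "carol": [1, 1, 1, 0, 1],
    "dave":  [1, 0, 1, 1, 0],
}


def _validate(results, n_questions):
    """Every employee must have exactly one answer per question."""
    for who, answers in results.items():
        if len(answers) != n_questions:
            raise ValueError(f"{who}: expected {n_questions} answers, got {len(answers)}")


def employee_score(answers):
    """Fraction of questions an employee answered correctly (0.0 to 1.0)."""
    return sum(answers) / len(answers)


def question_pass_rate(results, q):
    """Fraction of employees who answered question q correctly."""
    return mean(answers[q] for answers in results.values())


def knowledge_gaps(results, n_questions, threshold=0.7):
    """Indices of questions whose pass rate is below threshold: the 'holes'."""
    return [q for q in range(n_questions) if question_pass_rate(results, q) < threshold]


def compare(baseline, followup, n_questions, threshold=0.7):
    """Compare two sittings of the same quiz by the same employees.

    Used for pre -> post it measures learning; used for post -> delayed
    re-test it measures retention (a negative mean_gain means decay).
    """
    _validate(baseline, n_questions)
    _validate(followup, n_questions)
    if set(baseline) != set(followup):
        raise ValueError("both sittings must cover the same employees")
    gains = {who: employee_score(followup[who]) - employee_score(baseline[who])
             for who in baseline}
    return {
        "mean_baseline": mean(employee_score(a) for a in baseline.values()),
        "mean_followup": mean(employee_score(a) for a in followup.values()),
        "mean_gain": mean(gains.values()),
        "gains": gains,
        "regressed": sorted(who for who, g in gains.items() if g < 0),
        "gaps_baseline": knowledge_gaps(baseline, n_questions, threshold),
        "gaps_followup": knowledge_gaps(followup, n_questions, threshold),
    }


if __name__ == "__main__":
    report = compare(PRE_TEST, POST_TEST, len(QUESTIONS))
    print(f"mean score before: {report['mean_baseline']:.0%}, "
          f"after: {report['mean_followup']:.0%}")
    for who in report["regressed"]:
        print(f"scored lower after training: {who}")
    for q in report["gaps_followup"]:
        rate = question_pass_rate(POST_TEST, q)
        print(f"still a gap after training ({rate:.0%} correct): {QUESTIONS[q]}")
```

Keeping per-question results rather than only a total score is what makes the "holes" visible: in the sample data the mean score rises from 40% to 75%, but the question on encrypted channels is still answered correctly by only one person in four, so that topic, not the whole course, is what needs reworking.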
Widely regarded as "the father of corporate training," Dr. Don Kirkpatrick developed the most widely employed method for evaluating learning achievement, called (of course) the Kirkpatrick method. The model was published in a series of training and education journal articles in the late 1950s, and for more than 40 years it has been used to measure learning effectiveness. Kirkpatrick's four-level learning model (reaction, learning, behavior and results) is the most widely used and accepted method for measuring learning effectiveness today. His book, "Evaluating Training Programs: The Four Levels," is a good place to begin when deciding what your institution will measure in its information security training programs.
By using Kirkpatrick's education model together with security industry best practices, financial institutions can successfully assess the effectiveness of their security awareness training programs, measure the results, and further improve the training available to employees.