IT Security Managers, Chief Information Security Officers and Information Security Officers, will all be involved in the evaluation, selection and implementation of hardware and software products and services in their organisations. This is common practice, and many organisations are members of organisations such as ISACA or the Information Systems Security Association (ISSA) which provide support, guidance, qualifications and a robust approach to system control.
When we consider the ‘users’ of the systems, hardware and software, how confident are you that there is a robust approach to evaluating the outcomes of training delivered?
System vulnerability can come from misconfiguration as easily as it can come from user error. In an organisation with 5000 employees - that is 5000 points of vulnerability. Therefore, robust evaluation of the impact of training and investigation into the subsequent progression toward the application of secure behaviours is a must.
Ask yourself, would you have a Tesla Model 3, considered one of the safest cars in the world, and let a driver with a provisional licence drive it unsupervised? You would probably want them to know how to operate the 15 inch touchscreen control unit, you would also want them to know the essentials of safe driving and how to be a responsible driver. You would not want them operating in the hope that the car will always take control and account for every situation.
Applying this to the modern workplace, are you confident that, using the example above, all ‘5000’ employees, know how to use your systems securely and are consistently applying the essential cyber hygiene rules on a daily basis?
Does the fact that 90% of your workforce completing their mandatory training tell you that they apply all the knowledge in their day to day practice? No, that figures just tells you attendance figures.
The assessment linked to your training will tell you the number of people with short term memory recall and if we are being generous, it will tell you about knowledge acquired. But did you know that new knowledge gained will fade over a short period of time. The Ebbinghaus ‘Forgetting Curve’ suggests that within 24 hours new knowledge has faded from memory by 70%.
There is much you can do to improve your employees’ knowledge retention, including ensuring that training is engaging, interactive, has meaning and day to day relevance, is delivered in bite size chunks (5-10 minute courses) and so on. However, the single most important improvement that can be made is ensuring the immediate application of knowledge in the workplace. For example, if someone has just completed a micro-learning module on the creation of long and strong passwords, their manager should immediately ask them what they are going to do differently having completed the training. This should then be discussed 1 week later and then at regular intervals.
Back to our driving analogy, driving instructors say the main prompt they have to repeat every lesson is to remind the learner to look in their mirrors. Less than 50% of learners pass their test first time and the most prevalent reason for failure is insufficient road observation and use of mirrors.
Back to our modern workplace, regular prompts, reminders and questioning are essential to enable people to embed the essential cyber hygiene rules.
But how do you know what secure practices people are applying to their day to day work? How safe are they? People will tell you what they know, but are they actually doing it?
There will be some evidence of behaviour through, for example, the number of reported incidents and simulated phishing exercises. But there are many more aspects to cyber hygiene that need monitoring and evaluating.
If you were to apply the level of robust evaluation to the application of training as to system control, then a robust evaluation tool is needed.
The Security Awareness and Behaviour Research (SABR) tool does just that. It has stood the test of time being used for over 20 years by industry leaders across sectors including, manufacturing, retail, finance, telecommunications and utilities.
With recent developments within the tool, it will be able to map your organisations security culture maturity. It covers five dimensions from engagement with security, authentication, data privacy and information handling, physical security and organisational environment.
It will tell you, from your employees’ perspective, not only what they know but also what they do.
To take your organisation to the next level in security maturity or if you would like more information about the SABR as a robust evaluation tool, call or email Jenny Mandley on +44 (0)1234 707 026, jenny.mandley@thesecuritycompany.com.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51
