Measure What Your Employees Know About Information Security
Before you launch your information security awareness and training program, did you put any mechanisms in place to measure what your employees think, learn and retain on information security?
To have an effective security training program, you will want to have metrics in place from the beginning. If you don’t already measure what you’re doing, get ready to start measuring. Measurements will help establish a baseline of your employees’ and your institution’s knowledge, abilities and skills in information security. Metrics also help show you where the “holes” are in your current training initiatives, so that the methodology and/or content of training programs can be improved. Measuring training effectiveness can also be useful in validating the competency of the training entity itself.
Regular documentation of metrics gives proof of an institution’s level of commitment to understanding regulatory requirements, implementing technical solutions, and teaching and reinforcing behaviors that meet the institution’s security policies. Using metrics to evaluate training effectiveness can also have a positive effect on the institution’s attitude toward information security.
You can start with a “before” training assessment test: ask staff attending the awareness training to complete a short questionnaire on their knowledge of information security at your institution. Give the same test with the same questions after the awareness training. Then compare the two sets of scores against each other. This would only begin your metrics program to measure awareness of information security across your institution. You may want the basis of your institution’s evaluation method and metrics program to be modeled on the Kirkpatrick model.
Widely regarded as “the father of corporate training,” Dr. Don Kirkpatrick developed the most widely employed method to evaluate learning achievement, and it is called (of course) the Kirkpatrick method. For more than 40 years this model has been used to measure learning effectiveness. It was published in a series of training and education journal articles in the late 1950s. Kirkpatrick’s four-level learning model (reaction, learning, behavior and results) is the most widely used and accepted method for measuring learning effectiveness today. His book, “Evaluating Training Programs: The Four Levels,” is a good place to begin when deciding what your institution will measure in your information security training programs.
By using Kirkpatrick’s education model and security industry best practices, financial institutions can successfully assess the effectiveness of their security awareness training programs, measure the results, and further improve the training available to employees.