The Top 6 Security Awareness Training Program KPIs and Metrics

About the author: Huda Ali has a passion for security awareness. In her role as Protection Services Team Lead at ISA Cybersecurity, she guides her team in delivering compelling security awareness programs for internal and external stakeholders alike. Her leadership abilities, proven teamwork skills, and extensive cybersecurity experience combine to help our customers develop a security-conscious culture and a strengthened cyber posture.


Security awareness training is widely recognized as an essential part of your corporate cybersecurity program. But how can you tell whether staff training is making any difference? As a Protection Services Team Lead at ISA Cybersecurity, I’ve helped many organizations use KPIs (key performance indicators) to measure the effectiveness of their security awareness programs. Today I’d like to share why it’s so important to use metrics – and present my top 6 most useful and insightful security awareness training metrics to use when assessing the performance of your programs. 


Benefits of Program Measurements

1. Trends over Time 

Tracking metrics over time is critical to help show how your program is performing. When starting a new program, it’s vital to take a baseline measurement of your starting state, then take regular performance measurements as you conduct further testing. This will help demonstrate the effectiveness of your programs, helping you build a case for continuing budget and program support. Without them, you can’t tell how your program is doing. 

2. Decision Support 

Having clear data on the performance of your security program gives you the information you need to make decisions on the nature of your security initiatives. If your staff score poorly at recognizing phishing attacks, future training efforts can be focused on this area to improve results. Additional testing can be done to raise the level of vigilance among staff.

3. Communications 

Having strong numbers in your security program is an important piece of information to share with your leadership team or board, illustrating your team’s commitment to security. Using KPIs and other metrics helps demonstrate security awareness ROI, and helps you explain your performance in a concrete, measurable way. 


My Top 6 KPIs and Metrics

So, which KPIs and metrics should you track to support your security awareness training program? Here are the stats that I find to be the most insightful: 

1. Security Awareness Training Completion Rate  

A training completion rate indicates the proportion of employees who have completed security training. A rate of 90% or more suggests that your employees are engaged and recognize their responsibilities in maintaining current security training. I find that a completion rate of 70% or less may indicate that a training program is too complex or uninteresting, or that staff are not serious about security. 

I like to extend completion rate stats to other areas as well. For example, you can track how many staff have completed security culture surveys or have acknowledged reading your acceptable use and security policies. This should be tracked among new hires, and on an annual basis thereafter. All of these numbers will help you keep your finger on the pulse of your programs. 

2. Phishing/Social Engineering Simulation Clickthrough Rate

A clickthrough rate (also known as “phish prone percentage”) measures the percentage of employees who click on bad links delivered through simulated phishing emails. Obviously, a “zero” clickthrough rate is the ultimate target, but an acceptable range for phishing simulation results is between 0% and 5%. I get concerned when I see a clickthrough rate of over 20% or so: that’s a signal that staff may not be adequately trained or sufficiently vigilant in avoiding suspicious links. Supplementary security features like web content filtering and EDR act as a safety net, but as we say at ISA Cybersecurity, your people are your first line of defense against potential malware events and attacks.

3. Phishing/Social Engineering Reporting Rate

The other side of the coin on measuring phishing campaigns is calculating the percentage of employees who correctly report simulated phishing emails. Not clicking a bad link is a good outcome, but doesn’t necessarily tell you whether the individual recognized that the email was indeed a phishing attempt. If your system allows staff to report suspected phishing links, this can provide a clearer indication of their awareness and recognition. A phishing reporting rate of over 80% is a strong indicator of good security awareness and attention to detail.  

Be sure to measure the number of incorrect phishing reports as well (i.e., emails that were flagged as phishing attempts but were benign). An incorrect reporting rate of under 10-15% is a reasonable target. If false positive reporting is too high, this creates undue effort for your response teams and suggests that staff are not adequately trained in recognizing phishing attempts, or are confusing spam with phishing messages. 

4. Time to Report Incidents

Beyond measuring response times to simulations, I find it useful to measure the average time it takes employees to report suspected security incidents. Seconds count when responding to potential issues, so rapid recognition and reporting by your staff is not only an indication of their awareness, but can pay off in helping to contain actual incidents more quickly. Acceptable ranges for security incident response time will depend on your industry, but typically staff should be reporting incidents within an hour of the suspicious event. If the average response time is over a day, this may indicate that staff aren’t aware of the appropriate reporting procedure, or don’t have a place to turn when they have concerns.  
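To make metrics 2 through 4 concrete, here is an added example (not code from ISA Cybersecurity or the author) that computes clickthrough rate, reporting rate, false-positive reporting rate and mean time to report over one constructed simulated-phishing campaign, then bands each value using the thresholds given above. The recipient records, timestamps and band names are assumptions for illustration; a real platform would export the equivalent fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional
# Constructed sample data (not from the article): one simulated phishing
# campaign sent to five staff, plus one benign email reported by mistake.
@dataclass
class Recipient:
    user: str
    clicked: bool                    # clicked the simulated bad link
    reported_at: Optional[datetime]  # None = never reported it

SENT_AT = datetime(2024, 3, 4, 9, 0)
CAMPAIGN = [
    Recipient("alice", False, SENT_AT + timedelta(minutes=7)),
    Recipient("bob", True, None),                       # clicked, never reported
    Recipient("carol", False, SENT_AT + timedelta(minutes=23)),
    Recipient("dave", False, None),                     # ignored it, never reported
    Recipient("erin", False, SENT_AT + timedelta(hours=3)),
]
BENIGN_REPORTS = 1  # legitimate emails flagged as phishing in the same period

def clickthrough_rate(rs):
    return 100.0 * sum(r.clicked for r in rs) / len(rs)

def reporting_rate(rs):
    return 100.0 * sum(r.reported_at is not None for r in rs) / len(rs)

def false_positive_rate(rs, benign_reports):
    # share of all phishing reports that pointed at a benign email
    total = sum(r.reported_at is not None for r in rs) + benign_reports
    return 100.0 * benign_reports / total if total else 0.0

def mean_minutes_to_report(rs, sent_at):
    delays = [(r.reported_at - sent_at).total_seconds() / 60 for r in rs if r.reported_at]
    return mean(delays) if delays else None

def assess(rs, sent_at, benign_reports):
    # Band each metric using the thresholds the article gives (bands are assumed names).
    ctr, rr = clickthrough_rate(rs), reporting_rate(rs)
    fpr, ttr = false_positive_rate(rs, benign_reports), mean_minutes_to_report(rs, sent_at)
    return {
        "clickthrough_pct": ctr,
        "clickthrough_band": "acceptable" if ctr <= 5 else "concern" if ctr > 20 else "watch",
        "reporting_pct": rr,
        "reporting_band": "strong" if rr > 80 else "needs work",
        "false_positive_pct": fpr,
        "false_positive_band": "reasonable" if fpr <= 15 else "too high",
        "mean_minutes_to_report": ttr,
        "time_band": ("no reports" if ttr is None else "within an hour" if ttr <= 60
                      else "over a day" if ttr > 1440 else "slow"),
    }
```

Run the same function over each campaign's export and keep the results per campaign date, which gives you the trend line argued for under "Trends over Time".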

5. Engagement/Knowledge Assessment Scores

Your security awareness training platform should offer the ability to conduct milestone tests during the training session to gauge staff engagement, awareness, and understanding of content. Too often security quiz scores are only used to make sure staff are paying attention “in the moment.” I think you can draw deeper insights from this information. Evaluating the results of the spot tests provided during your employee security knowledge assessments can help pinpoint areas where the content may not be clear, or where more detailed information should be provided to improve knowledge retention. Be sure to check those scores to improve the effectiveness of your content delivery. 

6. Security Policy Violations

Certainly, a clear measurement of the effectiveness of your program is the number of security policy violations that occur before and after your training initiatives. Consider an example like misdirected emails. Track the number of reports of misaddressed or misrouted emails before your program started, then capture the number of incidents over time, mapping the incidents to your training events.  

A caveat when analyzing security policy compliance metrics: they can be complicated to interpret. Let’s consider our example: are numbers declining because people are being more cautious, or because fewer people are reporting incidents because your program is inadvertently creating fear of the consequences of reporting? Are numbers going up because of staff efforts to be more transparent, or because of other environmental changes (e.g., new staff aren’t being trained properly, or system changes or workloads are causing personnel to rush their communications)? More than with any of the other metrics, it is important to look deeper at this data to understand the context behind any trend numbers.


Don’t Just Train… Measure Too!

When I help customers design their security awareness programs, I make sure to consider these metrics. These KPIs provide quantifiable measures of the performance of your security awareness program, and can help identify areas for improvement, help you benchmark against industry standards, and demonstrate the overall effectiveness of your efforts to stakeholders.

As part of our managed security awareness services, ISA Cybersecurity can help you implement and manage programs that can make measurable improvements in your teams – and your overall security posture. Contact us today to learn more. 
