How Do You Know If Your Security Training is Working?
- Rehearsing for Reality – giving participants the chance to try out their responses to complex security situations.
- Experiential Learning – where knowledge is gained by working collaboratively to create effective solutions to security problems.
- Thinking Like a Hacker – understanding security vulnerabilities by viewing the business through the eyes of a hacker.
Security professionals who have commissioned interactive sessions from Layer 8 have commented on the immediate impact these workshops have upon participants’ attitudes toward security, but the feedback we get really excited about tells us that the impact felt in the session has then translated into a more meaningful ongoing process of change within the business.
“We were always trying new ways to engage employees with security. We found they’d listen, but then continue to behave as they always had done. It was only when Layer 8 introduced The Hackers’ Perspective technique that things started to change.”
Measuring the Ongoing Impact of Security Training
Measuring workshop impact not only provides an immediate snapshot of the benefits (or otherwise) of the activities participants have experienced, it also offers the opportunity to register three things in the minds of those participants:
- Participants undertake high-risk activities in a safe environment – rehearsing for reality.
- Learning from mistakes is integral to the process – so skills improve.
- Simulations provide meaningful contexts for problem solving – consequences become important.
- Learning is hands-on, experiential and enjoyable.
- Emotional responses to simulations are natural – participants become fully involved.
Our clients have found that a three-step evaluation process, spanning 2-3 months post-workshop, has proved the most effective way to gain maximum return on investment for the training session.
Step 1 – Evaluation
Everyone is used to filling in an evaluation form at the end of a session, and it can be quite a perfunctory exercise. It offers the opportunity, though, to include questions which prompt participants to actively integrate the knowledge they’ve gained from the workshop into their working practices:
- What’s the most important thing you’ll take away from today’s session? (key learning)
- How will what you’ve learnt today affect the way you do your job? (behavioural change)
- How will you spread best practice you’ve learnt amongst your colleagues? (conversations)
Step 2 – Peer to Peer Learning
Rich qualitative data can be gained by using team meetings to review the workshop, talk about any individual actions that have arisen because of it, and discuss ways in which departments could work to integrate the knowledge gained into developing security behaviours. These tend to work well if they happen a couple of weeks after the workshop.
Step 3 – Survey
Running a security awareness survey across participants a month to six weeks after the original event will demonstrate whether the knowledge is being applied, and take the temperature of participants as to the importance they now place upon secure behaviours in the workplace.
Security Training and Resilience as a Process
Following these steps ensures that you get maximum value from your initial training investment. The rich qualitative and quantitative data can immediately demonstrate strengths, weaknesses and vulnerabilities across your organisation.
For more ways to measure your developing security culture, take a look at the SANS Security Awareness Metrics Matrix, which includes metrics both for measuring impact (change in behaviour) and for tracking compliance.