How to Set Goals for your Awareness Training

In this article, we’ll help you reflect on some of the important questions that'll guide your training.

What is it you want to achieve? 

First, it’s important that you consider what it is you want to achieve, as there can be several effects from security awareness training. Goals could be: 

  • Fewer data and security breaches 
  • GDPR compliance or other compliance-based effects 
  • Building a security culture where all employees feel empowered and safe to speak up if they spot a breach 
  • Something completely different 

Whatever your goal is, it also affects how you'll use the training. If it’s “just” to tick a compliance box, then that’s fine. You can send out a course every second month and go to bed…

But you probably won’t reach the full potential of the training. 

That's why we recommend viewing the training as a tool to strengthen your organisation's security culture.

See the training as culture change 

In our eyes, awareness training is a tool to help you build a security culture. It’s not the only tool, but a part of all your security work, just like phishing training is.

If you want to succeed in creating a security culture, you can’t just send out some courses and forget about them. You need to follow up and create the processes and space for people to succeed in creating security.  

It might not be the easiest thing to measure, but employee security and behavior rarely are.

Know that culture change is hard to measure

Here’s an example of why it’s difficult to measure.

We’ve had customers who wanted to see fewer reported security breaches as a result of awareness training, because they thought this would indicate a stronger security culture with fewer mistakes. But they actually ended up with MORE reported breaches than before the training. This raised some eyebrows, but it turned out to be a good thing.

The increase in reported breaches was not because the customer was being targeted by more criminals, but because employees were finally spotting and reporting the breaches that had always been there.

The training was a success, and the employees actively helped to strengthen the organisation's security.  

But you can get insight into your culture and the impact of training by making observations

You can learn a lot about the effect of the training by observing your company.  

  • Is security a part of everyday life?  
  • Do people talk about it?  
  • Do people report breaches?  
  • Do they ask if they are in doubt about something?
  • Do they warn each other about phishing emails?  

If you can begin to say yes to these questions, it’s because the awareness program and your other initiatives are working.  

Consider any previous experience with training and cybersecurity

When setting your goals, it can be helpful to consider any past experience you have training your colleagues in cybersecurity.

  • How did it go? 
  • What are your key takeaways from the training?  
  • What was the theme of the training? (e.g., if the training was about updating software, it might not be necessary to send out a course about that in the near future)  

A goal could be to get higher engagement than a previous training initiative. Or to increase knowledge about a topic of specific relevance to your organisation. 

If you need some guidance setting goals for your training, your customer success manager is always there to help. 
