There are three things that will require your focus when establishing security and privacy arrangements within your institution: technology, awareness and organisation. In this blog series, we will take a closer look at awareness: what does awareness involve, what do we need to know about human behaviour, and how should you establish a robust awareness programme? This seventh blog in this series of 8 is about whether your awareness programme is having the desired effect.
The only way to find out whether your programme is having the desired effect is to assess it. You have already defined the desired behaviour that you want to achieve. But you will also want to know how to measure the behavioural factors and the current situation (baseline measurement), so that you know the what the difference is when you reassess.
There are several methods you can use to measure the effect of your programme. You can ask about the impact of your programme by using surveys or interviews. Or you can collect evidence of desired and undesirable behaviour by deploying a mystery guest or by sending simulated phishing emails. A combination of a number of methods is often more effective than when only one method is used. A list of examples is available in the Cybersave Yourself Toolkit.
It is important to decide in advance how you will conduct the measurements and to make sure they are reproducible. This is the only way to ensure you can make a good comparison. With conducting measurements at set intervals, you can assess whether sub-activities of the awareness programme are leading to the desired outcomes. You should perform an overall impact measurement once all awareness activities have been completed. This will answer the question of whether the security awareness situation within the institution has changed compared to the situation before the start of your campaign.
Next step
You now know what the desired effect of your awareness programme is, what resources you want to deploy to achieve this, and how you can measure it. You’re now ready. In the next blog, we will describe how to get started with your awareness programme.
Other blogs in this series:
- Blog #1: The utility and necessity of awareness
- Blog #2: Why an awareness programme?
- Blog #3: Who are your target groups?
- Blog #4: What is the overall aim and desired behaviour?
- Blog #5: Which factors affect behaviour?
- Blog #6: What actions and interventions should you use to encourage the desired behaviour?
- Blog #8: Implementing the programme
About the authors
This series of blog posts has been created by the GÉANT Cyber Security Month team, in close collaboration with SURF.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022