Published: August 7, 2022
Author(s)
Jody Jacobs (NIST), Julie Haney (NIST), Susanne Furman (NIST)
Conference
Name: 8th Workshop on Security Information Workers (WSIW 2022)
Dates: 08/07/2022 - 08/09/2022
Location: Boston, MA
Citation: 8th Workshop on Security Information Workers (WSIW 2022), pp. 1-8
The goal of organizational security awareness programs is to positively influence employee security behaviors. However, organizations may struggle to determine program effectiveness, often relying on training policy compliance metrics (training completion rates) rather than measuring actual impact. Few studies have begun to discover approaches and challenges to measuring security awareness program effectiveness, particularly within compliance-focused sectors such as the U.S. government. To address this gap, we conducted a mixed-methods research study that leveraged both focus group and survey methodologies focused on U.S. government organizations. We discovered that organizations do indeed place emphasis on compliance metrics and are challenged in determining other ways to gauge success. Our results can inform guidance and other initiatives to aid organizations in measuring the effectiveness of their security awareness programs. While the research focused on the U.S. government, our findings may also have implications for other sectors and countries.
Keywords
measures of effectiveness; security awareness programs; mixed-methods
Control Families
None selected