Published: July 17, 2023
Author(s)
Jody Jacobs (NIST), Julie Haney (NIST), Susanne Furman (NIST)
Conference
Name: 10th International Conference on HCI in Business, Government and Organizations (HCIBGO)
Dates: 07/23/2023 - 07/28/2023
Location: Copenhagen, Denmark
Citation: HCIBGO: 10th International Conference on HCI in Business, Government and Organizations, vol. 14038, pp. 14-33
The goal of organizational security awareness programs is to positively influence employee security behaviors. However, organizations may struggle to determine program effectiveness, often relying on training policy compliance metrics (e.g., training completion rates) rather than measuring actual impact. Few studies have begun to discover approaches and challenges to measuring security awareness program effectiveness within compliance-focused sectors such as the United States (U.S.) government. To address this gap, we conducted a mixed-methods research study that leveraged both focus group and survey methodologies centered on U.S. Government organizations. We discovered that organizations do indeed place emphasis on compliance metrics and are challenged in determining other ways to gauge success. Our results can inform guidance and other initiatives to aid organizations in measuring the effectiveness of their security awareness programs.
Keywords
security awareness; training; government; effectiveness; metrics; mixed-methods
Control Families
None selected