by ThinkCyber | Reading time: 7 minutes
Most organisations now accept the need for a Security Awareness Training programme in some form or other. But what’s the use of this programme if you’re not measuring its effectiveness? More importantly, what if you’re not measuring the right thing?
One metric many practitioners focus their energy on is the click rate in phishing simulations, sometimes believing that a lower or higher click rate reflects how effective their awareness programme is. This approach overlooks other more critical (and useful) metrics, such as the reporting rate on the simulations.
In this blog, we will explore why measuring positive behaviour change should be at the forefront of any cyber-security awareness strategy. For example, this means shifting the balance to focus more on reporting rates, rather than measuring the absence of a "bad" behaviour, as click rates do.
Phishing simulations have become a staple of cyber-security training programs. These simulations involve sending fake phishing emails to employees to see if they are lured by the bait, by clicking on malicious links or disclosing sensitive information. Measuring the click rate, i.e., the percentage of employees who take the bait, has been a common way to gauge an organization's susceptibility to phishing attacks. While this metric provides some insights, it has its limitations.
As we have mentioned in a previous blog, it can be hard for staff to contextualise training delivered after the fact due to ego and cognitive biases. We are very good at convincing ourselves that we didn’t actually click (it must be some mistake) or that there was a very good reason we acted the way we did. We will take on information that justifies that and ignore information that conflicts with our current world view. This can make it hard for organizations to gain valuable data that could help them understand why certain employees clicked on links and what they can do to prevent it.
Instead of fixating on click rates, organizations should prioritize measuring factors like the reporting rate—the percentage of employees who report suspicious emails or activities. Here's why reporting rates are a more critical metric:
A shift to measuring a “positive” behaviour or habit employees can develop around their interactions with emails, such as reporting, can be taken even further by applying behavioural nudges such as:
Whereas the punitive post-click training approach of phishing tests can promote fear and inaction, these supportive nudges, which improve confidence and self-efficacy, can build key behaviours into habits that employees will carry with them into all risky situations. We’ve recently seen clicks in emails from unknown senders reduce by 76% in just a few months at one client and have been able to measure a doubling of reporting rates at another.
While measuring click rates in phishing simulations has its place in cyber-security training, it should not be the principal focus. Instead, the reporting rate, reflecting employees' ability and willingness to report suspicious activity, is a more vital metric for assessing an organization's cyber-security posture. Embedding coping strategies, such as checking the sender or checking for urgency/manipulation, as habits and measuring reduced overall clicks on links from unknown senders with tools such as Redflags® can take this even further.
By placing greater emphasis on positive behaviour change such as that measured through reporting rates, organizations can better prepare their employees to be the first line of defence against cyber threats. In this ever-advancing digital landscape, fostering a culture of security and early threat detection is paramount, and measuring positive behaviour change is the key to achieving these goals.