Friday, September 1, 2023

Numbers and Narratives: The Power of Qualitative and Quantitative Feedback

While technological prowess is crucial for cybersecurity, human factors are often the linchpin that determines an organization's susceptibility to cyber threats. As we navigate this ever-evolving landscape, the role of learning programs in enhancing cybersecurity awareness cannot be overstated. But how do we measure the effectiveness of these initiatives? The answer lies in a meticulous blend of quantitative and qualitative feedback.

The Quantitative Dimension

In the realm of cybersecurity learning programs, quantitative data acts as the backbone that offers empirical evidence of program effectiveness. This data, collected through various channels—from real-world cybersecurity incidents and metrics on employee reporting to targeted simulations and longitudinal studies—provides a measurable barometer of your organization's cybersecurity posture. It can also help tailor training materials to specific departments, evaluate ROI, and keep content up to date. This section will detail the key types of quantitative data that you should focus on, offering a robust framework for continuously enhancing your cybersecurity initiatives through actionable metrics.

  1. Cybersecurity Incident Data - Utilize real-world data on past incidents to simulate realistic scenarios in your training programs. For example, if there has been a rise in phishing attacks, including similar scenarios in your learning modules can help prepare the workforce better.
  2. Metrics on Incident Reporting - Review how many employees report potential cybersecurity events pre- and post-training. An increase in reports post-training could indicate higher awareness.
  3. Simulated Attack Responses - Phishing simulations can provide invaluable data. If 90% of your employees ignore a phishing email post-training compared to 50% pre-training, you know you’re on the right track.
  4. Longitudinal Data - Track the program's impact over time to identify trends. Maybe the initial spike in awareness drops after six months, indicating a need for refresher courses.
  5. Employee Testing Data - Compare employee cybersecurity test scores before, immediately after, and three months post-training to assess knowledge retention.
  6. Performance by Department - Do tech departments outperform sales in cybersecurity awareness? This could guide department-specific training.
  7. Training Attendance and Completion Rates - Low attendance or completion could indicate that the training is too cumbersome or not engaging enough.
  8. Quantitative Surveys and Costs - Use closed-ended surveys for quick, quantifiable feedback. Also, calculate the per-participant cost of developing and delivering the program for ROI assessment.
  9. Privacy and Technical Metrics - Track the frequency and type of privacy or cybersecurity events to identify the need for role-based training. Changes following technical training—like a reduction in accounts with privileged access—can also be invaluable metrics.
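As an added illustration (not code from the original post), the Python script below shows how several of the metrics above can be computed from phishing-simulation results: click and report rates per wave (pre-training, immediately post-training, six-month follow-up), the pre-to-post change broken out by department, and a simple longitudinal check that flags when the follow-up click rate has regressed enough to suggest a refresher course. The roster, outcome strings and the 10-point regression threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed roster: ten employees across two departments (not real data).
EMPLOYEES = [(f"emp{i:02d}", "sales" if i <= 5 else "tech") for i in range(1, 11)]

# Constructed outcomes, one character per employee in roster order, for three
# simulation waves: C = clicked the lure, R = reported it, I = ignored it.
WAVES = {
    "pre":  "CCCRCCRIII",   # before training
    "post": "CRRRRRRRII",   # immediately after training
    "6mo":  "CCCRRRRIII",   # six-month follow-up
}
WAVE_ORDER = ["pre", "post", "6mo"]


@dataclass(frozen=True)
class SimResult:
    wave: str
    employee: str
    department: str
    outcome: str  # "C", "R" or "I"


def build_records(waves=WAVES, employees=EMPLOYEES):
    """Expand the compact outcome strings into one record per employee per wave."""
    records = []
    for wave, outcomes in waves.items():
        assert len(outcomes) == len(employees), "one outcome per employee per wave"
        for (emp, dept), outcome in zip(employees, outcomes):
            records.append(SimResult(wave, emp, dept, outcome))
    return records


def rates(records):
    """Click rate and report rate for any group of simulation records."""
    n = len(records)
    clicked = sum(1 for r in records if r.outcome == "C")
    reported = sum(1 for r in records if r.outcome == "R")
    return {"n": n, "click_rate": clicked / n, "report_rate": reported / n}


def metrics_by_wave(records):
    """Longitudinal view: rates for each wave, in chronological order."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r.wave].append(r)
    return {wave: rates(grouped[wave]) for wave in WAVE_ORDER if wave in grouped}


def metrics_by_department(records, wave):
    """Department breakdown for a single wave (sorted for stable output)."""
    grouped = defaultdict(list)
    for r in records:
        if r.wave == wave:
            grouped[r.department].append(r)
    return {dept: rates(rs) for dept, rs in sorted(grouped.items())}


def department_click_change(records, before="pre", after="post"):
    """Drop in click rate per department between two waves (positive = improvement)."""
    b = metrics_by_department(records, before)
    a = metrics_by_department(records, after)
    return {d: round(b[d]["click_rate"] - a[d]["click_rate"], 3) for d in b if d in a}


def refresher_needed(by_wave, baseline="post", followup="6mo", max_regression=0.1):
    """True when the follow-up click rate exceeds the post-training rate by more
    than the assumed tolerance, i.e. awareness has decayed since training."""
    return by_wave[followup]["click_rate"] - by_wave[baseline]["click_rate"] > max_regression


if __name__ == "__main__":
    recs = build_records()
    by_wave = metrics_by_wave(recs)
    for wave, m in by_wave.items():
        print(f"{wave:>5}: click {m['click_rate']:.0%}  report {m['report_rate']:.0%}  (n={m['n']})")
    print("pre->post click-rate drop by department:", department_click_change(recs))
    print("refresher needed:", refresher_needed(by_wave))
```

In a real program the records would come from the simulation platform's export and the roster from HR data; the point of keeping both click rate and report rate is that a falling click rate alone can hide a workforce that simply deletes suspicious mail without telling anyone, which is the gap the incident-reporting metric above is meant to close.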

The Qualitative Dimension

While quantitative metrics provide the hard facts, it's the qualitative data that enriches our understanding by adding context, nuance, and depth to these numbers. Qualitative feedback captures the human elements that are often overlooked in cybersecurity initiatives. From capturing employees' responses about the program's delivery and content to conducting focus groups for in-depth insights, qualitative data allows us to gauge the intangibles that make or break a learning program. In this section, we will delve into various types of qualitative feedback, including presenter evaluations, open-ended surveys, and even observations from the training sessions, to provide a more holistic assessment of your cybersecurity education efforts.

  1. Presenter and Program Feedback - Encourage employees to share feedback on trainers and program content to make real-time improvements.
  2. Open-Ended Surveys and Reports - Use these to gather nuanced opinions. Maybe the training material is excellent, but the pace is too fast?
  3. Focus Groups and Observations - Conduct these with a cross-section of employees to get richer insights into the learning experience, identifying areas for improvement.
  4. Suggestion Box - A suggestion box allows employees to provide candid feedback and innovative ideas for program improvement.

A Marriage of Metrics and Mindsets

Combining quantitative data with qualitative insights will not only paint a comprehensive picture of your program's effectiveness but will also guide data-informed decisions for future improvements. For instance, if your quantitative data indicates high knowledge retention but qualitative feedback points to low engagement, you may need to inject more interactive elements into your program. Because when it comes to cybersecurity, an empowered workforce is your best line of defense.

And if you haven't already, check out NIST Special Publication 800-50 and look for the upcoming Rev. 1. This is a comprehensive guideline that serves as an invaluable resource for information security education, training, and awareness. Thank you to NIST and the industry authors and contributors for your tireless work in advancing the field and providing a foundational resource for cybersecurity professionals everywhere.