Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Measuring the Success of your Security Awareness Program

Security Awareness Program

about the author

Share this post

There is little point in doing anything in life unless you know it is worthwhile and what you are doing is going to work. This thinking applies to many aspects of a business including a security awareness program.

When a company sets in place a security awareness program, they should always have in mind what it is they are trying to achieve. With a 2021 Verizon report stressing that the “human element” is behind 85% of data breaches, a focus on creating good security behaviour should be paramount.

But how exactly can you measure a seemingly nebulous element such as behaviour?

Establish a Baseline for a Great Security Awareness Program?

To measure something, you need a starting point, a baseline. A security awareness program is designed to change the behaviour and attitude of employees to improve overall security in a company.

A set of clearly defined objectives is this essential starting point that you can use to build upon when testing the success of your security awareness program. These objectives will form the foundation of your security awareness program metrics using a ‘train and test’ methodology.

When developing a security awareness program, it’s best practice to keep in mind how the success of each area of the program can be measured. In this way, you can build testable elements into the program. Typical parts of a holistic security awareness program should include:

  1. Security hygiene: covers various elements such as password choices and web browsing habits
  2. Social engineering: what is social engineering and the types of scams affecting an organisation and its employees
  3. Phishing awareness: training employees in how to spot phishing tactics
  4. Computer security habits: including how to spot if a computer may be infected and the use of security-enhancing measures such as a VPN for remote working

Each of these aspects of a security awareness program can be measured, and the results are then used to provide feedback to optimise the success of the program.

The Measure of Success (or not) of a Security Awareness Program?

Measuring the results of a security awareness program is not a pass/fail exercise. Instead, it offers an insight into the effectiveness of the different strands of Security Awareness Training.

The results can be used to feedback into the various parts of the security program to optimise the training; if something isn’t working, metrics and feedback will give an indicator of this, some metrics can even identify weaknesses in specific training events. This information can then be used to more closely tailor awareness education.

Areas that can be used to capture data on the metrics of security training include:

Awareness Surveys and Employee Feedback

Awareness surveys are questionnaires that employees complete to give an insight into the effectiveness of awareness training. Whilst this method is manual, it can be a useful part of a portfolio of measurement exercises to establish the success of your security awareness program. Questionnaires are often handled by HR or a security consultant, and typically include questions or quizzes that test an employee’s ability to spot a threat.

Phishing Simulations and Metrics

Phishing simulations are performed using automated platforms that send out test phishing emails to employees. The simulation platform will record if the employee successfully spots that the test message is a phishing message, or not. Phishing simulation platforms, and advice on their use, along with the metrics they provide, are available through specialist third parties such as MetaCompliance.

Social Engineering and Metrics

How employees respond to scams is an important aspect of security awareness. Scams such as Business Email Compromise (BEC) are often sophisticated and use social engineering as the basis of the scam.

An employee’s reaction to a simulated social engineering event can be measured both quantitatively and qualitatively, depending on how the simulations are carried out. Third-party companies can advise in creating simulated social engineering tests that are amenable to measurement.

Incident Capture and Reporting

The proof is in the pudding, and that pudding takes the form of security incident reporting by employees. A security incident reporting system that allows employees to easily input security events can offer a way to measure the effectiveness of a security awareness program.

Incident reporting has dual benefits, acting as a triage and response system for security issues as they arise, and logging and auditing the awareness of staff. Employees should be trained to use the incident reporting system to record security events, such as:

  • Receipt of a phishing message
  • Accidental exposure of a password
  • Suspected malware infection
  • Accidental exposure of information via email misdelivery
  • Lost or stolen devices
  • Social engineering attempts, e.g., a phone scam

Measure, Listen, Optimise

Security awareness programs are renowned for being difficult to measure. The measurement of behaviour and understanding is often qualitative rather than just quantitative. However, by using a combination of factors that capture indicators of behavioural change and awareness, a business can ensure that its program is effective.

Ultimately, an organisation needs an effective security awareness program to result in reduced cyber attacks and better overall company cyber-safety. As employees continue to understand how cyber security threats work, optimising the effectiveness of a security awareness program will result in a culture of security that pays off with better security.

Measuring the Success of your Security Awareness Program

Other Articles on Cyber Security Awareness Training You Might Find Interesting