Do user awareness campaigns lower IT security risks?
In an era of IT consumerization, user behavior influences both information protection and information loss: data show that user error was involved in 62 percent of incidents in which information was compromised.
Although organizations seek to address this risk by investing in awareness campaigns, these same organizations are often challenged to assess the effectiveness of such measures.
Data from the Corporate Executive Board shows that although 61 percent of organizations track user completion of training as the primary measure of success, only 7 percent say there is a demonstrable link between training and sustained behavior improvement.
Rather than focusing on user training completion, the most effective awareness campaigns should be built around an understanding of user behavior, targeting the riskiest users and their reasons for noncompliance as well as tracking metrics to ensure employee compliance with security policies.
A survey by the CEB’s Information Risk Executive Council showed that the primary metrics for measuring the success of user awareness campaigns included the percentage of users completing training; year-over-year reduction in specific types of information caused by user error; and user understanding of security as evidenced by surveys.
A self-diagnostic quiz on the effectiveness of user awareness campaigns can be found below.