Rethinking Cybersecurity Training to Build a Resilient Workforce

Author: Sadiq Nasir
Date Published: 12 December 2023

Cybersecurity training programs do not come cheap. Organizations worldwide invest significant amounts of money in cybersecurity training every year.1 To make this allocation of resources worthwhile, enterprises must ensure that their cybertraining programs offer a sufficient return on investment (ROI).

There is also a need to continuously evaluate cybersecurity training programs to ensure that the cost-benefit analysis is fully actualized. The ROI of a cybersecurity program is generally challenging to measure accurately due to the lack of a standard framework for doing so.

There is much to be gained by exploring various approaches to ensuring benefits realization for any cybersecurity training program. Effective, data-driven management decisions regarding security training are key.

Setting Objectives for Training

Before implementing a cybersecurity training program, an organization must clearly define the objectives of the proposed training program. The set objectives should be related to overall organizational goals and describe the gap that the training program is expected to address. For example, some training programs are created to develop essential cybersecurity awareness, while others are tailored to increase incident response capacity. In any case, precisely defining objectives helps generate ideas about how best to measure progress and develop metrics for meeting those goals.

Determining a Baseline for Employee Capabilities

After training objectives have been set, it is critical to develop baseline data to eventually realize the benefits of security training. The baseline data should highlight the proposed training participants’ current capabilities, including their levels of skills and knowledge of the selected domain. This is valuable for documentation purposes and provides a reference point against which training outcomes can later be benchmarked. It is essential for organizations to comply with any applicable regional data protection laws while collecting employee data.


Connecting Training Objectives With the Delivery Method

During the design and implementation of the target training program, the program's objectives must be continuously mapped to the training delivery method (e.g., brainstorming session, lecture, simulation/roleplay). This ensures consistency and relevance of the training in relation to the organization-identified gaps. Additionally, before the implementation of the training program, it may be helpful to evaluate the quality of the trainer. The best trainers may not be those who are the most qualified on paper. Rather, the most effective trainers need only have the proper knowledge and the best delivery method.

Evaluating the Program Post-Training

When the training program has concluded, it is essential to develop post-assessment metrics to measure the benefits realized. This assessment can be performed using a mixed method of data collection, that is, a combined qualitative and quantitative approach. Qualitative data supplements quantitative data by providing insights into participants’ lived experiences. The outputs to be measured are the skills, knowledge and behaviors of the training participants. The results of the post-training assessment can be cross-referenced with the baseline data collected before the commencement of the training. The organization can use this information to gauge and assess the benefits realized from the training. For example, in the case of incident response training, the organization can measure how a team responds to an incident and the quality of the response against the time it took the team to respond to the call.

Because cost is a critical factor of any training, it is essential to justify the money spent on a training program by demonstrating the benefits attained. The ultimate aim is to develop a robust cybersecurity posture. To achieve this, it is vital to measure employees’ knowledge and productivity levels. If, over time, employees can generate more value (e.g., by achieving faster resolution of cyberincidents), it is a good indicator that the investment made in training has attained the desired benefits.

Continuously Assessing Quality

Continuous improvement is an essential aspect of benefit realization. Organizations are expected to continuously evaluate the quality of the training programs they choose, whether delivered in-house, online or at an alternate location. Through continuous evaluation, new gaps may emerge that must be promptly addressed to ensure that the realized knowledge, skills and behaviors remain consistent.

Conclusion

By aligning training objectives, establishing metrics and tracking the intended benefit realization, organizations can rest assured that their training programs are of great value and help meet their overall goals of having sufficient cybersecurity posture and cyberresilience. A data-driven approach helps ensure that continuous investment in cybersecurity training is worthwhile.

Endnotes

1 Morgan, S.; “Security Awareness Training Market to Hit $10 Billion Annually By 2027,” Cybercrime Magazine, 17 April 2023

Sadiq Nasir

Is a thought leader in the field of information and communication technology (ICT). He is the managing partner of NetSwitch Limited, a role dedicated to helping actualize the company’s mission and vision. Nasir is also a researcher of academic information systems at the American University of Nigeria (Yola, Nigeria). He is at the forefront of cutting-edge research and innovation in the ICT landscape and has published several academic conference papers, book chapters and opinion articles. Nasir actively promotes organizational cybersecurity and cybersecurity culture and offers his voice to the Cybersecurity Experts Association of Nigeria (CSEAN). He has served on several committees at the federal legislative and executive levels, providing thought leadership related to policy formulation, documentation and implementation in the digital economy.