Do you have processes for gathering feedback on security awareness training? How can leaders create effective feedback loops to identify and make improvements when needed?
VP of Engineering, 2 months ago
To truly test your organization's security training effectiveness, you need to routinely test using simulated attacks. Some of the vendors already have phishing campaign management capabilities. We target the phish-prone users with more frequent training, as well as management involvement for frequent offenders.

CISO in Banking, 2 months ago
Yes, we do have a process for gathering feedback on cyber security training. We work closely with our training and development department to conduct quarterly cyber security training modules for all of our employees. I personally provide a brief introduction to our new employee orientation training every month. One way we gather feedback is by offering employees the chance to provide feedback to the training department on the content after every module. This could be about any technical issues or questions they have on the content.

We also monitor weekly phishing reports by employees. We have a report-phishing button, and when an employee reports an email as suspicious, we analyze it. If we determine it is malicious, we take appropriate actions not only to remove it from the inboxes of other people who may not have seen it yet, but also to block whatever it is that the phishing email was trying to do. We keep track of these statistics and report them to our regulators. This helps us gauge how effective our training is.
Associate Vice President, Information Technology & CISO in Education, 2 months ago
We also use a similar process. We work with our learning and development team to provide mandatory cyber training for new employees. They can provide feedback and can also email us. We do receive unsolicited feedback on our phishing campaigns, which we take into consideration. For example, we conduct campaigns around tax time or Amazon Prime Day, and we do receive feedback on these.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 months ago
I agree with the points made by Steve and John. However, it's important to remember that with feedback for security awareness, it's difficult to know exactly what came in or how many came in. So, while we might say, for instance, that we received 10 reports, so our security awareness is working, it could be that we got 10 fewer emails. Therefore, it's important to be open to the fact that the reason your numbers went up or down may not necessarily be due to what you did. It could be due to an external factor.