Security Behavior and Culture Metrics: Elevating Awareness and Action
Learn how to measure and enhance your organization's security behavior and culture metrics. Explore strategies to foster awareness, improve decision-making, and create a robust cybersecurity-first mindset across your workforce.
2024-12-07
Effective cybersecurity programs thrive on the ability to drive real behavior change and establish a robust security-conscious culture. Using a storytelling approach, metrics become the protagonists of this narrative, offering pivotal insights that reveal progress, expose vulnerabilities, and inspire actionable improvements. Each metric is a chapter in a larger tale—a tale that aligns security efforts with tangible outcomes.
By weaving these data points into a cohesive narrative, organizations can engage stakeholders with stories of success, showcasing reduced risks, fortified defenses, and a stronger security posture. These metrics ensure that every plot point contributes meaningfully to a compelling and results-driven cybersecurity journey.
Suggested by Gartner and implemented by Keepnet, the Security Behavior and Culture metrics provide actionable insights that help organizations measure progress, refine strategies, and align security initiatives with their broader objectives.
SBCP Metrics Catalog
Metrics form the foundation of an effective Security Behavior and Culture Program (SBCP). Below is a catalog of key metrics categorized to offer insights into behavior, culture, strategic alignment, compliance, and ambassador programs:
Metric Category | Description |
---|---|
Impact Metrics – Behaviors | These metrics measure the impact of our security education training. Specifically, is the security education program changing people's behaviors? |
Impact Metrics – Culture | These metrics evaluate changes in the organization’s overall mindset and attitudes towards security. Specifically, are they changing people's attitudes, beliefs, and norms concerning security? |
Impact Metrics – Strategic Alignment | These metrics measure how well the security education supports the company’s main security goals and, ultimately, the mission of our organization. These are the types of metrics senior leadership are more likely to be interested in. |
Compliance Metrics | These metrics measure what the awareness program is doing, specifically who is being trained and how. These metrics are most valuable for compliance and auditing purposes. |
Ambassador Program Metrics | These metrics measure the activity and impact of a security ambassador program. |
Table 1: SBCP Metrics
Tracking these metrics offers a multi-faceted view of a program’s effectiveness, as suggested by Gartner and implemented by Keepnet. This collaboration enables organizations to tailor security programs that drive behavior change, strengthen cultural adoption, and align with strategic business goals, ensuring measurable business outcomes.
Behavior-Centric Metrics
Behavior-centric indicators focus on measuring specific actions and outcomes related to employee security behaviors. These metrics help identify areas of risk, highlight successful training outcomes, and track progress in fostering a culture of proactive security engagement. Below is a table of detailed behavior-centric indicators:
Metric | What is Measured? |
---|---|
Phishing simulation susceptibility rate | Number of people who fall victim to a phishing simulation. The definition of falling victim is clicking on the link or opening an attachment. |
Phishing simulation report rate | Number of people who detect and report a phishing email (regardless of whether it's an assessment or real attack). |
Phishing simulation repeat offenders | Number of workforce members who fall victim to phishing simulations in two or three consecutive campaigns. These individuals are not changing behavior and represent a high risk. |
Benign phishing reported | Number of emails reported as phishing that were deemed benign by the Security Operations Team. |
Malicious phishing reported | Number of emails reported as phishing that were deemed malicious by the Security Operations Team. |
Phishing reporting (Thank you email) | Number of unique people who were sent a personal 'Thank you' email for reporting an actual malicious email. |
Non-phishing Indicators – Compromised credentials | Number of times compromised credentials were reported to the Security Operations team. |
Non-phishing Indicators – Breaches of confidential information | Number of times breaches of confidential information were reported to or identified by the Security Operations team. |
Non-phishing Indicators – Cybersecurity event reporting | Number of security events reported by employees (excluding suspicious emails). This measures awareness of security events and reporting behavior linked to the Security Behavior and Culture Program. |
Non-phishing Indicators – Lost/Stolen devices | Number of devices (laptops, phones) that were lost or stolen. |
Non-phishing Indicators – Password manager or MFA adoption rate | Number of unique people who have enabled MFA and/or are using a password manager. |
Table 2: Behavior-Centric Metrics
These indicators are instrumental in identifying risky behaviors and measuring the impact of security awareness programs. Suggested by Gartner and implemented by Keepnet, these metrics ensure that organizations gain actionable insights into employee engagement and security posture.
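The phishing rows of Table 2 are computable directly from simulation results. The following Python is an added example, not Keepnet's or Gartner's code: it computes the susceptibility rate, the report rate and the repeat-offender list (two or three consecutive campaigns) over a constructed set of outcomes, and checks a rate against a target the way the dashboard later in this article does. The record layout, the user and campaign names, and the `meets_target` helper are all assumptions; only the metric definitions come from the table.

```python
"""Phishing metrics from Table 2 over constructed simulation results.

Added example; the Outcome/Campaign schema, user ids and campaign names are
assumptions, not a real product's data model.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Outcome:
    """One recipient's result in one simulation (constructed schema)."""
    user: str
    clicked: bool            # clicked the simulated phishing link
    opened_attachment: bool  # opened the simulated attachment
    reported: bool           # reported the message through the report button


@dataclass(frozen=True)
class Campaign:
    name: str
    outcomes: List[Outcome]


def fell_victim(o: Outcome) -> bool:
    """Table 2 definition: clicking the link or opening the attachment."""
    return o.clicked or o.opened_attachment


def susceptibility_rate(c: Campaign) -> float:
    """Share of recipients who fell victim (0.0 .. 1.0); empty campaign -> 0.0."""
    if not c.outcomes:
        return 0.0
    return sum(fell_victim(o) for o in c.outcomes) / len(c.outcomes)


def report_rate(c: Campaign) -> float:
    """Share of recipients who reported the simulation (0.0 .. 1.0)."""
    if not c.outcomes:
        return 0.0
    return sum(o.reported for o in c.outcomes) / len(c.outcomes)


def repeat_offenders(campaigns: List[Campaign], streak: int) -> List[str]:
    """Users who fell victim in `streak` consecutive campaigns (in list order).

    A campaign in which the user was not a recipient (e.g. not yet hired)
    breaks the streak, as does a campaign in which they did not fall victim.
    """
    run: Dict[str, int] = {}      # current consecutive-victim count per user
    longest: Dict[str, int] = {}  # longest streak seen per user
    for c in campaigns:
        present = {o.user for o in c.outcomes}
        victims = {o.user for o in c.outcomes if fell_victim(o)}
        for u in present:
            run[u] = run.get(u, 0) + 1 if u in victims else 0
            longest[u] = max(longest.get(u, 0), run[u])
        for u in list(run):
            if u not in present:
                run[u] = 0
    return sorted(u for u, n in longest.items() if n >= streak)


def meets_target(value: float, target: float, lower_is_better: bool) -> bool:
    """Assumed dashboard rule: click rate must be below target, report rate at/above it."""
    return value < target if lower_is_better else value >= target


def _o(user: str, clicked=False, opened=False, reported=False) -> Outcome:
    return Outcome(user, clicked, opened, reported)


# Constructed sample: three campaigns, five recipients; eve was absent from Q2.
CAMPAIGNS = [
    Campaign("Q1", [_o("alice", clicked=True), _o("bob", clicked=True),
                    _o("carol", reported=True), _o("dave"), _o("eve", opened=True)]),
    Campaign("Q2", [_o("alice", clicked=True), _o("bob", reported=True),
                    _o("carol", reported=True), _o("dave", clicked=True)]),
    Campaign("Q3", [_o("alice", clicked=True), _o("bob", reported=True),
                    _o("carol", reported=True), _o("dave", clicked=True),
                    _o("eve", reported=True)]),
]

if __name__ == "__main__":
    for c in CAMPAIGNS:
        print(f"{c.name}: susceptibility={susceptibility_rate(c):.0%} "
              f"report={report_rate(c):.0%}")
    print("2x repeat offenders:", repeat_offenders(CAMPAIGNS, 2))
    print("3x repeat offenders:", repeat_offenders(CAMPAIGNS, 3))
```

Note that the streak logic treats a user who was not a recipient of a campaign as having no result, so a new hire who clicks in their first two campaigns is counted the same way as a long-tenured employee; if a program prefers to count only campaigns the user actually received, drop the reset loop.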
Culture Metrics
Culture metrics provide insight into the organization’s shared attitudes, beliefs, and perceptions towards cybersecurity. These metrics evaluate how well security culture initiatives are resonating with employees and driving the adoption of secure practices. Below is a detailed table of culture metrics:
Metric | What is Measured? |
---|---|
Culture survey | The organization’s shared attitudes, beliefs, and perceptions concerning cybersecurity. |
Focus groups | The organization’s shared attitudes, beliefs, and perceptions concerning cybersecurity as discussed in group settings. |
Business engagement requests | Number of requests the security awareness team gets to conduct security briefings for other business units or teams (e.g., 'Awareness as a Service' sessions). |
Table 3: Culture Metrics
These metrics are vital for understanding how deeply cybersecurity values are embedded in the organization’s culture and for identifying opportunities to further integrate secure practices into everyday workflows.
Strategic Alignment Metrics
Strategic alignment metrics measure how well security initiatives support the company’s broader goals and overall mission. These metrics focus on minimizing incidents, reducing costs, and ensuring alignment with organizational objectives. Below is a table of detailed strategic alignment metrics:
Metric | What is Measured? |
---|---|
Policy violations | Number of times breaches of Information Security policies are reported. |
Data loss events | Number of times there is a data loss event, either accidental or due to a deliberate attack. |
Infected computers | Number of infected computers. |
Misconfigured systems | Number of security events caused by misconfigured systems or applications. |
CASB alerts | Number of unsanctioned cloud service uploads. |
Number of incidents | The overall number of incidents, such as infected devices due to phishing or account takeovers from weak passwords. |
Costs of incidents | By reducing the number of incidents and the dwell time of successful attackers, overall costs can be minimized. |
Table 4: Strategic Alignment Metrics
These metrics provide a clear connection between security behaviors and organizational outcomes, allowing leaders to assess the tangible benefits of security programs and adjust strategies to optimize performance.
Compliance Metrics
Compliance metrics focus on ensuring that security awareness programs meet organizational and regulatory standards. These metrics also track participation and completion rates to assess whether employees are effectively engaging with required training and campaigns. Below is a detailed table of compliance metrics:
Metric | What is Measured? |
---|---|
Security awareness as a service | The number of employees trained in the targeted awareness-as-a-service webinar training sessions. |
Keepnet training modules | The number of Keepnet training campaigns assigned / Completion Rate % (does not include mandatory training). |
Security awareness campaigns | Individual awareness campaign metrics (Effectiveness, Engagement level, Quiz Results, etc.). |
Training completion (annual mandatory) | The number (and %) of employees who have completed annual security awareness training. |
Table 5: Compliance Metrics
Ambassador Program Metrics
Ambassador program metrics measure the activity and effectiveness of internal security champions in promoting security awareness initiatives. These metrics focus on the engagement, training, and real-world impact of ambassadors within the organization. Below is a detailed table of ambassador program metrics:
Metric | What is Measured? |
---|---|
Number of ambassadors | Number of active ambassadors promoting the security awareness program. |
Ambassadors channel | Number of posts (i.e., threads) on the ambassadors’ channel. |
Ambassadors meeting attendance | Number of ambassadors who attend monthly meetings. |
Ambassadors training | % of champions who completed training (e.g., Bronze, Silver, and Gold levels). |
Ambassadors phishing simulation susceptibility rate | Number of people who fall victim to a phishing simulation. The definition of falling victim is clicking on the link or opening an attachment. |
Ambassadors phishing simulation reporting | Number of people who detect and report a phishing simulation. |
Success stories | Real-world stories of how workforce members identified and/or stopped a real attack. |
Ambassadors' attitudes, beliefs, and behaviors | Ambassadors' attitudes, beliefs, and certain behaviors as captured from focus groups. |
Table 6: Ambassador Program Metrics
These metrics offer a valuable perspective on how ambassador programs drive peer-led engagement and foster a security-first mindset across the organization. By measuring both the activities and outcomes of ambassadors, organizations can fine-tune their programs and amplify their cultural impact.
Security Behavior & Culture Dashboard
The Security Behavior & Culture Dashboard provides a snapshot of key metrics to visually communicate the program’s progress and outcomes. This dashboard is designed to resonate with executives by focusing on high-level outcomes and actionable insights.
Dashboard Component | Metric/Target | Status |
---|---|---|
Behavior Metrics | % Click Rate (Target: <5%) | 3.5% |
Behavior Metrics | % Reporting Rate (Target: 40%) | 45% |
Culture Metrics | Voluntary Training Participation (Target: 40%) | 38% |
Culture Metrics | Consistent Program Engagement | Achieved |
Strategic Outcomes | Incident Reduction (Target: 50%) | 48% |
Strategic Outcomes | Compliance with Security Policies | On Track |
Business Impact | Cost Avoidance (Target: $75,000) | $78,000 |
Table 7: Security Behavior & Culture Dashboard
Example Dashboard Explanation: The dashboard emphasizes measurable results such as incident reduction, participation rates, and cost avoidance, reflecting the alignment of security behaviors with organizational goals.
Phishing Susceptibility: A Behavior Change Story
"Phishing Susceptibility: A Behavior Change Story" illustrates the tangible outcomes of targeted SBCP initiatives, such as click rates and reporting rates from phishing simulations, over time. It highlights pivotal moments like the onboarding of new hires and IT policy updates, demonstrating their impact on behavior and culture.
At the start of the year, the organization faced a significant challenge with phishing susceptibility. In January, the click rate on phishing emails stood at a concerning 35%, while the reporting rate was only around 10%. Additionally, the rate of repeat clickers hovered close to the 10% threshold.
Recognizing the need for intervention, the organization implemented a series of targeted measures:
New Hires Onboarding Program (April-June):
- During this period, an influx of new employees slightly disrupted the downward trend in click rates. This spike underscored the need for effective onboarding and tailored phishing simulations for new hires.
- Despite this, the reporting rate began to improve, showcasing early signs of awareness and proactive behavior among employees.
IT Policy Update (October):
A pivotal moment in the year, the introduction of updated IT policies, including stricter controls and enhanced security training, marked a dramatic shift. Following the update:
- The click rate dropped sharply to below 10%, surpassing the organization’s target of 5% for click-through rates.
- The reporting rate surged to over 40%, meeting the performance level agreement (PLA) for simulation reporting rates.
- Repeat clicker rates also declined steadily, moving closer to the 5% goal.
Impact on Cybersecurity and Business Benefits:
- Cybersecurity Benefits: The organization achieved a 50% reduction in phishing incidents, significantly mitigating potential risks to sensitive data and operational integrity.
- Business Benefits: A 40% reduction in avoidable phishing incident remediation costs translated to savings of approximately $75,000.
By the end of the year, the data showcased a profound transformation in employee behavior and organizational resilience against phishing threats. This success was a testament to the effectiveness of tailored awareness training programs, strategic policy updates, and continuous improvement in security practices.
Creating Outcome-Driven Executive Reports With Keepnet
Keepnet Human Risk Management Platform enables organizations to create data-driven executive reports that tell compelling stories. By leveraging outcome-driven metrics, organizations can demonstrate:
- Progress in reducing employee-driven cybersecurity risks.
- Return on investment in security behavior and culture programs.
- Alignment of security initiatives with business objectives and risk posture.
These reports focus on what matters most to executives—outcomes and their business implications—ensuring buy-in and continued support for security programs.