Can employee awareness campaigns be measured to ensure efficiency?

By Sushmil Milind Garde, Cyber Security Evangelist and Training Officer, Tesseract Consulting Pvt Ltd

Cyber Aware Behaviour must be the ultimate goal of an awareness campaign. It’s a continuous process that keeps employees a step ahead of the problems.

The Problem:

Behaviour matters, awareness doesn’t! Every industry must conduct a Cyber Security Awareness Program under compliance regulations.

The problem lies right there! Even today, when IT has become a major pillar of any successful business, companies carry out awareness campaigns only because they are a mandatory requirement under compliance regulations.

Therefore, I think most of them are not effective. Creating interactive software or a presentation to showcase the importance of cyber safety is not good enough. Also, creating a questionnaire at the end of every small topic (about 5-10 slides) never measures the efficiency of the program.

How many of us have lost track of a module because the slides were too passive and gave very static information on cyber security, yet at the end of the session could tick all the correct answers?


I believe that no machine can replace humans. Humans like to interact with other humans (especially those from a non-IT background). My recommendation to improve the effectiveness of the training is to conduct it in person. The sessions must include recent incidents from the cyber world and the reasons behind them. Everyone likes to know about the thrills happening around IT, and that catches their attention. The session becomes more interactive and, most importantly, questions start coming from the audience.

This is impossible when the awareness training is conducted by software. Employees get answers to the problems they faced or are currently facing, and that is the first success of your campaign. In a week’s time, changes can be seen in employees’ cyber behaviour.

The session must be based on recent trends and future speculations. Awareness is a preventive measure and hence should stay one step ahead of the actual problem: the attack. Also, if the campaign is for non-IT staff, then including a lot of technical jargon might be too harsh on the audience.

Delivering a very interesting session is just the beginning, but it’s not the measure of your effectiveness. As I said before, behaviour matters! Behaviour is the most important measure of the effectiveness of your awareness campaign. Testing the cyber behaviour of employees in real, everyday situations can be the only measure of efficiency.

Send them emails from a different (similar-looking) domain with an attachment or a link and see if they interact with the email (email tracking tools are available). If they do click on the link or try to download the file, then redirect them to an informative page that will show them their mistake.

This will give them the experience of a phishing or spear phishing attack without any damage and will make them more careful next time. Drop a couple of pen drives near employee desks, and maybe near the elevator, each containing a program that displays a warning on the screen if it is inserted into a computer. Try more such innovative ways in which employees get the experience of real threats. In just a few weeks, positive results can be seen and the graph of mistakes made by employees will certainly go down.
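The "graph of mistakes" can be computed from the email tracking events of each simulated campaign. The following is an added example, not part of the original article; the event format, the campaign labels (Q1, Q2) and the recipient IDs are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

MISTAKES = {"clicked", "downloaded"}  # interactions the article treats as mistakes

# Constructed sample tracking events: (campaign, recipient, action).
EVENTS = [
    ("Q1", "emp01", "sent"), ("Q1", "emp02", "sent"),
    ("Q1", "emp03", "sent"), ("Q1", "emp04", "sent"),
    ("Q1", "emp01", "clicked"), ("Q1", "emp01", "clicked"),  # same person twice
    ("Q1", "emp02", "downloaded"),
    ("Q1", "ext99", "clicked"),  # never targeted, e.g. a forwarded copy
    ("Q2", "emp01", "sent"), ("Q2", "emp02", "sent"),
    ("Q2", "emp03", "sent"), ("Q2", "emp04", "sent"),
    ("Q2", "emp02", "clicked"),
]

def group(events):
    """Return {campaign: (targets, interacted)}, counting each person once."""
    targets, hits = defaultdict(set), defaultdict(set)
    for campaign, recipient, action in events:
        if action == "sent":
            targets[campaign].add(recipient)
        elif action in MISTAKES:
            hits[campaign].add(recipient)
    # Only people who were actually sent the test email are counted.
    return {c: (targets[c], hits[c] & targets[c]) for c in sorted(targets)}

def mistake_rates(events):
    """Share of targeted employees who interacted, per campaign."""
    return {c: len(hit) / len(tgt) for c, (tgt, hit) in group(events).items()}

def trend(events):
    """Change in mistake rate versus the previous campaign (negative = better)."""
    rates = mistake_rates(events)
    names = list(rates)
    return {b: rates[b] - rates[a] for a, b in zip(names, names[1:])}

def repeat_clickers(events):
    """Employees who interacted in more than one campaign."""
    counts = Counter(p for _, hit in group(events).values() for p in hit)
    return sorted(p for p, n in counts.items() if n > 1)

if __name__ == "__main__":
    print(mistake_rates(EVENTS), trend(EVENTS), repeat_clickers(EVENTS))
```

Counting each employee once per campaign and ignoring interactions from addresses that were never targeted keeps repeat clicks and forwarded copies from inflating the rate.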

The efficiency of an awareness campaign can be judged on 2 things. One is during the session, when employees ask questions about their issues or experiences. This measures the effectiveness of the speaker, who has kept the audience gathered and interested. This also shows the current level of awareness among employees. The second measure of an efficient awareness campaign is the behavioural changes that occur after the session. The best way to track these changes is through the innovative methods mentioned above.

The awareness campaign must not be an annual activity; it is at its best when done quarterly. I think it is every employee’s responsibility to keep the office network secure from threats, and for that everyone can spend one hour in three months learning how to do it.