How do we measure changes in behaviour?


I ended the last post by introducing this one: how do we measure the changes and impacts that laughter drives when it is used in our awareness campaigns?

Firstly, I am not trained in the area of behavioural change. Secondly, this is simply my view, put out into the ether from my own experiences in life and the odd bit of reading too (yes I can read, though Audible mostly helps!).

Most metrics in the awareness space are some form of quiz at the end of a module or presentation, or a competitive outcome when gamification is used. This is all well and good, but does it actually show anything more than how good our memories are at retaining recently imparted information, and how competitive some individuals in our teams become when we put them in certain situations?

Do any of these metrics handle the tricky concept of measuring behaviours?

There is a common misconception that new habits take 21 days to form. When you dig into it, this is based on the conjecture of one doctor in the 1950s, and it seems to have become an urban myth afterwards because it suited the new-age self-help revolution. Dig deeper and there are other, more in-depth studies, each with varying outcomes. Most centre on an average of 66-90 days to form a new habit or behaviour, but in reality the results of these studies showed a wide spread, anywhere from 2 to 18 months. The average is far less useful than that spread: whatever we measure, we should expect some people to change within weeks and others to take well over a year.

So that’s for individuals; what about cultures within companies? Here’s where it gets even greyer than my hair and beard. Cultural change is measured in years, with the consensus lying somewhere between 2 and 8 years.

If we then try the tricky conundrum of how we actually measure this change over time, what are we left with? Questionnaires, quizzes, external auditing, behavioural profiling approaches and more? Do we ever talk to each other nowadays on a simple 1-2-1 basis?

I think what we are forgetting in all this measurement is the actual exam question we started with, which is really: how much more aware are our users of the risks of doing business online?

Do we then invest in some form of phishing simulation tool, and derive an answer from how many more or fewer links are clicked (if that’s our focus, for example)?

There’s a problem with this approach in my mind, and it is something that has never sat well with me. If we “test” our users with negative forms of testing, such as “tricking” them with bogus phishing links, are we doing them a disservice? Do we then paralyse them with fear each time a new link is served up to them?

Should we therefore concentrate on reinforcing the awareness narrative with consistency of message, rather than on tricks and tools that will probably only tell us what we all already know: “we are all one click away from notoriety”?

The issue with this form of metric is that links are there to be clicked on; for most millennials and Gen Z’ers this is all they have ever known. Expecting people to reliably tell good links from bad is a losing game. And because we are all fallible at some point, we are all bound to click on an unsafe link eventually, so a click rate on its own tells us very little.

So what’s the answer then Ian?

For me it is consistency of messaging, and engaging your teams with emotional content that resonates with them, delivered how and when they want it.

Showing them compassion when they err is also key, as is offering several ways for them to learn: not just talking at them, but giving them engaging content that they can watch or read over and over again and spot something new each time.

Having an awareness month, or a presentation once a year, and calling this training is not going to change anything. But is it solely down to the individual to want this or to expect it, or are they wandering blindly in the online stratosphere without the help and guidance they so richly deserve? I think this lies in the leaders’ domain, so maybe that is for another post: what should we expect from our leaders in cyber when it comes to actually having not only the business’s but our best interests at heart? More on that to come ….
