网络安全培训项目并不便宜. Organizations worldwide invest significant amounts of money in cybersecurity training every year.1 使这种资源分配有价值, enterprises must ensure that their cybertraining programs offer a sufficient return on investment (ROI).
There is also a need to continuously evaluate cybersecurity training programs to ensure that the cost-benefit analysis is fully actualized. The ROI of a cybersecurity program is generally challenging to measure accurately due to the lack of a standard framework for doing so.
There is much to be gained by exploring various approaches to ensuring benefits realization for any cybersecurity training program. Effective, data-driven management decisions regarding security training are key.
设定培训目标
在实施网络安全培训计划之前, an organization must clearly define the objectives of the proposed training program. The set objectives should be related to overall organizational goals and describe the gap that is expected to be addressed by the training program. For example, some training programs are created to develop essential cybersecurity awareness, while others are tailored to address how to increase incident response capacity. In any case, precise definition of objectives helps generate ideas about how to best measure and develop metrics to meet goals.
确定员工能力的基线
培训目标确定后, it is critical to develop baseline data to eventually realize the benefits of security training. The baseline data should highlight the proposed training participants’ current capabilities, including their levels of skills and knowledge of the selected domain. This is valuable for documentation purposes and provides a reference point against which training outcomes can later be benchmarked. It is essential for organizations to comply with any applicable regional data protection laws while collecting employee data.
培训目标确定后, it is critical to develop baseline data to eventually realize the benefits of security training.
将培训目标与交付方法联系起来
在目标培训计划的设计和实施过程中, the program's objectives must be continuously mapped to the training delivery method (e.g.,头脑风暴会议,讲座,模拟/角色扮演). This ensures consistency and relevance of the training in relation to the organization-identified gaps. Additionally, 培训计划实施前, 这可能有助于评估培训师的素质. The best trainers may not be those who are the most qualified on paper. Rather, the most effective trainers need only have the proper knowledge and the best delivery method.
培训后项目评估
培训项目结束后, it is essential to develop post-assessment metrics to measure the benefits realized. This assessment can be performed using a mixed method of data collection, that is, 一个定性和定量的方法. Qualitative data supplements quantitative data by providing insights into subjects’ lived experiences. The outputs to be measured are the skills, knowledge and behaviors of the training participants. The results of the post-assessment training can be cross-referenced to the initial baseline data collected before the commencement of the training. The organization can use this information to gauge and assess the benefits realized from the training. For example, 在事件响应训练的情况下, the organization can measure how a team responds to an incident and the quality of the response on the axis of the time it took the team to respond to the call.
因为成本是任何培训的关键因素, it is essential to justify the money spent on a training program by demonstrating the benefits attained. 最终目标是建立一个强大的网络安全态势. To achieve this, it is vital to measure employees’ knowledge and productivity levels. 如果,随着时间的推移,员工可以创造更多的价值(e.g., 通过更快地解决网络事故), it is a good indicator that the investment made in training has attained the desired benefits.
持续评估质量
持续改进是实现效益的一个重要方面. Organizations are expected to continuously evaluate the quality of the training programs they choose, 是否内部, 在线或在其他位置. 通过持续评估, new gaps can emerge which must be promptly addressed to ensure that the realized knowledge, 技能和行为保持一致.
Conclusion
通过调整培训目标, 建立度量标准并跟踪预期的效益实现, organizations can rest assured that their training programs are of great value and help meet their overall goals of having sufficient cybersecurity posture and cyberresilience. A data-driven approach helps ensure that continuous investment in cybersecurity training is worthwhile.
Endnotes
1 Morgan, S.; “Security Awareness Training Market to Hit $10 Billion Annually By 2027,” 网络犯罪的杂志, 2023年4月17日
Sadiq Nasir
Is a thought leader in the field of information and communication technology (ICT). 他是NetSwitch Limited的管理合伙人, a role dedicated to helping actualize the company’s mission and vision. Nasir is also a researcher of academic information systems at the American University of Nigeria (Yola, Nigeria). He is at the forefront of cutting-edge research and innovation on the ICT landscape and has published several academic conference papers, 书籍章节和选项文章. Nasir actively promotes organizational cybersecurity and cybersecurity culture and offers his voice to the Cybersecurity Experts Association of Nigeria (CSEAN). He has served on several committees at the federal legislature and executive levels, providing thought leadership related to policy documentation formulation and implementation in the digital economy.