The effectiveness of cybersecurity awareness activities is evaluated periodically and according to defined triggers, such as system changes and external events, and improvements are made as appropriate
Context and Guidance: The organisation should have a documented process to evaluate the effectiveness of awareness activities. Typically, assessing effectiveness is done by having employees fill out evaluations after awareness activities. It’s more challenging to evaluate the effectiveness of other awareness mechanisms such as posters or regular communications. These are examples of methods that can be used to evaluate the effectiveness of awareness activities: • questionnaires or surveys designed to measure people’s awareness of specific topics • focus groups to elicit the level of awareness of a group of people after an awareness activity and to gather improvement recommendations • selective interviews to inquire about awareness and any changes in behavior that may have occurred as a result of awareness activities • behavioral measures to objectively evaluate shifts in behavior after an awareness activity—for example, evaluating the strength of passwords before and after a password-awareness activity • observations, evaluations, and benchmarking activities conducted by external entities
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-2a, WORKFORCE-2b, WORKFORCE-2c, WORKFORCE-2d, WORKFORCE-2e, WORKFORCE-2f, WORKFORCE-2g.