Most cybersecurity training teaches users to spot phishing emails or explains how to report suspicious activity. Security company Infosec is taking a different approach by measuring a company’s security culture. This user assessment aims to understand employee attitudes about security and their comfort level in contacting the security team.

Jack Koziol, Infosec CEO and founder, said a company’s cybersecurity culture offers unique insight into the effectiveness of security awareness training.

“However, it is also an extremely challenging metric to quantify and track over time,” he said.

The Infosec IQ Cybersecurity Culture Survey measures the impact of training beyond measurements like phishing click rates and training completion, Koziol said.

The survey is short—18 questions—and is not a quiz about cybersecurity best practices. It’s more of an attitude check to determine how relevant an employee finds security training and how important cybersecurity is to the company overall.

The Infosec IQ Cybersecurity Culture Survey measures these five sentiments:

  • Confidence: How employees classify their own ability to put their cybersecurity knowledge to practical use
  • Responsibility: How employees perceive their role in cybersecurity
  • Engagement: How willingly employees participate in security awareness and training programs and use resources to improve security behaviors
  • Trust: How employees perceive the security posture and processes at their organization
  • Outcomes: How employees perceive the consequences of a security incident at their company

The tool generates a score for each domain and offers suggestions for improving each score and strengthening cybersecurity culture overall. If a confidence score is low, the tool recommends offering situational, hands-on training or personalizing automated phish reporting responses to thank employees for a job well done. If trust is low, the tool suggests making time to talk about current cybersecurity events in the news and share lessons learned or takeaways.

According to Infosec, managers can conduct the survey as needed and use the results to guide changes to cybersecurity policies, practices or training strategies. The survey requires at least 10 results to display aggregated, anonymized results. Security teams can track change over time as well.

Infosec also has a “choose your own adventure” style security awareness game designed to boost the security culture at a company.

Tyler Schultz, product marketing manager at Infosec, said that cybersecurity teams need more resources and funding to stand up a truly comprehensive cybersecurity strategy.

“It can be really hard for these teams to get the buy-in and support from leadership, until a serious breach occurs and it becomes obvious to everyone,” he said.

A recent report on managing security in Microsoft 365 recommends that leaders make security a team effort. Instead of trying to control all user activity, security leaders should give people more freedom to manage Microsoft 365 features, combined with clear data governance guidance. The report authors said this balance will allow people to get work done without compromising security.