
From Vanity Metrics to Real Impact: Validated Learning in Cybersecurity Training for SMEs


Introduction

As cyber threats grow increasingly sophisticated, businesses are more aware than ever of the need for robust cybersecurity. One of the most effective ways to protect an organisation is through cybersecurity training, educating employees about the risks they face and how they can contribute to the company’s overall security posture.

However, when it comes to measuring the success of cybersecurity training, many businesses fall into the trap of relying on vanity metrics, numbers that look good on the surface but fail to provide meaningful insights into the effectiveness of the training. These might include the number of employees trained, quiz scores, or training completion rates. While these metrics can show that training has taken place, they don’t tell us whether the employees are actually prepared to handle real-world cybersecurity threats.

In this blog post, we will explore the difference between vanity metrics and real impact metrics in the context of cybersecurity training. By focusing on the metrics that truly measure employee behaviour, knowledge retention, and organisational security, businesses can ensure that their cybersecurity training is not only effective but also aligned with long-term security goals. Let’s challenge the notion that numbers alone are enough and dive into what truly reflects the success of cybersecurity training efforts.

What Are Vanity Metrics in Cybersecurity Training?

Vanity metrics are quantitative measures that look impressive but fail to provide actionable insights into the real impact of an effort. In cybersecurity training, vanity metrics might include:

  • The number of employees trained: While this shows that training sessions are being conducted, it doesn’t reflect whether the employees have actually learned or are applying that knowledge.
  • Training completion rates: Similar to the number of employees trained, this metric only shows how many employees have completed a program, without indicating if they understand the material or are better equipped to handle cyber threats.
  • Quiz scores: While high quiz scores can indicate that employees have absorbed some information, they don’t necessarily correlate to real-world changes in behaviour or cybersecurity practices.

While these metrics may seem useful, they fail to answer the critical question: Has the training made a meaningful impact on your organisation's security posture?

The Problem with Vanity Metrics in Cybersecurity Training

Focusing on vanity metrics can give organisations a false sense of security. Training completion rates or quiz scores might make it look like employees are well-prepared to deal with cybersecurity threats, but these metrics do not indicate whether employees are truly adopting secure practices or are capable of identifying and responding to real-world threats.

For example: An employee might pass a training quiz but still fall victim to phishing attacks. This shows that while the training might have been effective in theory, it didn’t translate into practical security skills. If organisations are only tracking vanity metrics, they might miss these key weaknesses, leaving their systems and data exposed.

Real Impact Metrics: What Really Matters?

To truly measure the effectiveness of cybersecurity training, we need to focus on real impact metrics, those that reflect the actual outcomes of training efforts. Here are some key metrics that provide a more accurate picture of how well cybersecurity training is working:

1. Employee Behaviour Change

One of the most important metrics is behaviour change. Are employees taking the lessons they learned and applying them in their day-to-day work? This can be measured through:

  • Reduction in security incidents: If cybersecurity training is effective, the organisation should see a decrease in avoidable incidents caused by human error, such as clicking on phishing links or using weak passwords.
  • Increased use of secure practices: Employees should be actively using secure passwords, following data handling policies, and taking the necessary precautions to protect sensitive information.

Measuring behaviour change requires ongoing observation and analysis. For example: Tracking phishing simulation results over time can show if employees are improving their ability to spot phishing attempts.

2. Reduced Time to Respond to Cyber Threats

Another key metric is how quickly employees and teams can respond to security threats. Effective training equips employees with the knowledge and confidence to act swiftly in the face of a potential security breach. Key metrics to track include:

  • Response time to simulated threats: Running simulated cyberattacks, such as phishing campaigns or simulated malware attacks, can help measure how quickly employees can identify and report threats.
  • Incident response effectiveness: Tracking the effectiveness of incident responses during actual security breaches can also highlight the real-world impact of training.

If employees are better prepared to respond to cyber threats, organisations can mitigate the damage caused by incidents and potentially prevent them altogether.

3. Cybersecurity Knowledge Retention

Knowledge retention is crucial for long-term cybersecurity awareness. If employees forget what they’ve learned, it’s unlikely to have a lasting effect on the organisation’s security posture. To measure retention, organisations can use:

  • Follow-up surveys: Surveys or knowledge checks several months after training can assess whether employees have retained key information.
  • On-the-job application: Observing whether employees continue to apply cybersecurity best practices and incorporate them into their everyday tasks is a good indicator of knowledge retention.

By focusing on retention, organisations ensure that cybersecurity knowledge is not just gained during a training session but sustained over time.

4. Reduction in Security Vulnerabilities

A clear metric of success in cybersecurity training is the reduction of vulnerabilities within the organisation. This can be assessed by tracking:

  • Vulnerability assessments: Conducting regular internal vulnerability assessments before and after training can show how much the company’s security posture has improved.
  • Audit results: Regular security audits, including those that test access control, data protection measures, and employee adherence to security protocols, provide insights into whether training is having a positive impact on the organisation’s overall security.

If training is effective, employees should follow protocols that reduce the number of security vulnerabilities the company faces.

How to Transition from Vanity Metrics to Real Impact

Now that we’ve identified the difference between vanity metrics and real impact metrics, how can organisations make the shift? Here are a few strategies for focusing on the metrics that matter:

1. Establish Clear Security Goals

Before implementing training programs, organisations should define clear security goals and outcomes.

For example: The goal might be to reduce phishing incidents by 30% over six months or to increase the identification of suspicious emails by 50%. Setting these measurable objectives will help determine what success looks like and guide the collection of meaningful data.

2. Continuously Monitor and Improve

Cybersecurity training should not be a one-time event. Instead, it should be an ongoing process that evolves as threats and technologies change. Regularly monitor real impact metrics and adapt training programs based on what works and what doesn’t.

For example: If phishing simulation scores improve but malware response times do not, consider providing additional training on identifying and responding to malware.
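As an added illustration (not code from the original post), the following Python turns the behaviour-change and response-time metrics discussed above into numbers and checks them against the example goals from step 1 (a 30% reduction in phishing incidents, a 50% increase in identification). The round names, field names and per-employee figures are constructed assumptions.

```python
"""Real-impact metrics from phishing simulation rounds (constructed sample data)."""
from statistics import median

# Constructed sample: one dict per employee per simulation round.
# "clicked" = followed the simulated phishing link; "reported_min" = minutes
# until the employee reported the email (None = never reported).
ROUNDS = {
    "2024-Q1 (baseline)": [
        {"clicked": True, "reported_min": None},
        {"clicked": True, "reported_min": None},
        {"clicked": False, "reported_min": 95},
        {"clicked": False, "reported_min": None},
        {"clicked": True, "reported_min": 240},
    ],
    "2024-Q3 (post-training)": [
        {"clicked": False, "reported_min": 12},
        {"clicked": True, "reported_min": 30},
        {"clicked": False, "reported_min": 8},
        {"clicked": False, "reported_min": None},
        {"clicked": False, "reported_min": 20},
    ],
}


def round_metrics(results):
    """Click rate, report rate and median minutes-to-report for one round.
    These are the impact metrics; a completion rate would say nothing here."""
    n = len(results)
    clicks = sum(1 for r in results if r["clicked"])
    times = [r["reported_min"] for r in results if r["reported_min"] is not None]
    return {
        "click_rate": clicks / n,
        "report_rate": len(times) / n,
        "median_report_min": median(times) if times else None,
    }


def progress(baseline, latest, click_goal=0.30, report_goal=0.50):
    """Relative change between two rounds, checked against the goals set up front."""
    b, l = round_metrics(baseline), round_metrics(latest)
    # Guard against a zero baseline so a perfect first round does not divide by zero.
    click_change = (b["click_rate"] - l["click_rate"]) / b["click_rate"] if b["click_rate"] else 0.0
    report_change = (l["report_rate"] - b["report_rate"]) / b["report_rate"] if b["report_rate"] else 0.0
    return {
        "click_reduction": click_change,
        "report_increase": report_change,
        "click_goal_met": click_change >= click_goal,
        "report_goal_met": report_change >= report_goal,
    }
```

Feeding each new simulation round into `progress` against the baseline gives the ongoing monitoring described in step 2, with the goal flags telling you whether the training moved the numbers that matter.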

3. Align Training with Business Objectives

Cybersecurity training should be directly aligned with the business’s overall goals, focusing on protecting data, reducing downtime, and ensuring compliance with industry regulations. By tying training success to business-critical outcomes, companies can see the tangible value of their cybersecurity initiatives and avoid getting distracted by vanity metrics.


Conclusion

Moving beyond vanity metrics and focusing on real impact metrics is essential for improving the effectiveness of cybersecurity training. Relying solely on superficial numbers, such as training completion rates or quiz scores, gives businesses a false sense of security without providing any insight into whether employees are truly equipped to handle actual cyber threats. While these metrics may show that employees have attended training, they fail to demonstrate whether the training has effectively changed behaviour or reduced the organisation’s exposure to risk.

By shifting focus to real impact metrics, businesses can gain a clearer understanding of how their training programs are actually contributing to a more secure environment. Key metrics, such as reduced security incidents, quicker response times to cyber threats, improved knowledge retention, and fewer vulnerabilities, give organisations the actionable data they need to continuously refine their cybersecurity practices and training programs. These insights allow companies to better allocate resources and make informed decisions that can strengthen their cybersecurity posture over time.

It’s also important to recognise that cybersecurity training is not a one-time event but an ongoing process. Cyber threats evolve constantly, and as such, training should evolve to stay relevant. Continual assessment of the effectiveness of training through real-world metrics ensures that organisations remain agile and well-prepared in the face of emerging threats.

A comprehensive approach to cybersecurity training means measuring outcomes that truly matter. By focusing on outcomes such as behaviour change, response times to simulated threats, and the reduction of security vulnerabilities, businesses can move beyond vanity metrics and foster a culture of security. This shift not only improves the immediate effectiveness of the training program but also builds a stronger, more resilient organisation that is better equipped to handle cyber threats in the long run.

Call to Action: Start measuring the true impact of your cybersecurity training today. Shift your focus from vanity metrics to real outcomes, and ensure your business is prepared to face the ever-evolving cyber threats that lie ahead. Make cybersecurity a core part of your company’s culture, and watch your organisation thrive in a more secure digital landscape.
