Gauge your users' security awareness proficiency and measure your overall security culture 

KnowBe4's new scientifically-based assessments help you tailor training to address proficiency gaps and weaknesses, and monitor the impact your security awareness training program has on improving your users' knowledge of and sentiment toward security awareness.

Find out where your users are regarding both security knowledge and security culture to help establish baseline security metrics you can improve over time. Assessments help you to identify users that have a higher proficiency in security in not only knowing the right thing to do but also actually doing the right thing as part of the security culture you’re trying to achieve in your organization. 

You now have the ability to send a skills-based assessment and a security culture survey to your users from your KnowBe4 platform. You can use the assessments and surveys to monitor over time how successfully your security awareness training program increases your users’ security knowledge and their sentiment toward a security-aware culture.

Finally, you have a way to measure what your users know and how much they care when it comes to applying your awareness training, and continue to manage and build a mature security awareness program.

Security Awareness Proficiency Assessment (SAPA)

KnowBe4's Security Awareness Proficiency Assessment (SAPA) is grounded in the latest assessment science research and seeks to assess your users’ susceptibility to cyber attacks, and more specifically, their susceptibility in relation to your organization’s specific cyber security needs.

The assessment is designed to help your organization determine your security awareness training needs by identifying gaps in individual users’ knowledge as well as recommended learning improvements. The assessment provides metrics to improve your users’ security awareness knowledge over time while also helping you tailor and target the right training campaigns across your organization to the right users at the right time.

You can use assessment results to identify high-risk users and deliver targeted training to those users with automatic enrollment through the use of Smart Groups. Your users will be presented with 23 random questions about security awareness from a much larger question bank. This ensures each user’s assessment is unique and that they won't be able to share answers with their coworkers, which would result in inaccurate reporting.

SAPA measures and scores your users across seven knowledge areas, which include:

  • Email Security
  • Incident Reporting
  • Internet Use
  • Mobile Devices
  • Passwords and Authentication
  • Security Awareness
  • Social Media Use

The Security Awareness Proficiency Assessment Methodology:

  • Questions were derived from four research studies with over 100,000 participants.
  • Internal and external validity tests were performed, and revisions made based on the results. (2 rounds, N = 179)
  • The assessment is designed to be administered as a baseline and as an ongoing progress check (using the same assessment). It uses “like” items, randomization, and question banking, which are best-practice assessment techniques, to guard against test/retest validity issues. This means you can send the assessment multiple times a year to track progress and your users will get different questions.
  • The assessment is meant to help direct your training campaigns toward areas in which your organization is weak. The questions are mapped to competencies, which are then mapped to training, so the resulting report will give you training recommendations based on newly discovered spots of weakness in your organization. You can then retest after running a few campaigns and check your employees’ progress in those areas.
  • Scoring and benchmarking are available on an individual, department, organization, and industry basis.

Security Culture Survey (SCS)

Building a strong and positive security culture is an effective mechanism to influence your users’ behavior and thereby reduce your organization’s risk. Security culture can be defined as the ideas, customs and social behaviors that impact the security of your organization.

The Security Culture Survey will help you answer questions like:

  • Does my organization care about security?
  • Which areas of the business are least/most security-minded?
  • Which employees are most risk-averse?
  • How strong or weak is our security culture?
  • In what part of our organization do we need to improve security culture?
  • How effective is our security culture program?

In addition to answering operational questions like those above, the SCS provides you with a KPI for reporting your organization’s security posture to the board. 

The Security Culture Survey measures the sentiments of your users towards security in your organization – the psychological and social aspects that drive social behavior. Specifically, the SCS measures seven dimensions of security culture which include:

  • Attitudes – The feelings and beliefs that employees have toward the security protocols and issues.
  • Behavior – The actions and activities of employees that have direct or indirect impact on the security of the organization.
  • Cognition – The employees’ understanding, knowledge and awareness of security issues and activities.
  • Communication – The quality of communication channels to discuss security-related events, promote a sense of belonging, and provide support for security issues and incident reporting.
  • Compliance – The knowledge of written security policies and the extent that employees follow them.
  • Norms – The knowledge of and adherence to unwritten rules of conduct in the organization, i.e. how security related behaviors are perceived by employees as normal and accepted or unusual and unaccepted.
  • Responsibilities – How employees perceive their role as a critical factor in sustaining or endangering the security of the organization.

The survey helps you measure and manage your security culture by giving you individual and aggregated culture scores that show a precise picture of the security landscape of your users and organization. Further analysis and reporting provide you with insights on which areas need improvement and what to focus on next, with recommended takeaways based on your culture score.

The SCS gives you a research-driven measurement instrument to show you the overall effectiveness of your security culture program and how your security culture improves over time. The SCS measures the seven dimensions of security culture: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities.

Security culture metrics do not measure security awareness training completion rates or phishing assessments. Rather, they serve the purpose of measuring security culture, which can only be adequately measured via a scientific approach. The SCS integrates a scientific method of measuring and a scientific method of prediction to provide evidence-based results that enable you to assess, build, and improve your organization’s security culture.

Security culture metrics allow organizations to assess the true nature of their security culture and its components, and to compare such assessments within an organization across departments/teams and between various organizations, thereby providing a baseline for benchmarking security culture.

The scientific method of prediction is based on advanced statistical algorithms (such as structural equation modeling, multilevel modelling and big data approaches) and allows KnowBe4 to identify correlations between elements of an organization's security culture and employee behavior. As security culture data is gathered over repeat measurements, organizations will be able to leverage the power of this prediction engine to improve the effectiveness of security culture change. 

Security Culture Survey Methodology: 

Measuring culture requires a scientific approach. The development of the metrics used in the SCS followed a strict scientific procedure repeated over time, which allows us to claim that measures are valid and reliable – in other words, that they are measuring what they intend to measure and are valid instruments for obtaining true (or reasonably accurate) information about reality. These steps include:

  • The development of a large initial pool of assessment items
  • Pilot testing
  • Cross validations
  • Validity and reliability testing
  • Repeat testing annually

Items were evaluated for clarity, readability, and social desirability bias by experts trained in survey design and item development. Exploratory and confirmatory factor analytical procedures using the R software package were used to confirm the seven-dimension structure of the security culture concept. Additional analyses were performed to confirm the discriminatory and convergent validity of the security culture concept. Analysis of Cronbach’s alpha (used as an estimate of reliability) on all seven dimensions of security culture proves that the metrics used are internally consistent.

In addition to the important mechanisms described above, several other mechanisms are employed, including:

  • Detection of employees providing the same pattern of answers and their exclusion from the analysis; 
  • Calculation of minimum timings for assessments based on cognitive psychology experiments. Using these minimum timings, “speedsters” were excluded, as it is highly likely that respondents who complete the survey too quickly haven’t read the assessments;
  • Mixing positive and negative statements to check for consistency of assessments;
  • Development of a pilot study, which was conducted on a small sample to correlate assessments with so-called “social desirability items”. Items with significant bias were excluded.
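The response-quality screens listed above, followed by the Cronbach's alpha estimate mentioned in the preceding paragraph, shown as an added Python example (not KnowBe4's or CLTRe's code). The thresholds, item pairing, reverse-coded items and sample responses are assumptions constructed for illustration, and "same pattern of answers" is read here as giving one identical answer to every item.

```python
from statistics import variance

LIKERT_MAX = 5
REVERSED = {1, 3}            # assumed: items 1 and 3 are negatively worded
PAIRS = [(0, 1), (2, 3)]     # assumed: each pair states one idea both ways
MIN_SECONDS_PER_ITEM = 2.0   # assumed threshold; the page gives no value
MAX_PAIR_GAP = 2             # assumed tolerance after reverse-coding

# Constructed sample: (respondent, seconds taken, raw answers on a 1-5 scale)
RESPONSES = [
    ("u1", 40, [5, 1, 4, 2]),
    ("u2", 35, [4, 2, 4, 1]),
    ("u3", 50, [2, 4, 1, 5]),
    ("u4", 38, [3, 3, 3, 3]),   # same answer to every item
    ("u5", 4,  [5, 1, 5, 2]),   # faster than the minimum timing
    ("u6", 45, [5, 5, 1, 2]),   # agrees with a statement and its opposite
    ("u7", 42, [3, 2, 2, 4]),
]

def recode(answers):
    """Reverse-code negative items so a high score always means the same thing."""
    return [LIKERT_MAX + 1 - a if i in REVERSED else a for i, a in enumerate(answers)]

def exclusion_reason(seconds, answers):
    """Return why a response is dropped, or None if it is kept."""
    if len(set(answers)) == 1:
        return "same-answer pattern"
    if seconds < MIN_SECONDS_PER_ITEM * len(answers):
        return "speedster"
    scored = recode(answers)
    if any(abs(scored[a] - scored[b]) > MAX_PAIR_GAP for a, b in PAIRS):
        return "inconsistent"
    return None

def screen(responses):
    """Split responses into kept (recoded) rows and dropped ids with reasons."""
    kept, dropped = {}, {}
    for rid, seconds, answers in responses:
        reason = exclusion_reason(seconds, answers)
        if reason:
            dropped[rid] = reason
        else:
            kept[rid] = recode(answers)
    return kept, dropped

def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum of item variances / variance of total scores)."""
    k = len(rows[0])
    item_vars = sum(variance(col) for col in zip(*rows))
    return k / (k - 1) * (1 - item_vars / variance([sum(r) for r in rows]))
```

Alpha is computed only on the rows that survive screening, since straight-lined or rushed responses would otherwise distort the item variances.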

More information about the scientific approach used to develop and test the Security Culture Survey is available in the research report, "The 7 Dimensions of Security Culture" published by CLTRe (a KnowBe4 company). 
