6 Critical Factors for Evaluating Your Employees’ Knowledge of Cyber-Threats

A security awareness training program is only as good as the level of knowledge retention it creates. You need to run cyber knowledge assessments to test your workforce's knowledge both before and after training, to gauge how successful your training efforts have been.

There is a real art to designing good assessments, so Cyber Risk Aware wanted to share a few tips for making tests which are as effective as the rest of your training.

Six Ways to Design Better Cyber Knowledge Assessments

1. Avoid the stereotypical multiple-choice answer pattern.

How many times have you seen multiple-choice tests laid out with this format?

  • A - An obviously wrong answer.
  • B - A wrong answer with some right elements.
  • C - The right answer.
  • D - A joke answer.

Don't do this. Workers have been seeing this pattern since their school days, and many are smart enough to pick the right answer through pure deduction - and then immediately forget it. Your cyber-security tests should be legitimately challenging.

2. Include some open-ended questions.

Even if you have a good multiple-choice design, try not to rely entirely on ABCD tests. Have a few open-ended questions where workers must explain, in detail, how they'd respond to specific challenges. Such questions take longer to grade but give much better insight into their thought processes.

3. Don't only quiz workers on materials recently presented.

It's all too common for eLearning to fall into the pattern of "Watch the video, answer questions, watch the video, answer questions." This does not properly reinforce the learning, and it encourages a very short-term attitude to knowledge acquisition. Design your tests to ask questions about other training or policy material from previous days or weeks, to test workers' longer-term retention.

4. Incorporate a timer.

It's all well and good that your workforce is capable of Googling questions, or looking up answers in their employee handbook - but how do they perform under pressure? After all, if they're staring at an email or, worse, have a scammer on the phone, they probably aren't going to look things up. They're going to be relying on their instincts.

So, put a timer on your cyber knowledge assessments. You'll add pressure to their experience and gain vital additional data on your training's effectiveness. The faster they reach the correct answer, the better.

5. Track your own results.

Big data isn't just for business analysis! Utilize eLearning and test-taking software that allows you to capture data on test results at a granular level. This isn't only about testing your employees' knowledge - it's also about helping you create better training materials and better tests.

6. Back up your tests with real-world simulations.

Finally, go beyond quizzing to check for knowledge retention. Use more advanced techniques like simulated phishing attacks to really find out who was paying attention. If they can demonstrate their knowledge in a real-world situation, they have truly passed the test.

