For many companies, the problem is that they do not know exactly what the security culture is like in their company. Even though security awareness measures with training for employees are carried out, there is no certainty that the measures target or are effective in the right areas. Actions are based on available knowledge and beliefs but remain “best guesses.”

Our customer is increasingly focusing on the issue of security awareness to protect data and the infrastructure. As a public service provider, the company has the task of guaranteeing the transport service. For this to run smoothly, training actions are needed in the area of information security as well as technical measures. The company decided to use the Security Awareness Radar® to survey employees and thus determine the status of the security culture in the company.

The objectives of the survey were to examine the effectiveness and sustainability of the existing awareness and training measures, to uncover strengths and weaknesses, and to draw conclusions for future measures.

Surveying employees using a standardized questionnaire offers the advantages of quantitative, statistical analysis and the comparability of the results. This enables the company to carry out the same survey at different intervals to determine changes in security awareness over time. The results can also be compared across different organizations and industries, thus enabling an inter-organizational comparison (benchmarking). The measurement is both qualitative and quantitative in nature. Thanks to the repetitions, the quantitative questionnaire allows a comparison of the results in order to identify changes. The evaluation of the open question also makes it possible to obtain qualitative feedback from employees.

Surveys with the Security Awareness Radar® have already been carried out twice with a survey final round pending. Both surveys provided valuable input on the status of information security and the security culture in the company. They showed that the security awareness of the employees had already improved within a year thanks to the training actions.

The first survey provided an initial basis for the security awareness of employees in the company. It indicated areas and issues that needed to be addressed as a priority by the security department. The second survey a year later showed that security awareness had improved and that the measures taken had been fruitful. It also showed in which areas and topics further measures should be promoted to constantly improve the security culture and security awareness.

The comments also showed that information security is seen as a good idea and important by employees. Thanks to increased awareness measures, employees in the second survey expressed the wish to train more often and more regularly on security issues.

The goal of a high-level security culture that is practiced and actively supported by the employees for continuous development and thereby greater security is an ongoing process that will not end after the three surveys. When a goal is reached, a new goal is defined. In this way, further development is always in progress. The hackers don't stand still, so neither does the company in its efforts to constantly improve its "human firewall".

Thanks to the surveys with the Security Awareness Radar®, we were able to determine in which areas and on which topics we need to focus our work. By repeating the survey, we could determine that we were able to increase the security awareness of our employees by 10% within a year thanks to the measures implemented.”

Head of Information Security

‍

“Information security is a never-ending story, and it is almost impossible to do enough. This survey alone shows once again the points concerning information security.”

An employee surveyed with the Security Awareness Radar