Reporting Tools That Help You Tell – and Shape – Your Organization’s Story
End-user understanding and performance specific to your organization will not be found within a preexisting report.
It is necessary to assess the knowledge of end users, and how they will behave when they are exposed to potentially threatening scenarios. It is necessary to address end-user deficiencies. And it is necessary to continuously evaluate progress to increase awareness and preparedness over time — for them and for you.
When considering how you will help prepare your end users to protect the integrity of your organization’s data, networks, and systems, be sure the evaluation of your approach includes a comprehensive look into reporting. If you want to measure ROI, compare results over time, course-correct based on progress, share reports with other stakeholders, and use your data in other meaningful ways, you have to ensure the tools you use gather meaningful data and allow you to organize it in ways that help you learn more about your organization’s risk and apply what you learn to mitigate that risk.
We recommend being able to fulfill the following knowledge capabilities (at minimum). The information fields we note alongside those capabilities are the types of business intelligence features you should seek from your security awareness and training tools:
| Knowledge Capabilities | Information Fields |
|---|---|
| The ability to report on user training to understand what users know and need more help learning | Training assigned to individual users<br>Users who completed or didn’t complete individual assignments<br>Whether individual users pass/fail specific trainings |
| The ability to report on user performance when faced with potential cyberattacks so you can understand risk and areas for improvement | The types of simulated attacks (phishing/smishing/USB) sent to individual users<br>Users who interact with phishing tests:<br>Users who interact with an SMS/text phishing test<br>IP addresses of devices that a test USB drive was plugged into<br>Correlation of user performance to training |
| The ability to report on aggregated data to evaluate effectiveness of training for the population, company-wide preparedness to understand risk, and to justify current and future investments | Comparison views of assessment campaigns, including click rates over time<br>Insights into “repeat offenders” (i.e., those who interact with multiple phishing tests)<br>Identification of questions that were most likely to be answered incorrectly in training assignments, and topics that users struggle with the most<br>Top individual performers and/or best performing departments |