Assessing a training program

The National Institute of Standards and Technology's Special Publication 800-16 recommends four ways to evaluate the effectiveness of a cybersecurity training program.

Level 1: End-of-Course Evaluations (Student Satisfaction). These evaluations obtain instant feedback from students, who use forms to rate the training facility, instructor and presentation method, among other factors.

Level 2: Behavior Objective Testing (Learning and Teaching Effectiveness). This level seeks to measure the degree to which a training activity transfers information to the student — for example, by administering tests before and after the training.

Level 3: Job Transfer Skills (Student Performance Effectiveness). An evaluator polls supervisors 30 days to 60 days after training to see whether employees are meeting the behavioral objectives of the program.

Level 4: Organizational Benefit (Training Program Effectiveness). This level seeks to quantify the value of the resulting security improvements in relation to the cost of the training.