Someone's attendance at, or absence from, a security awareness and training session or event is, at best, a rough indication of their involvement and engagement with the awareness and training program, and yet it is often used as a measure, a metric. Why is that?
Clearly, if someone fails to show up at all, they are hardly going to benefit from the sessions ... but a well-rounded awareness and training program will not rely solely on in-person classes, seminars and similar events: it will typically have an intranet site, maybe newsletters, emails, discussion forums, posters and more. Hence it is certainly possible for someone to be engaged with the program and highly security-aware even if they do not attend the events for some reason (e.g. they may be forgetful, too busy doing other stuff, disabled, working night shifts, low on energy, sick or on vacation, antisocial, not keen on that style of learning, unconvinced of the events' value or purpose ...). Nevertheless, nonattendance generally signals a lack of engagement.
In contrast, someone who shows up at every session without fail appears to be highly supportive of the program - but are they really? Or are they just keen to escape the office drudgery, dozing quietly at the back of the class maybe?
Most workers (including the session leaders or trainers!) lie somewhere between those extremes: they attend a proportion of events depending on various factors. It is not unreasonable to assume that most attendees are demonstrating some level of interest in or engagement with the awareness program, their attendance rate across multiple sessions presumably correlating with their interest and engagement levels.
From another perspective, attendance rates at various awareness and training events are indicative of the popularity and perceived value of the sessions ... but again there are several factors at play (e.g. the particular topics being covered, the quality of the venue and catering, the quality of the trainer/leader, the supportiveness of the social environment both in and out of class) in addition to all the reasons why a given worker may or may not attend. Provided the attendance data are sufficiently accurate and representative, trends may indicate the awareness program's success or failure, strengths and weaknesses among the training team, popular or unpopular topics, venues, timing and formats etc.
Another reason for recording and reporting attendance is to demonstrate activity and concern. For various reasons, although busy senior managers may be unable to attend many events themselves, they may be relieved to know the events are being held regularly and are being well attended. They are using attendance as an assurance measure, confirming that the organization's investment in information security awareness and training is achieving something beneficial. Hopefully.
One more reason for using attendance as a metric is that it is cost-effective to collect, relative to other possible metrics in this area: attendees at awareness and training events are simply recorded in some fashion, perhaps signing an attendance register or being counted by someone (perhaps even estimated). The raw data are readily accumulated, analyzed (e.g. to identify trends or proportions) and reported ... which brings up another issue: to whom would the information be reported or presented? Who would want to know attendance levels? When and with what purpose?
Potential audiences include:
- Management: need assurance that the organization's investment in security awareness and training is worthwhile, and is achieving its objectives;
- Information risk and security awareness and training professionals: need data to help invest the organization's resources wisely, develop and deliver the activities most effectively, evaluate and compare various options such as different modes of delivery, trainers, topics and venues, and demonstrate their professionalism;
- Other stakeholders with an interest in the organization's information risk and security status, such as: owners; suppliers, customers and business partners; authorities (such as industry regulators); and compliance certification bodies;
- Human Resources: most are responsible for administering training records, some take a more proactive interest in personal development plans, awareness and training strategies etc.;
- Individual workers: some of us like to track our awareness and training activities along with other personal development, updating our resumes and plans accordingly.
Reporting intervals vary from weekly or monthly up to once every few years, or one-off, depending on audience needs. Reporting formats are equally diverse.
Bottom line: while they have their limitations, awareness and training attendance statistics potentially deserve to be part of the organization's metrics mesh.