Americas

  • United States

Tips for evaluating security training, Part 2

Opinion
Mar 30, 20042 mins
NetworkingSecurity

* Examining the ROI of security training

Measuring ROI is growing in popularity among managers, especially those with a strong background in finance. The ROI methodology for training and education has been developed and applied over the last 20 years and is being used in thousands of impact studies every year.

Measuring ROI is growing in popularity among managers, especially those with a strong background in finance. The ROI methodology for training and education has been developed and applied over the last 20 years and is being used in thousands of impact studies every year.

However, ROI is the most complex and expensive measure of value for any program and should be limited to those programs where the exercise will have an operational effect; that is, no one should undertake an ROI exercise without having a specific goal in mind such as a go/no-go decision or a decision on increase in funding.

Contrary to a common misconception, ROI evaluations are not limited to producing a single number consisting of monetary benefits divided by costs, pointed out Jack Phillips, chairman of the ROI Institute, at the March 2004 Annual Conference of the Federal Information Systems Security Educators’ Association. Phillips argued that the ROI process generates six types of data:

* Reaction, satisfaction and planned actions.

* Learning.

* Application and implementation.

* Business impact.

* Return on investment.

* Intangible measures.

An effective application of the ROI methodology, according to Phillips, can

* Align programs to business needs.

* Show contributions of selected programs.

* Earn the respect of senior management and administrators.

* Build staff morale.

* Justify and defend budgets.

* Improve support for human resources, learning and development.

* Enhance the design and implementation process.

* Identify inefficient programs that need to be redesigned or eliminated.

* Identify successful programs that can be implemented in other areas.

Phillips presented a thoroughgoing evaluation process, which is described in Patricia Phillips’ book entitled _The Bottomline on ROI_.

The ROI Institute runs a closed Web site for its 600 members; visitors are permitted to send e-mail to a contact address for further information.