Awareness Guide: Conducting An Awareness Survey
Security Awareness Campaign Guide: Section 3E
Establishing Your Baseline: The Baseline Awareness Survey.
One of the last tools you'll use in establishing your baseline is the initial awareness survey. This survey will ask a few basic questions to get an idea of how much your audience knows – at least at a high level – about your information security program.
Conducting surveys is as much an art as it is a science. You'll find lots of different advice on conducting surveys if you do a little research on your own. Here are just a few tips to help get the ball rolling:
- Know who your audience is. The kinds of questions you ask and the language you use will vary depending on who your audience is. If there are several different audiences (with very different roles) that you are trying to reach all at once, it may be a good idea to create alternate versions of your survey for each group, or at least create separate instances of the survey that you send out. Then, when you compile your responses, you can more clearly identify which group each set of responses came from.
- Have a very clear idea of what it is that you are trying to measure. Since this is a baseline awareness survey, and awareness is about behavior – think a bit about the kind of behaviors you are trying to observe and ask if a survey is really the right tool for the job. Even if it is, know what it is you plan to measure, how you plan to measure it, and what you plan to do with the data once you’ve gathered your results. These steps may have a significant impact on the kinds of questions you ask.
- Come up with 3 to 5 simple, high-level questions that will give you the best overall picture of where things stand in your enterprise. You really don't want to make your survey much longer than that – and for good reason. People are busy – and whenever the average employee sees a survey in his or her in-box, it’s often dropped altogether, or added to the very bottom of the priority list. If you keep it short and sweet, you’re likely to get a better response rate.
- Use simple words to ask your questions, and even easier ones in your answer options. The questions you ask must be absolutely clear, jargon free, and free of any ambiguity. Get straight to the point with whatever it is you want to ask, and use the fewest words possible to effectively communicate what you want. When you think you’ve got all your questions and answers ready to go, ask a few colleagues who aren't security professionals what they think – this will get you some valuable feedback.
- If you intend to include a range of answers for a specific question, be sure to limit that range to no more than 3 to 5 options. Whether this is ‘yes, no, maybe’, ‘1, 2, 3’, or ‘excellent, good, mediocre, poor, laughable’ it doesn’t really matter. Just keep the range small – and make sure that you clearly explain what each option means using a scale that can be applied consistently throughout the survey. You can also use ‘true/false’ questions or ‘free response’ questions but be aware that T/F questions are only marginally useful for surveys, and free response answers can be harder to quantify.
- For surveys like this one, it’s a good idea to go ahead and make it an anonymous survey. You really don’t need much information about the individuals involved in order to get a good read on the overall sense of security within the company. This may change a bit depending on what you are trying to measure though. In some cases, knowing who the people are, or at least what their job roles are, can be extremely informative. In either case, add a field where people can self-identify or provide additional identification information if they want to.
- When you are getting ready to send out your survey, be sure to attach a short and simple message that explains what the survey is for, how long it is, and how long it will take to complete. This is where ‘shorter is better’ will likely yield a greater number of responses. Just as with the questions and answers you are including in the survey, keep this message absolutely clear, jargon free, and free of any ambiguity.
- Always have a clearly defined end date, usually within 3 to 5 business days, at which time the survey is closed to further responses. Most people who are going to complete the survey will do it within a day or two anyway. Having a lingering date out there is not going to fetch you many additional responses – so be clear what the deadline is in your communications, and wrap things up promptly when that point is reached. Be ready to send out a reminder as the last day for responding gets closer.
There are a number of other steps that you can take, but as I mentioned – a little Google research will likely turn up a plethora of recommendations on conducting surveys.
Later on down the road I’ll offer a couple of sample surveys that can be used to conduct your baseline survey. This should help you get started though…