How to Create a Data-Driven Security Awareness Campaign and Measure Impact

Develop a robust security awareness program by proactively identifying trends in incidents and emerging threats. [Adobe Images]

Addressing user behavior is key to managing human risk in security. Here are four steps to create an effective security awareness program.

As today’s digital landscape continues to evolve, a robust cybersecurity program must address not only technical controls, but also human risk. According to Verizon’s 2024 Data Breach Investigations Report, 68% of breaches involved a nonmalicious human element, such as social engineering attacks or simple human error. Recognizing this risk, Salesforce’s Security Awareness team uses data-driven programming to educate employees and prepare them for emerging threats.

In August 2024, I had the honor of presenting at the SANS Managing Human Risk Summit, where I shared insights on how organizations can use data-driven security awareness programs to influence behavior change and enhance their security. This blog will delve deeper into these topics and explore how Salesforce’s Security Awareness team implements these strategies to uphold our #1 value of Trust.

Why are data-driven security awareness programs important?

Keeping our customers’ data secure is intrinsically linked to keeping our employees’ data secure. With over 72,000 employees globally, Salesforce encompasses a wide array of roles and responsibilities, each with its own set of risky behaviors. While companywide security awareness campaigns are invaluable, they can fall short in addressing the nuanced and varied nature of each employee audience. By using data-driven insights, Salesforce tailors training and messaging to the specific risks and behaviors of different employee groups, enhancing their ability to recognize and report potential threats.

This approach offers several advantages. Employees are more likely to engage with and retain information that’s directly relevant to their roles and responsibilities, making them better prepared for attacks specific to their functions. In addition, from a data analyst’s perspective, measuring the effectiveness of a targeted campaign can be easier due to its smaller scale. Implementing data-driven processes also lets companies refine and improve future campaigns, enhancing their effectiveness over time. To stay ahead of top threats, Salesforce uses the SANS Security Awareness Maturity Model as a benchmarking tool to continually evolve and mature our program. We integrate data from the beginning to the end of our targeted campaigns to support and maintain the levels of cultural change and metrics framework in the model.

How Salesforce creates a security awareness program

Building a trust-first culture is a team effort. Salesforce’s Security Awareness team partners with Salesforce Incident Response, Threat Intelligence, and other teams within the security organization to identify incident-related trends and emerging threats. 

Step 1: Build a data analysis framework

As part of our data analysis framework, we evaluate incident, behavioral, and employee attribution data to help determine which groups are at the highest risk. To maintain employee privacy, we use only aggregate data to develop our targeted campaigns. We then integrate this data into a human risk measurement based on user negligence incidents to understand the highest priority risks. This approach provides us with the topic, audience, and data needed to develop targeted education and messaging.

Step 2: Focus on influencing behavior change

Building a culture of trust at Salesforce requires changing risky behaviors. Our team draws inspiration from Salesforce’s LEVERS framework for creating change, which encompasses Leadership, Ecosystem, Values, Enablement, Rewards, and Structures. This framework was developed by Salesforce’s change management team. While it’s often seen as beneficial for sales teams, our team uses the framework in our own campaigns as a way to influence behavior change. Salesforce researchers found that successful change is ten times more likely when four or more levers are employed. Therefore, we use multiple channels for education and messaging to engage as many of these levers as possible.

Step 3: Educate with targeted messaging

What does this look like in action? For a targeted group, we might lead an event or workshop for leadership that equips them to pass down specific messaging to their teams. We also partner with Communications and other teams outside the security organization to deliver targeted messaging that meets employees where they are by using existing communication ecosystems. For example, we might share content in messaging channels relevant to targeted groups. In addition, our security awareness training aligns with organizational values, such as our #1 value of Trust, while providing tools and enablement to set teams up for success. 

Trailhead, Salesforce’s online learning platform, is an excellent resource for this because it integrates rewards into the learning process by providing virtual badges to learners after they complete a course.

Our education and messaging reference structures, policies, and documentation that employees can refer to for more information. Using different methods of communication not only lets us address various learning styles but also engage as many of these levers as possible in one campaign. This sets the stage to influence behaviors in high-risk groups.

Step 4: Track campaign effectiveness with data

As mentioned previously, data is integrated into our campaigns from beginning to end. In addition to providing rationale and establishing the basis of our campaign, we use the same data to track its effectiveness. One way to do this is by tracking campaign actions over time and observing any changes in the number of incidents addressed by the campaign. The goal is to observe a decrease in targeted incidents as the campaign progresses. Our team can quantitatively communicate the value of our program to stakeholders by showing this reduction through a simple line graph.

Hypothetical example of a line graph depicting a drop in security incidents after campaign actions are taken.

Even if there isn’t a decrease in incidents over time, this type of graph helps us understand where to revisit or shift our campaign strategy by examining specific points in time. For example, we might find a drop in incidents after certain types of campaign actions, such as in-person workshops. Using a visualization like this helps us show programmatic impact to leadership and stakeholders, and provides a metrics-based framework for us to continually evolve our campaign strategy.
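As an added illustration of Steps 1 and 4 (example code, not Salesforce's own tooling or data): constructed incident records are aggregated per employee group, groups too small to report safely are suppressed so only aggregates leave the script, the group with the highest rate becomes the campaign audience, and incident counts are compared in the windows before and after a campaign action. The group names, headcounts, categories, action date and 30-day window are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample incident records: (date, employee group, incident category).
# In practice these would come from incident-response tooling; only aggregates are output.
INCIDENTS = [
    (date(2024, 1, 17), "sales",       "phishing_click"),
    (date(2024, 1, 23), "sales",       "data_mishandling"),
    (date(2024, 1, 25), "sales",       "phishing_click"),
    (date(2024, 2, 4),  "sales",       "phishing_click"),
    (date(2024, 2, 8),  "sales",       "phishing_click"),
    (date(2024, 2, 20), "sales",       "phishing_click"),
    (date(2024, 3, 25), "sales",       "phishing_click"),
    (date(2024, 1, 12), "engineering", "phishing_click"),
    (date(2024, 2, 15), "engineering", "data_mishandling"),
    (date(2024, 3, 2),  "finance",     "phishing_click"),
]
HEADCOUNT = {"sales": 40, "engineering": 60, "finance": 4}  # constructed group sizes
MIN_GROUP_SIZE = 5            # smaller groups are suppressed to keep output aggregate-only
CAMPAIGN_ACTION = date(2024, 2, 10)  # assumed date of a campaign action (e.g. a workshop)

def risk_by_group(incidents, headcount, category):
    """Incidents of one category per 100 employees, by group; small groups suppressed."""
    counts = Counter(g for _, g, c in incidents if c == category)
    return {g: round(100 * counts[g] / n, 2)
            for g, n in headcount.items() if n >= MIN_GROUP_SIZE}

def highest_risk_group(incidents, headcount, category):
    """The audience for a targeted campaign: the reportable group with the highest rate."""
    rates = risk_by_group(incidents, headcount, category)
    return max(rates, key=rates.get)

def monthly_counts(incidents, group, category):
    """(year, month) -> incident count: the series behind the line graph."""
    series = defaultdict(int)
    for d, g, c in incidents:
        if g == group and c == category:
            series[(d.year, d.month)] += 1
    return dict(sorted(series.items()))

def campaign_effect(incidents, group, category, action_date, window_days=30):
    """Targeted incidents in the window before vs. after a campaign action."""
    before = sum(1 for d, g, c in incidents if g == group and c == category
                 and 0 < (action_date - d).days <= window_days)
    after = sum(1 for d, g, c in incidents if g == group and c == category
                and 0 <= (d - action_date).days < window_days)
    return {"before": before, "after": after, "change": after - before}
```

A flat or rising "change" value at a given action date is the signal, described above, to revisit that part of the campaign rather than evidence the program failed.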

Takeaways

Implementing a targeted approach to security awareness and training at Salesforce has proven to be highly effective in addressing the nuanced and varied nature of human risk. Building a culture of trust and security at Salesforce requires comprehensive, data-driven programming that integrates targeted education, continuous data analysis, and effective communication strategies. Using these methods helps us enhance our employees’ security and foster a more aware and resilient workforce. In doing so, we keep security top of mind for our employees, which translates to security for our customers. As we continue to evolve our programs, we remain committed to staying ahead of emerging threats and ensuring the safety of both our employees and customers.

Interested in learning about the role of a specialist on Salesforce’s Security Awareness team? Take this Trail to learn more about the role and its responsibilities.
