Assessing training needs
With the continuous risk and threat of cybersecurity incidents in healthcare, many organisations have implemented various security measures, awareness campaigns and training. The current focus lies on the role of the human factor in cybersecurity, meaning that awareness and training programs are seen as the leading solutions for many organisations to address cybersecurity concerns both within and outside of the healthcare sector.
Training programs are implemented to increase knowledge, skills and awareness of staff members. Training has been found to support both staff members in their tasks, prevent cybersecurity incidents from happening, as well as help to create a positive cybersecurity culture (ENISA, 2018; SecureHospitals.eu, 2019). However, training programs can be costly, both financially and timewise. Therefore, before implementing training programs, it should be clear what the actual specific training needs are so the best training program can be selected. This is often done through a Training Needs Assessment, or TNA.
Training Needs Assessment
A Training Needs Assessment is the first step in the process of developing and implementing training programs. TNA’s should be done periodically, in order to contribute to the overall training and educational strategy of staff in an organisation or a professional group (Gould, Kelly, White, & Chidgey, 2004).
A TNA supports a structured identification and analysis of the actual needs to determine which training content and methods are required and will be most effective. There are some variations in what a TNA must include, but most start by defining the business case and a gap analysis. Some plans suggest to already include an overview of participants, while others do not specify the need for this.
The following checklists can support the assessor or assessors in determining whether they have the appropriate information to set up training programs within their organisation (Dausend, 2017; SHRM, 2018).
Business need
Defining the business need provides insight into the needs and goals on an organisational level. It also includes possible internal and external limiting factors that may influence the final outcome of the TNA.
- Is it clear which issue or issues need to be addressed and why?
- Are there clearly defined goals that need to be achieved?
- What are possible external limitations identified?
- What are potential internal limiting factors, such as budget?
Gap analysis
The gap analysis indicates which knowledge and skills are necessary to develop for staff members so that the organisation can reach its goals. In this phase, some specialists suggest it is important to evaluate the best ways to measure the gap, which then becomes useful for an evaluation of training after it has been implemented.
- What knowledge and skills do staff members have and what do they need to have to achieve organisational goals?
- What are good metrics to measure the gap between the current situation and the desired situation?
- Which tools can be used and are best suitable for gap analysis purposes?
Participant analysis
The gap analysis may already show which staff members or groups of staff members may need specific attention. The participant analysis serves as a more in-depth analysis of the potential participants. This influences the costs, location and timeline of the training, so this may be valuable information to include in the final report.
- Which staff members or staff member groups should participate in the training?
- What are specific characteristics and constraints of this group?
- What are specific skills and knowledge gaps for this group?
- How many participants will the training have?
- What learning style is most effective for this group?
- Are the participants centralised on one location or spread over multiple locations?
Training options and methods
After the specific areas for training becomes clear and a target audience is defined, it is possible to already take a look at potential training programs, both internal and external options.
- What are suitable training methods for identified gaps and goals?
- What training is already offered?
- Will the training be conducted internally or externally?
- If internally conducted, is the needed knowledge present internally (on organisational or departmental level)?
- Can the training be held online, in a classroom, or a combination of both?
Evaluation
In order to evaluate whether the training has been successful, it is necessary to determine and define metrics.
- Review the metrics defined as part of the gap analysis, will these be helpful to measure the desired outcomes?
- How will you determine if the program is effective in the long term?
- What are recommended methods for evaluation for the needs that have been established?
- Can the defined metrics be applied in the context of the possible training options?
Assessing training options
Based on the gathered information so far, the assessor or assessors can rate whether training is the optimal solution for the challenge at hand.
- Is training an effective solution to the identified gap, or are there other more suitable options?
- What are the projected costs of training and does the organisation want to invest in this?
- Does the cost of training weigh up against the potential gains?
- Will the training address topics that influence legal compliance, maintain licences and/or certifications?
- Is the time investment manageable both by the organisation and by the training participants?
- Does the training assist the organisation in remaining competitive?
Report training needs and recommend training plans
The findings of each phase have to be presented in a final report that can advise the decision makers.
- Why and how the assessment was done, the methods used and the people involved
- Recommendations for short and long term training plans
- Critical priorities
- Timeline recommendations, including relevant deadlines for legal compliance
- Budget
- Scheduling
Recommendations and points of consideration
- The person to conduct the TNA must know and understand the overall organisation and each department’s goals and priorities.
- A TNA should be done periodically in order to remain up to date.
- The ROI for cybersecurity interventions is difficult to determine. Training can be expensive (but does not have to be), but the potential financial effects of a cybersecurity incident can be costly as well.
Further reading and resources
- What training needs analysis is and how it can benefit your organisation, by Kim Morrison: https://elearningindustry.com/training-needs-analysis-benefit-organization
- ENISA’s CSIRT training material collection : https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material
- ENISA’s Good Practice Guide on Training Methodologies: https://www.enisa.europa.eu/publications/good-practice-guide-on-training-methodologies
Literature