InfoSec: Performance Appraisals


In this paper, I will explore the numerous aspects of performance appraisals, including their utilization, function, and benefits. I will also describe two different methods of assessment, top-down and bottom-up, and weigh their strengths and weaknesses. Then, I will discuss how performance appraisals can strengthen an organization's security practices, the dangers of not conducting them, and finally, offer several suggestions for creating an appraisal system, enforcing it, and general best practices that supervisors can use to ensure that data is collected properly and ideas are shared during the review.

The utility and use of performance appraisals. Why are performance appraisals important? What function do they serve?

Performance appraisals are a vital function of every supervisor and manager: they assess how a subordinate is doing with regard to duties, responsibilities, and morale, and they provide the means to develop skills further, increase operational performance, and advance the overall goals of the business (Business Balls, n.d.). Because an organization's personnel are its most important asset when it comes to security, ensuring that each employee is meeting the standards set for them and handling their duties adequately is as vital to asset protection as the systems and software we use to protect those assets.

Often, yearly performance reviews and salary increases are tied directly to the performance appraisal that managers carry out. Much as security personnel annually review their software, policies, and regulations, supervisors perform a detailed analysis of the work performed, notable accomplishments, and any areas of concern. With the data accumulated from a performance review, a supervisor can decide with confidence whether the employee should be retained or terminated, whether he or she deserves a promotion, how the employee is doing emotionally, and how to help them identify and hone skills. Performance appraisals are also an excellent method of gathering data during annual reviews; the manager can then use this information to decide whether the employee will receive an increase in pay or requires additional training and motivation to get up to speed. More often than not, it is challenging to know how well an employee is doing in their position, as supervisors have a lot on their plate: fulfilling their own day-to-day tasks and quarterly projects as well as managing their subordinates. Without being told how he or she is performing, an employee has no chance to increase their productivity or skill, or to improve their general attitude in the workplace.

Performance reviews also offer significant benefits to the supervisor. Apart from gauging how successful the employee is, holding a performance review meeting provides the in-person, two-way communication that is so necessary today. With such a large share of workplace activity now taking place on the computer, we are continuously limiting our human interaction with one another. An in-person meeting between an employee and their manager allows critical information and suggestions for improvement to be shared, and strengthens the relationship between the two individuals.

Ideally, performance reviews should be a back-and-forth conversation in which the supervisor's performance is also analyzed and commented on by the subordinate; this bottom-up element is vital in helping supervisors understand how they are viewed and which areas of their skillset need improvement, and in reducing a subordinate's fear of initiating discussion with their supervisor. Each tier in the operational model of an organization needs to work seamlessly with the others, letting creative and analytical conversation flow freely. In infosec, this communication is necessary for finding weak points in login procedures, for balancing increased security measures against ease of access to systems, and for identifying potential security breaches or social problems before they become an issue, such as an employee who recently went through a messy divorce and whose peers are reporting unusual behavior.

While it can be difficult to encourage communication amid our busy lives, enforcing at least an annual performance review provides the means to gather data from both the supervisor and the employees they manage, to help each other grow in their careers, and to hold an open discussion of any issues they are facing. In infosec, the protective systems we build are nothing without a secure mind behind them; for this reason, a supervisor needs to keep a finger on the pulse of the organization's workforce, clearly understanding both the performance and the morale of each employee.

Discuss in detail at least two different types of employee evaluations available to security personnel.

Per McCrie's textbook, Security Operations Management, there are several different methods of performing employee appraisals. The most common form of evaluation is the top-down approach, in which the supervisor reviews the work of their subordinates. As the duty of analyzing staff performance generally falls upon their boss, the top-down approach is both widely used and often beneficial, since a manager deals with the individual every day and knows directly how well they are performing. On the other hand, relying only on the top-down approach has disadvantages: if the manager does not directly supervise the employee, he or she will not be able to gather the necessary data, and because supervisors are often juggling many projects at once, they may not have the time to perform top-down reviews routinely.

Top-down reviews, when performed throughout an organization regardless of tier, allow managers and employees at all levels to understand better what is expected of them, how they are meeting their goals, and what they can do to perform at a higher caliber. For example, even a CTO (chief technology officer) usually reports to a CEO (chief executive officer); in this relationship, a top-down review allows the CEO to give guidance and review the performance of the CTO, who then continues the appraisal method with his or her own subordinates, and so on. By performing top-down reviews, every organizational tier is able to measure its performance and open up discussion when it comes to salary increases or promotions.

Another form of appraisal is the bottom-up approach, in which subordinates evaluate their supervisor. While similar to the top-down approach, the bottom-up method offers a unique perspective on whether mid- and upper-level management is meeting the same level of expectations that it sets for lower-level staff. While the notion of reviewing your supervisors can be intimidating, the practice is vital to the success of the overall organization. The phrase "who will watch the watchmen?" captures the value of governing those who govern and reviewing those who review.

For mid- and upper-level management, numerous areas need analysis and review, such as communication, leadership, planning, motivation, and critical thinking. Given the complexity of supervisory roles, providing the same level of performance review that their subordinates receive is essential if the business is to keep meeting its expectations. Bottom-up analyses offer many advantages: they improve managerial skills, increase transparency toward the people a manager supervises, and give subordinates a voice to raise their concerns, suggestions, and issues.

Like other appraisal methods, the bottom-up approach has disadvantages, although the majority of them exist only when the review is not correctly prepared for and executed. As mentioned before, reviewing those who supervise you can be daunting, leading to inaccurate or inauthentic responses during the meeting for fear of reprisal; to combat this, and to ensure that the material discussed is beneficial for both the manager and those they manage, there needs to be some form of process that protects the subordinate. In some cases, collecting managerial performance reviews anonymously is promising, since subordinates can then speak freely.

Another potential problem with the bottom-up approach arises if the company is accustomed to the top-down method or uses it in conjunction with the bottom-up approach: the amount and quality of the information compiled can diminish, because employees may believe that if they provide a significant amount of highly precise data on their supervisor's performance, their manager will be just as thorough in return. If the bottom-up review is in any way tied to an annual report or to salary or promotion negotiations, the material covered in the employee's appraisal of their manager is likely to be distorted.

How can an organization use the performance appraisal process to encourage better security practices?

Performance appraisals, when properly administered and utilized, can increase security in several ways. By holding an annual review of each infosec staff member, for example, a supervisor can determine who is meeting objectives, who needs further assistance, and even identify possible threats to security, such as a disgruntled employee; by taking the time to talk to the affected individual, you can assess whether they are a security risk and, whether they are or not, potentially help them find solutions to their problems.

Identifying the strengths and weaknesses of each employee, with the goal of placing or training them in different areas, should be not only encouraged but expected. Performance appraisals gather the data necessary for managerial decisions such as resource and manpower allocation, and for developing security policies and procedures further. Through performance appraisals, clearly outlined goals and objectives can be derived from the skill level of employees and from their ability and willingness to take on new projects and responsibilities.

In infosec, proper communication is vital to the continuous hardening of an organization's assets. Without performance reviews, the necessary discussion between subordinates and their managers can be limited. Furthermore, miscommunication needs to be avoided at all costs in infosec; a mistaken belief about which personal devices are allowed in the workplace, for example, can have disastrous consequences. By mandating regular and thorough performance reviews, the entire infosec team can be better aligned on what infosec means, what it does for the company, and, more importantly, what is expected of them.

Performance reviews, when correctly planned and administered, offer extensive benefits to an organization, for subordinates and supervisors alike. Whichever method is used, the process allows for the collection of data on an employee's ability to complete their assigned work, their adaptability to their job's responsibilities, their growth and prospects for promotion or a raise, how well they are communicating with their team, and their morale. In infosec, just as a vulnerability assessment is performed on a firewall, an evaluation must be continuously carried out on the employees who harden information assets, determining who is meeting expectations, who requires assistance, and who might be susceptible to, for example, social engineering attacks because of psychological issues. It is up to all of us to know everything we can about the individuals on our team, as well as those we manage or are managed by.


References

Business Balls. (n.d.). Performance appraisals. Retrieved December 23, 2019, from

Fennelly, L. J. (2017). Effective physical security (5th ed., pp. 67-84). Cambridge, MA: Elsevier.

McCrie, R. Security operations management (3rd ed.). Butterworth-Heinemann.
