
Using security metrics to measure human awareness

Free tools offer security practitioners a way to measure the effectiveness of awareness programs

By Joan Goodchild, CSO
October 16, 2012 04:24 PM ET

It's been said that security is hard to measure: producing measurable results about the absence of problems or incidents is challenging. But the field of security metrics has evolved considerably in recent years, giving security managers more resources to make the case for investing in security programs and technologies.

Now the SANS Institute, through its Securing the Human program, is offering a set of free metrics tools designed to give security leaders the ability to track and measure the impact of their own security awareness programs.


According to Lance Spitzner, training director for the program, the tools can be used to improve training, demonstrate return on investment, or compare an organization's human risk to other organizations in an industry. All resources are free, developed by the community for the community, said Spitzner.

The tools include:

Metrics Matrix -- A spreadsheet that identifies and documents different options for measuring a security awareness program. It includes metrics for both measuring impact (change in behavior) and for tracking compliance.

Measuring Human Risk Survey -- The newest addition to the toolset, and still in development, this twenty-five-question survey helps determine the human risk in an organization. Each question and each of its possible answers carry a different level of risk. Depending on how employees respond, the answers can be totaled to produce a quantitative value for your human risk.

Phishing Assessments Planning Package -- Phishing assessments are not only a simple and effective way to measure the impact of your awareness program, but a very powerful way to reinforce key training concepts. This package helps you plan, build and implement a successful phishing assessment program step by step, and includes several templates, said Spitzner.
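The two tools above both turn raw observations into a number: the survey totals risk points across answers, and a phishing assessment program compares behavior across campaigns. The following Python is an added illustration of that scoring, not code from SANS or from the Securing the Human program; the survey questions, answer weights, risk bands and campaign counts are all constructed for the example, since the page does not reproduce the real survey.

```python
from statistics import mean

# Constructed example survey (hypothetical questions and weights; the real
# SANS survey questions are not reproduced on the page). Each question maps
# every allowed answer to the risk points it carries, which is how the
# article describes the survey: different answers carry different risk.
SURVEY = {
    "reuse_password":          {"never": 0, "sometimes": 2, "always": 4},
    "report_suspicious_email": {"always": 0, "sometimes": 2, "never": 4},
    "lock_screen":             {"always": 0, "sometimes": 1, "never": 3},
}

# Worst possible total: every question answered with its riskiest option.
MAX_POINTS = sum(max(answers.values()) for answers in SURVEY.values())


def score_response(response):
    """Total the risk points for one employee's answers.

    A question left unanswered is scored at its maximum risk (a conservative
    choice made for this example, not something the article prescribes). An
    answer that is not one of the question's options is rejected rather than
    silently scored, so inconsistent data cannot skew the metric.
    """
    total = 0
    for question, answers in SURVEY.items():
        if question not in response:
            total += max(answers.values())
            continue
        answer = response[question]
        if answer not in answers:
            raise ValueError(f"{question!r}: unknown answer {answer!r}")
        total += answers[answer]
    return total


def risk_band(pct):
    """Map a 0-100 risk percentage to a coarse band (thresholds are constructed)."""
    if pct < 25:
        return "low"
    if pct < 50:
        return "moderate"
    if pct < 75:
        return "elevated"
    return "high"


def organisation_risk(responses):
    """Aggregate individual scores into one organisation-level human-risk value."""
    scores = [score_response(r) for r in responses]
    avg = mean(scores)
    pct = round(100 * avg / MAX_POINTS, 1)
    return {"responses": len(scores), "mean_score": avg,
            "risk_pct": pct, "band": risk_band(pct)}


def phishing_metrics(campaign):
    """Click rate and report rate for one assessment campaign (counts in, rates out)."""
    sent = campaign["sent"]
    return {"click_rate": round(campaign["clicked"] / sent, 3),
            "report_rate": round(campaign["reported"] / sent, 3)}


def behaviour_change(before, after):
    """Change between two campaigns: a falling click rate and a rising report
    rate are the direction an awareness program is trying to move people."""
    b, a = phishing_metrics(before), phishing_metrics(after)
    return {k: round(a[k] - b[k], 3) for k in b}


# Constructed sample data: three survey responses and two phishing campaigns.
SAMPLE_RESPONSES = [
    {"reuse_password": "never", "report_suspicious_email": "always", "lock_screen": "always"},
    {"reuse_password": "sometimes", "report_suspicious_email": "sometimes", "lock_screen": "never"},
    {"reuse_password": "always", "report_suspicious_email": "never"},  # lock_screen unanswered
]
CAMPAIGN_Q1 = {"sent": 200, "clicked": 50, "reported": 20}
CAMPAIGN_Q2 = {"sent": 200, "clicked": 30, "reported": 60}

if __name__ == "__main__":
    print(organisation_risk(SAMPLE_RESPONSES))
    print(phishing_metrics(CAMPAIGN_Q1), phishing_metrics(CAMPAIGN_Q2))
    print(behaviour_change(CAMPAIGN_Q1, CAMPAIGN_Q2))
```

Two design points match the challenges Spitzner raises later in the interview: the scoring is deterministic, so two people running it over the same answers get the same number (consistency), and the phishing output is expressed as a change between campaigns, which is something a program owner can act on, unlike a standalone percentage.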

CSO spoke with Spitzner about using the metrics tools.

CSO: What was the mission in creating these metric-gathering tools?

Spitzner: The tools were developed out of need by the security awareness community. I run a private mail list of about 200 professionals who are all involved in, or lead, the security awareness program for their organization. People post what they are looking for, and then we, as a group, develop resources that help solve that problem.

One of the first challenges we solved was creating the Security Awareness Maturity Model that helps identify how mature your awareness program is and then how you want to build on that. As a group we then developed the Security Awareness Roadmap that explains in detail how to reach each maturity level. There was a repeated request and need for metrics.

CSO: What are the challenges of using security awareness metrics?

Spitzner: As always, there are several challenges with metrics, and security awareness metrics are no different. A couple of points to keep in mind:

  • Ultimately, metrics are a tool used to measure the effectiveness of your security awareness program and how to improve it. Sometimes organizations get so caught up in their metrics that the metrics become more important than the program itself, and they forget what their ultimate goal is. As such, the best approach is to focus only on a few, very good metrics.
  • Unfortunately, good metrics are hard. They have to be easy to measure (preferably automated), they have to be measured consistently (in other words, even if different people measure, they get the same result) and they have to be something you can take action on. A classic example of a bad metric is the top ten most infected countries. What value does that metric have? What action are you supposed to take based on that?

This is one of the reasons we developed the security awareness metrics matrix; it has a list of over 15 metrics organizations can choose from, depending on which metric has the most value to them.
