CSO - It's been said that security is hard to measure. Producing measurable results around a lack of problems or incidents is challenging. But the field of security metrics has evolved considerably in recent years, giving security managers more resources to make the case for investing in security programs and technologies.
Now the SANS Institute, through their Securing the Human Program, is offering a set of free metric tools designed to give security leaders the ability to track and measure the impact of their own security awareness programs.
According to Lance Spitzner, training director for the program, the tools can be used to improve training, demonstrate return on investment, or compare an organization's human risk to other organizations in an industry. All resources are free, developed by the community for the community, said Spitzner.
The tools include:
Metrics Matrix -- A spreadsheet that identifies and documents different options for measuring a security awareness program. It includes metrics for both measuring impact (change in behavior) and for tracking compliance.
Measuring Human Risk Survey -- The newest addition to the tools, and still in development, this twenty-five question survey helps determine the human risk in an organization. Each question and each of its possible answers carries a different level of risk. Depending on how employees respond, the answers can be totaled to produce a quantitative value for your human risk.
Phishing Assessments Planning Package -- Phishing assessments are not only a simple and effective way to measure the impact of your awareness program, but a very powerful way to reinforce key training concepts. This package helps you plan, build and implement a successful phishing assessment program step by step, including several templates, said Spitzner.
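As an added illustration of the scoring approach described for the Measuring Human Risk Survey (this is example code, not one of the SANS tools, and the question bank, risk levels and responses are all constructed for the example), one way to total per-answer risk values, normalize them, and see which questions drive a group's risk:

```python
# Constructed question bank (not the actual SANS survey): each answer maps to a
# risk level, where 0 is the lowest risk and 3 the highest.
QUESTIONS = {
    "q1_password_reuse": {"never": 0, "rarely": 1, "sometimes": 2, "always": 3},
    "q2_report_phish": {"always": 0, "usually": 1, "rarely": 2, "never": 3},
    "q3_lock_screen": {"always": 0, "usually": 1, "rarely": 2, "never": 3},
}


def score_response(answers):
    """Total the risk values of one employee's answers and normalize to 0-100."""
    total = 0
    max_total = 0
    per_question = {}
    for qid, choices in QUESTIONS.items():
        if qid not in answers:
            raise ValueError(f"missing answer for {qid}")
        choice = answers[qid]
        if choice not in choices:
            raise ValueError(f"invalid choice {choice!r} for {qid}")
        risk = choices[choice]
        per_question[qid] = risk
        total += risk
        max_total += max(choices.values())  # worst possible answer per question
    return {
        "total": total,
        "max": max_total,
        "normalized": round(100 * total / max_total, 1),
        "per_question": per_question,
    }


def aggregate(responses):
    """Average normalized risk for a group, plus which questions contribute most."""
    scored = [score_response(r) for r in responses]
    avg = sum(s["normalized"] for s in scored) / len(scored)
    drivers = {}
    for s in scored:
        for qid, risk in s["per_question"].items():
            drivers[qid] = drivers.get(qid, 0) + risk
    ranked = sorted(drivers.items(), key=lambda kv: kv[1], reverse=True)
    return {"average_normalized": round(avg, 1), "question_risk_totals": ranked}


# Constructed sample responses from three employees.
SAMPLE = [
    {"q1_password_reuse": "sometimes", "q2_report_phish": "rarely", "q3_lock_screen": "usually"},
    {"q1_password_reuse": "never", "q2_report_phish": "always", "q3_lock_screen": "always"},
    {"q1_password_reuse": "always", "q2_report_phish": "never", "q3_lock_screen": "rarely"},
]
```

The ranked question totals are what an awareness lead would use to decide which behaviors the next training cycle should target.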
CSO spoke with Spitzner about using the metric tools.
CSO: What was the mission in creating these metric-gathering tools?
Spitzner: The tools were developed out of need by the security awareness community. I run a private mail list of about 200 professionals who are all involved in, or lead, the security awareness program for their organization. People post what they are looking for, and then we, as a group, develop resources that help solve that problem.
One of the first challenges we solved was creating the Security Awareness Maturity Model that helps identify how mature your awareness program is and then how you want to build on that. As a group we then developed the Security Awareness Roadmap that explains in detail how to reach each maturity level. There was a repeated request and need for metrics.
CSO: What are the challenges of using security awareness metrics?
Spitzner: As always, there are several challenges with metrics; security awareness metrics are no different. A couple of points to keep in mind:
This is one of the reasons we developed the security awareness metrics matrix; it has a list of over 15 metrics organizations can choose from, depending on which metric has the most value to them.