One accurate measurement is worth 1,000 expert opinions. — Admiral Grace Hopper
Take Away — The most important aspects of effective security awareness metrics are:
Would you want your doctor to look at you and say, "I've seen a lot of patients, and you don't look like you have high blood pressure," or would you rather have the doctor actually measure your blood pressure? With a measurement, you'll know that you either don't have high blood pressure, or you do and should get treatment. In the same way, it's better to measure the status of your Security Awareness Program than to guess. Measurements help us identify and correct problems. Expert opinions aren't always as accurate.
For nearly two thousand years the experts insisted that the sun revolved around the earth. Copernicus' theory that the earth revolved around the sun overturned that scientific tradition. He used observation and mathematics to show that everyone, including the experts, had it wrong.
In 1952, CBS and Walter Cronkite used the UNIVAC I computer to predict the outcome of the presidential election. Early in the evening, based on input of the first returns, the computer predicted a landslide for Eisenhower. The network refused to report these results because it did not find them credible. Some people went as far as to suggest that they reprogram the computer to provide a different result. In the end, Eisenhower did win by a landslide, which led some to remark that the problem with computers is people.
This relates to security awareness because security awareness is a "people" problem. The best technical controls are worthless if your insiders aren't making secure behaviors a habit.
When we talk about information security awareness, the two basic questions we need to answer about each person who interacts with our information systems or data are:
These questions are at the heart of all security awareness initiatives.
Awareness is the individual's understanding that security is important and that he or she has a role in securing information and information technology.
Culture is the instinctive behavior of individuals within an organization.
Dr. Gary Hinson has an analogy about security being like the brakes in a car. Brakes slow you down, but they also make it possible for you to go much faster.
A good security awareness metrics program is similar to car brakes. It takes time to set the program up, but once you have it established and working well, it can save you time in the long run by making your program more effective.
Metrics aid in decision making. Without a solid metrics program it's difficult to know if what you're doing is effective. You won't know whether to spend more money on doing the same thing, or whether to better use those resources by putting them elsewhere.
As with any tool, it's important to know how to use metrics. Metrics are best used to compare measurements over time to a baseline.
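The comparison described above, as an added example that is not part of the original article: a baseline is established from the first few periods of a metric, and each later measurement is classified as improved, stable or regressed relative to that baseline. The metric, monthly click rate from simulated phishing campaigns, the sample figures, and the "one standard deviation" tolerance are all assumptions made for illustration; a real program would pick its own metric and tolerance.

```python
from statistics import mean, pstdev

# Constructed sample input (illustrative, not data from the article):
# fraction of recipients who clicked in each month's simulated phishing campaign.
# The first three months are treated as the baseline period.
CLICK_RATE_BY_MONTH = [
    ("2023-01", 0.24), ("2023-02", 0.22), ("2023-03", 0.25),  # baseline period
    ("2023-04", 0.23), ("2023-05", 0.18), ("2023-06", 0.30),
    ("2023-07", 0.12),
]


def baseline(values, periods=3):
    """Return (mean, population std-dev) of the first `periods` measurements."""
    if len(values) < periods:
        raise ValueError("not enough measurements to establish a baseline")
    window = values[:periods]
    return mean(window), pstdev(window)


def compare_to_baseline(series, periods=3, tolerance=1.0):
    """Classify each post-baseline measurement against the baseline.

    Lower is better for a click rate, so a value more than `tolerance`
    standard deviations below the baseline mean is 'improved', more than
    `tolerance` above it is 'regressed', and anything in between is 'stable'.
    The tolerance of one standard deviation is an assumed threshold.
    Returns a list of (label, value, verdict) tuples.
    """
    values = [v for _, v in series]
    base_mean, base_sd = baseline(values, periods)
    results = []
    for label, value in series[periods:]:
        delta = value - base_mean
        if base_sd == 0:
            # A flat baseline has no spread; any change is significant.
            verdict = "stable" if delta == 0 else ("improved" if delta < 0 else "regressed")
        elif delta < -tolerance * base_sd:
            verdict = "improved"
        elif delta > tolerance * base_sd:
            verdict = "regressed"
        else:
            verdict = "stable"
        results.append((label, value, verdict))
    return results


if __name__ == "__main__":
    base_mean, base_sd = baseline([v for _, v in CLICK_RATE_BY_MONTH])
    print(f"baseline: mean={base_mean:.3f} sd={base_sd:.3f}")
    for label, value, verdict in compare_to_baseline(CLICK_RATE_BY_MONTH):
        print(f"{label}: {value:.2f} -> {verdict}")
```

The point of the baseline is that a single month's number means little on its own; the verdicts only become meaningful once the same measurement has been taken the same way over several periods, so keep the collection method fixed while the baseline is being established.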
Security Awareness Metrics: Measure What Matters
Article by K Rudolph, CISSP © Native Intelligence, Inc. All rights reserved.