The only man I know who behaves sensibly is my tailor; he takes my measurements anew each time he sees me. The rest go on with their old measurements and expect me to fit them.
— George Bernard Shaw
What People Say About Our Courses
I have been concerned about computer security, but overwhelmed by the amount of information out there. This course was extremely useful to me and I learned several new things that I can use at work. This course is also the best that I've taken on-line to date. Excellent.
One accurate measurement is worth 1,000 expert opinions. — Admiral Grace Hopper
Take Away — The most important aspects of effective security awareness metrics are:
You can't manage what you can't measure.
Measure what matters.
Would you want your doctor to look at you and say, "I've seen a lot of patients, and you don't look like you have high blood pressure?" or would you rather have the doctor actually measure your blood pressure? With a measurement, you'll know that you either don't have high blood pressure, or you do, and should get treatment. In the same way, it's better to measure the status of your Security Awareness Program than to guess. Measurements help us identify and correct problems. Expert opinions aren't always as accurate.
Experts once insisted that the world was flat. Copernicus' theory that the earth revolved around the sun rocked two thousand years of scientific tradition. He used measurement and mathematics to prove that everyone, including the experts, had it wrong.
In 1952, Walter Cronkite used the UNIVAC 2 computer to predict the outcome of the presidential election. Early in the evening, based on input of the first returns, the computer predicted a landslide for Eisenhower. Walter Cronkite refused to report these results because he did not find them credible. Some people went as far as to suggest that they reprogram the computer to provide a different result. In the end, Eisenhower did win by a landslide, which led some to remark that the problem with computers is people.
This relates to security awareness because security awareness is a "people" problem. The best technical controls are worthless if your insiders aren't making secure behaviors a habit.
Security Awareness and Culture Defined
When we talk about information security awareness, the two basic questions we need to answer about each person who interacts with our information systems or data are:
Would the person recognize a security problem?
Would he or she know what to do about it?
These questions are at the heart of all security awareness initiatives.
Definitions
Awareness is the individual's understanding that security is important and that he or she has a role in securing information and information technology.
Culture is the instinctive behavior of individuals within an organization.
Metrics Are Tools To
Measure progress toward goals
Raise awareness
Show compliance with regulations
Communicate priorities
Aid in decision making
Dr. Gary Hinson has an analogy about security being like the brakes in car. Brakes slow you down, but they also make it possible for you to go much faster.
A good security awareness metrics program is similar to car brakes. It takes time to set the program up, but once you have it established and working well, it can save you time in the long run by making your program more effective.
Metrics aid in decision making. Without a solid metrics program it's difficult to know if what you're doing is effective. You won't know whether to spend more money on doing the same thing, or whether to better use those resources by putting them elsewhere.
As with any tool, it's important to know how to use metrics. Metrics are best used to compare measurements over time to a baseline.
Would you want your doctor to look at you and say, "I've seen a lot of patients, and you don't look like you have high blood pressure?" or would you rather have the doctor actually measure your blood pressure? With a measurement, you'll know that you either don't have high blood pressure, or you do, and should get treatment. In the same way, it's better to measure the status of your Security Awareness Program than to guess. Measurements help us identify and correct problems. Expert opinions aren't always as accurate.
Metrics Are Tools To