For a high-impact security awareness program to be effective, you need the ability to measure it. Security awareness metrics are something I have written about in the past. To help centralize your security awareness metrics planning, I have created a metrics checklist. This matrix breaks awareness metrics down into two categories: those that measure the deployment of your program and those that measure the impact of your program. By deployment I mean things like who has taken the training or the different types of materials used, metrics important to auditors. By impact I mean measuring behavior change, metrics important to your
Security Awareness Metrics Checklist
How to Effectively Reward Secure Behaviors
One of the challenges with creating a high-impact security awareness program is how to reward good behavior. Obviously enforcement is important to any awareness program, but at some point we need to combine it with positive reinforcement. However, this is not as simple as it seems; it turns out rewarding good behavior can have bad results.
For example, let's say you want to promote the reporting of incidents. You educate your employees on the indicators of compromise and how to report them to your security team. To promote this, you decide you will give a free lunch to anyone who detects an infected computer. While at first this sounds good, in two weeks you will most likely have every employee surfing
...
Creating a security awareness program for compliance is simple. Creating an active, long-term and engaging security awareness program that has an impact is hard. To help you and your organization with your security awareness program, I updated the SANS Securing The Human Deployment Kit. This package has been completely updated with over 15 documents to help you build a high-impact security awareness program, including an example stakeholder matrix, security awareness survey, policy template, marketing and communication templates, and an execution plan and checklist. Many of these materials are based on
Creating a security awareness program so you are compliant is easy. Creating a security awareness program that changes behaviors and has an impact is hard. One of the challenges is: how do you know when you are having an impact? Here are some metrics I've noticed. You know you are having an impact when ...
- You send out your monthly phishing assessment, and you get more emails from people asking if this is an assessment (i.e. they spotted the attack) than you do people actually falling victim.
- Employees get a real social engineering attack on the phone ("Hi, this is tech support from Microsoft") and not only do your employees immediately figure out that it is an attack and report
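The first indicator above (reporters outnumbering victims in the monthly phishing assessment) is easy to track if the assessment results are recorded per employee. The script below is an added example, not code from the post or from SANS: it takes constructed per-employee results for two hypothetical assessment months, computes a deployment metric (how many people received the assessment) alongside impact metrics (click rate, report rate, minutes until the first report, and whether reports outnumbered clicks), and formats them for a stakeholder update. The `PhishResult` record, the employee ids and all the sample numbers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PhishResult:
    """One employee's outcome in one monthly phishing assessment (hypothetical record)."""
    month: str                                # e.g. "2013-01"
    employee: str                             # hypothetical employee id
    clicked: bool                             # followed the simulated phishing link
    reported: bool                            # asked "is this a test?" or reported it to security
    minutes_to_report: Optional[int] = None   # elapsed time to the report, None if never reported


# Constructed sample data for two assessment months; not real campaign results.
SAMPLE_RESULTS: List[PhishResult] = [
    # Month 1: most people click, one person reports -> no impact yet
    PhishResult("2013-01", "e001", clicked=True,  reported=False),
    PhishResult("2013-01", "e002", clicked=True,  reported=False),
    PhishResult("2013-01", "e003", clicked=True,  reported=True, minutes_to_report=240),
    PhishResult("2013-01", "e004", clicked=False, reported=False),
    PhishResult("2013-01", "e005", clicked=False, reported=False),
    # Month 2: reports outnumber clicks -> the indicator described in the post
    PhishResult("2013-02", "e001", clicked=False, reported=True, minutes_to_report=12),
    PhishResult("2013-02", "e002", clicked=True,  reported=False),
    PhishResult("2013-02", "e003", clicked=False, reported=True, minutes_to_report=5),
    PhishResult("2013-02", "e004", clicked=False, reported=True, minutes_to_report=47),
    PhishResult("2013-02", "e005", clicked=False, reported=False),
]


def campaign_metrics(results: List[PhishResult]) -> Dict[str, dict]:
    """Per-month metrics for a phishing assessment.

    Deployment metric: "sent" (how many employees received the assessment).
    Impact metrics: click rate, report rate, minutes until the first report
    (how quickly the security team would hear about a real attack) and
    "having_impact", the indicator from the post: more reporters than victims.
    """
    by_month: Dict[str, List[PhishResult]] = {}
    for r in results:
        by_month.setdefault(r.month, []).append(r)

    metrics: Dict[str, dict] = {}
    for month in sorted(by_month):
        rows = by_month[month]
        sent = len(rows)
        clicked = sum(1 for r in rows if r.clicked)
        reported = sum(1 for r in rows if r.reported)
        # Only reporters with a recorded time count toward time-to-first-report.
        report_times = [r.minutes_to_report for r in rows
                        if r.reported and r.minutes_to_report is not None]
        metrics[month] = {
            "sent": sent,
            "clicked": clicked,
            "reported": reported,
            "click_rate": round(clicked / sent, 3),
            "report_rate": round(reported / sent, 3),
            "minutes_to_first_report": min(report_times) if report_times else None,
            "having_impact": reported > clicked,
        }
    return metrics


def summarize(metrics: Dict[str, dict]) -> List[str]:
    """One human-readable line per month, suitable for a stakeholder update."""
    lines = []
    for month, m in metrics.items():
        first = m["minutes_to_first_report"]
        first_txt = f"{first} min" if first is not None else "no report"
        status = "IMPACT" if m["having_impact"] else "no impact yet"
        lines.append(
            f"{month}: sent={m['sent']} click_rate={m['click_rate']:.0%} "
            f"report_rate={m['report_rate']:.0%} first_report={first_txt} [{status}]"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(campaign_metrics(SAMPLE_RESULTS)):
        print(line)
```

Tracking `minutes_to_first_report` alongside the ratio matters in practice: the ratio says whether people recognize the attack, the time says how long a real phish would run unnoticed before anyone told the security team.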
Gamifying Security Awareness
One of the challenges we have with security awareness is that, when it comes down to it, awareness training and education can become boring over time. Yes, there are steps you can take to make it exciting, and there are many things you can do to make training sexier, but how often do you have employees bragging about how good their security behaviors are? Or how often do you have employees researching on their own how they could be more secure? While that is not happening for most organizations, it is something gamification could possibly change.
Gamification (as defined at Wikipedia) is applying game and design techniques to non-game applications to engage audiences. I'm not talking about creating security awareness related games, such as what the Wombat folks did with their Anti-Phishing Phil game. I'm talking about taking the entire concept of security awareness
...