Blog: SANS Securing The Human: Category - Security Metrics

Verizon DBIR - Great Action Items for Awareness Programs

I finished reviewing the new Verizon DBIR (Data Breach Investigations Report). I think this is their best yet. If you are unfamiliar with this report, it's the most comprehensive analysis of what the bad guys are doing each year. This year's analysis is based on data from 95 countries, 1,367 confirmed breaches and 63,437 incidents. There is some amazing content to help you better focus your awareness program; I recommend you download a copy and spend some time reading it. For a technical report, this is also surprisingly easy (and fun) to read. Below is what stood out for me from a security awareness / behavior change perspective.

  1. FIGURE 19: If you are short ...

Idea for Human Metrics - Tracking Updates

It's always challenging to find a good security awareness metric. By good, I mean not only that the metric measures a human behavior that I care about, but also that it is easy and low cost to measure repeatedly. So I'm always excited when I find what I feel is a good security awareness metric, and here is one I would like to share: updated devices.

The behavior we want to measure is: are employees updating their devices? This is an important behavior, as we all know that the more updated and current your devices are, the fewer vulnerabilities they have. For some organizations this is not an issue, as IT is responsible for keeping all the systems updated. However, for other organizations, especially smaller ones, employees often update the


Getting Support and Approval for Phishing Assessments

During my human metrics talk at RSA last month, a common question was how to get support for an internal phishing program. Phishing assessments are a powerful metric: not only do they measure a high human risk, but they are repeatable, quantifiable, actionable and low cost. This is why phishing has become one of the most common metrics within security awareness. In addition, phishing is a powerful way to reinforce key human behaviors. When I first started in security awareness five years ago, phishing, or any type of human assessment, was rare. Nowadays, I would say roughly 30% of organizations I work with are doing some type of human assessment as part of their awareness program (surveys, phishing, checking on secured desktops


Top Five Most Popular Security Awareness Topics

At SANS Securing The Human we currently have over 40 topics in our security awareness training library. By breaking up our training into short modules, organizations can select and use only the topics that directly apply to them. This enables organizations to create short, yet highly effective training. You can find descriptions and short video clips of all the training topics at our STH.EndUser Demo page. With over 800 customers now using this training library, we can begin to extract some very interesting statistics. One of the metrics we ran for 2013 is which topics, which human risks, organizations are most concerned about. As such, we identified the five most common topics used. In other


Verizon PCI Report - Nearly 70% of Data Breaches Started With the Human

Verizon recently released their 2014 PCI Compliance Report. As stated in the introduction:

"This research is based on quantitative data gathered by our qualified security assessors (QSAs) while performing baseline assessments on PCI DSS 2.0 compliance between 2011 and 2013. The companies that we assessed span many industries and countries."

One of the biggest findings? Humans were the cause of almost 70% of the breaches, and user behavior is an important factor in an organization's overall security posture. These findings were recently confirmed by the Target compromise of over 100 million credit cards and identities.