Blog: SANS Securing The Human: Category - Security Awareness Metrics

Security Awareness Survey Update

Folks, as some of you know, in October for National Cyber Security Awareness Month we released the first-ever Security Awareness Survey for Security Awareness Officers. Over 200 people responded, which was an amazing number. We had hoped to release the results of the survey this week but have run into two challenges; to be honest, both are good problems to have.

  • We received far more information than we expected. We really want to be sure we take our time and digest/analyze this information correctly and present it in a useful and easy-to-use format for security awareness officers around the world.

  • Bob Rudis from the infamous Verizon DBIR team volunteered to help analyze this rich source of information. We wanted to give Bob time to work his magic.

So, while the survey results will be later than we hoped, we like to think they will be well worth the wait. Stay tuned :)


Poster from Ft. Meade Alliance on Need For Employee Cyber Training

The folks from the Ft. Meade Alliance have posted both an interesting blog post and an infographic on the Defense Department's approach to, and need for, employee cyber security training, and how that compares to the civilian world. Long story short, it looks like the military folks may be ahead of the game compared to the corporate world. You can find more about the blog post and their poster at


Start With Simplest Behaviors First

A common challenge I run into when helping others build a security awareness program is deciding which human risks to focus on. You only have so much time and so many resources to communicate with others, and people can only remember so much. If you can only change 10 behaviors this year, which 10 are you going to change? I've seen awareness programs fail because organizations never took the time to prioritize their human risks/behaviors and, as a result, overwhelmed people with a huge laundry list of random do's and don'ts.

One of the interesting things I learned from Dr. Fogg and his behavior model is that different behaviors have different levels of difficulty. Some behaviors will be easy to change and some will be hard. While this sounds intuitive, his model helps you understand why this is the case. One takeaway for me was this: once you identify the top behaviors you want to change, focus on the easiest ones first. Some


Technical Guidance on Phishing Assessments

Several weeks ago we released the Phishing Planning Kit, a resource to help organizations plan and maintain an effective phishing assessment program. This kit is based on the suggestions, lessons learned and feedback from numerous security awareness officers who are actively leading their own phishing assessment programs. The reason we released the kit is that the problems most organizations have with their phishing assessments are not due to technical issues but to how they failed to properly communicate and execute them.

EJ recently asked some technical questions about rolling out his phishing program (see the comments in the Phishing Planning Kit post), and I wanted to take a moment to answer them. First, the simplest way to address most of your technical issues is to use a phishing service. There are many to choose from, and all are similar and good, including


Guest Post - Measuring Human Risk - #SecAwareSummit

Editor's Note: This is a guest blog post from Dan deBeaubien. Below is a description of his upcoming talk on "Measuring Human Risk - What is Your Security Score" at the Security Awareness Summit, 10 Sep in Dallas.

Assuming that we know what to do in a given circumstance related to cyber security - install a firewall, do an audit, train our staff, whatever, and, also assuming that many resources abound to address these situations as they arise, the emergent issue is often where to start. We can't do everything, everywhere - we need to know where to begin, and where to go next. In my role at Michigan Tech, and working closely