Measuring the Impact of a Security Awareness Program
Our goal in building a security awareness program is to embed security into our partners' existing organizational culture. Impacting culture is a long-term process that can take years and requires executive support. If you are tasked with managing a security awareness program, it is your job to measure and show leadership that your program is making an impact; however, measuring the impact of a security awareness program is difficult. This is in part due to the challenge of assigning metrics to human behavior. If incidents are not detected, how do you measure something that is not happening? How do you measure the risk of a threat that is constantly adapting?
Identifying Key Metrics
Partners will typically ask, “Which metrics should we measure?” While the intent is correct, this is the wrong question. It is essential to begin this process by first identifying the key risks in your organization and then identifying the human behaviors and their associated metrics that manage those risks.
As an example, we will assume data exfiltration is a critical risk to an organization. The first step is to identify the probability and impact of this risk and take into consideration existing technical and business controls. Your IT team may have already implemented Data Loss Prevention (DLP) controls to mitigate the risk of data exfiltration, but do these controls cover all avenues of exfiltration? The DLP solution may prevent a sensitive document from being emailed, but will it prevent an employee from inadvertently leaving a printed copy on their desk within public view? Will it prevent an employee from throwing a printed copy away without shredding? Will it prevent an employee from divulging sensitive information over the phone in a social engineering attack? Will it prevent an unencrypted device containing sensitive information from being lost?
Measuring the human behavior and associated controls in the above example could be accomplished with key metrics such as:
- Clean Desk – Number of employees who remove all sensitive materials when leaving their workstation
- Dumpster Diving Results – Number of sensitive documents found in the trash
- Vishing Assessments – Number of employees who can identify a social engineering attack over the phone
- Lost or Stolen Devices – Number of devices that were reported lost or stolen
- Encrypted Endpoints – Number of portable devices that are encrypted
Many organizations only perform phishing assessments to identify the number of people who click on a malicious link or open an attachment. While these are important metrics, it is essential to go beyond phishing assessments when measuring a security awareness program.
Gather Support to Brainstorm Risks, Initiatives, and Metrics
Embedding security into the organizational culture is a difficult process that cannot be accomplished only by the Information Security team. Gather support by establishing an advisory board of personnel throughout all departments and levels of the organization. Ensure all appointed members are motivated volunteers and that the board understands the importance of establishing a secure culture. Ask the board which risks their department is most concerned with and discuss current security awareness initiatives, metrics, and methods for improving the overall security awareness program.
Reporting Metrics to Executive Leadership
Leadership talks in metrics, so it is crucial to communicate the value the security awareness program provides by reporting the most useful metrics. Your program may be tracking numerous metrics, but focusing on a few of them will give leadership the most insight and value. It may be beneficial to document which metrics are being gathered, provide context on why and how they are being gathered, and ask your leadership which metrics are important to them and how you can make them more useful.
The value of metrics comes from how a metric trends over time rather than from individual snapshots of a single point in time. For this reason, it is recommended to gather metrics for several months before presenting them to your leadership team.
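As an added example (not part of the original article), the following Python script turns monthly counts for the metrics listed above into rates and reports each metric's direction over several months instead of a single snapshot. The monthly figures are constructed sample data, and the choice of which metrics are "lower is better" is an assumption for the example.

```python
"""Trend analysis for security awareness metrics gathered over several months."""
from typing import Dict, List, Tuple

# Constructed sample data: one (numerator, denominator) pair per month, oldest first.
MONTHLY_METRICS: Dict[str, List[Tuple[int, int]]] = {
    "clean_desk": [(410, 500), (425, 500), (440, 505), (462, 510)],          # clean desks / desks checked
    "dumpster_documents": [(14, 30), (11, 30), (9, 30), (6, 30)],            # sensitive docs / bins sampled
    "vishing_identified": [(28, 60), (31, 60), (36, 60), (41, 60)],          # callers who spotted it / calls
    "lost_stolen_devices": [(5, 1200), (4, 1200), (6, 1210), (3, 1210)],     # reported lost / devices in inventory
    "encrypted_endpoints": [(980, 1200), (1050, 1200), (1120, 1210), (1180, 1210)],
}
# Assumption for this example: for these two metrics a falling rate is the desired direction.
LOWER_IS_BETTER = {"dumpster_documents", "lost_stolen_devices"}


def rates(series: List[Tuple[int, int]]) -> List[float]:
    """Convert raw counts into rates so months with different denominators compare fairly."""
    return [num / den for num, den in series]


def slope(values: List[float]) -> float:
    """Least-squares slope per month (x = 0, 1, 2, ...); 0.0 for a single data point."""
    n = len(values)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den if den else 0.0


def trend_report(metrics=MONTHLY_METRICS, lower_is_better=LOWER_IS_BETTER, min_months=3):
    """Summarize each metric as improving/flat/worsening; refuse to judge on too few months."""
    report = {}
    for name, series in metrics.items():
        if len(series) < min_months:
            report[name] = {"status": "insufficient data", "months": len(series)}
            continue
        r = rates(series)
        s = slope(r)
        improving = s < 0 if name in lower_is_better else s > 0
        report[name] = {
            "first": round(r[0], 4),
            "latest": round(r[-1], 4),
            "slope_per_month": round(s, 4),
            "status": "improving" if improving else ("flat" if s == 0 else "worsening"),
        }
    return report


if __name__ == "__main__":
    for metric, summary in trend_report().items():
        print(f"{metric:22s} {summary}")
```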
Remember, the security awareness program will fail without executive leadership's support.