Measuring Security Awareness in Your Organization

By Steve Kahan

Information Security’s ability to educate and empower employees in their risk management responsibilities is a fundamental element of any business protection strategy. If employees in your company think IT Security is the owner of all security related business risk, you’re in big trouble.

IT Security pros are paid to understand the range and depth of risks confronting the business, to build strategies to mitigate them, and to educate their constituents on their responsibilities. Employee awareness is therefore a fundamental element of every security risk mitigation strategy. If you expect key individuals and groups to conform to policies and procedures, you must use focused communication to ensure that they are aware of those requirements.

Your unique knowledge and perspective on business risk is the raw material you can use to design your mix of products and services. The challenge is to determine what risk management knowledge has to be passed on to whom. Seek out advice from your company marketing and communication departments. They can point your messages in highly productive directions. Security awareness is measurable. Actionable measures and metrics for risk awareness may be derived from a variety of sources such as:

  • Risk assessment findings provide qualitative data that needs to be fed back to appropriate business units to make them more aware of their accountability.
  • Risk events and profiles identify unmanaged exposures that need to be communicated. You can determine the absence or degree of measurable improvement in conformance to policies by conducting follow-up testing of your awareness initiatives to see how well the messages got across.
  • Formal feedback surveys and interviews can identify the level of security awareness within targeted populations. A useful technique is to use the corporate intranet to quiz users and engage in random polling on risk or procedural responsibilities.
  • Incident postmortems, lessons learned, and victim interviews provide a rich source of information on gaps in security awareness.
  • Security department customer satisfaction surveys can ask how well respondents understand Security’s messaging and how effective the communication media are.

How are you measuring the success of your Security Awareness training today? You’ll never be able to measure the awareness of your security policies around your privileged account passwords if you don’t have those policies in place. Get a free copy of best practice security policies now.

Source: Thycotic