Information Security Awareness, Training and Motivation — Native Intelligence, Inc.

Continued from Part 2


Measure What Matters - Part 3

What Information Do We Need?

One of the right questions is, "What's the greatest threat to security at your organization?"

Did you know? Internal user behavior (accidental or intentional) results in nearly 80% of information security incidents.

If this is true for your organization, then what should your security awareness metrics measure?
Internal user activities.

As much as possible, metrics should be related to a business function.

When do managers care if employees know more about information security?
When it reduces the cost of operations.

The objective should be to measure user behaviors that are a part of normal business operations.

To do this, you'll need a baseline and a target.

1. Baseline

A baseline documents the level of awareness among employees:

  • Within your industry - a baseline may be available from surveys of your industry, such as the annual global security surveys performed by Deloitte Touche Tohmatsu and Ernst & Young for the financial industry. Also, PentaSafe and the Human Firewall Organization conducted a survey in 2002 that resulted in a Security Awareness Index (SAI) Report* in which 583 organizations in 45 countries and a variety of industries were surveyed about their security awareness practices, security policies, education, training, compliance, threats, and acceptable behavior. The survey responses were used to assign a number, called the SAI, that correlated with the awareness of the end users in each organization.

    * "2002 Security Awareness Index Report - The State of Security Awareness Among Organizations Worldwide"

  • In your organization - the baseline should document:

    • How staff perceive security at your organization
    • Specific behaviors that affect information security at your organization

Information for the baseline can be gathered from surveys, by observation, from software, from audits, from specific security tests, and from help desk reports.

How Staff Perceive Security

Questions that address staff perceptions of information security in your organization might include:

  • Does security help people work by ensuring that assets are available when needed?
  • Are the organization's security policies credible?
  • Are good security behaviors rewarded?
  • Are there real consequences for risky behaviors?

Specific Security Behaviors

Security behaviors that affect your organization include:

  • Whether or not staff recognize specific security concerns. For example, given a number of scenarios, which will staff recognize as ones that should raise a red flag?

    • Leaving a workstation logged in to an application that contains personal information while going to another office to retrieve a fax.
    • Going on vacation without leaving the password to an application with the supervisor so that the temporary worker can get started right away while the worker is out of the office.
    • Responding to a call from someone at the help desk who says that, as part of a network upgrade, the employee's account logon information will be overwritten, and that the help desk technician needs the employee's name and password so that she can re-enable the account after the upgrade.
  • What staff will do in response to security scenarios

Once you've established a baseline of user perceptions and behaviors, track changes over time as your program progresses. This lets you know what's working and what needs to be changed.

2. Target (G*Q*M)

Start with a goal, then ask the question, and then develop the metric. Victor Basili at the University of Maryland developed an approach to metrics called GQM, or Goal, Question, Metric. He teaches these steps:

  1. Start with a GOAL
  2. Then find a QUESTION that will tell whether or not you're meeting the goal
  3. Then, and only then, look for a METRIC that will support the goal.

The metric is developed last, not first.

For example, if your goal is: Decrease inappropriate Web site visits.

The question is: Are people continuing to visit Web sites that they shouldn't?

The Metric is: The number of attempts to access unauthorized Web site content (such as illegal or pornographic material).

This data can be extracted from Web filtering products. This is an automated metric - it's easy to collect, and it shows what the computer users are doing.
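The following is an added example (not code from the article or from any Web filtering product) showing how the metric above is derived from filter logs and then tracked against the baseline and target described earlier in this part. The log line format, the sample lines, and the user names are constructed for illustration; a real product's export format will differ, but the steps are the same: parse the export, count blocked attempts per period, and compare the latest period with the baseline.

```python
"""GQM worked example: derive "attempts to access unauthorized Web content"
from Web-filter log lines, then report progress from baseline toward target.

Added example. The log format is an assumption, not any vendor's real format:
    <ISO timestamp> <user> <URL category> <ALLOWED|BLOCKED>
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2006-01-03T09:12:44 jsmith gambling BLOCKED
2006-01-03T09:13:01 jsmith gambling BLOCKED
2006-01-05T14:20:10 mlee news ALLOWED
2006-01-10T11:02:33 rkhan adult BLOCKED
2006-01-17T16:45:09 jsmith adult BLOCKED
2006-02-02T08:30:00 mlee gambling BLOCKED
2006-02-14T13:11:58 rkhan news ALLOWED
2006-02-21T10:05:21 jsmith gambling BLOCKED
2006-03-06T09:00:00 mlee news ALLOWED
2006-03-13T15:42:17 rkhan adult BLOCKED
"""


def parse_filter_log(text):
    """Parse log text into (month, user, category, action) tuples.

    Malformed lines are skipped rather than aborting the whole report, so a
    partially corrupted export still yields a usable count.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, category, action = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        records.append((when.strftime("%Y-%m"), user, category, action))
    return records


def blocked_attempts_by_month(records):
    """The metric itself: blocked attempts per month, in month order."""
    counts = Counter(month for month, _, _, action in records if action == "BLOCKED")
    return dict(sorted(counts.items()))


def blocked_by_user(records):
    """Supporting breakdown: the same attempts grouped by user, so a few
    repeat offenders are not mistaken for an organization-wide trend."""
    return dict(Counter(user for _, user, _, action in records if action == "BLOCKED"))


def progress_report(monthly, target_reduction):
    """Compare the latest month with the baseline (the first month).

    target_reduction is a fraction, e.g. 0.5 for the goal "halve attempts".
    Returns None when there is no data to measure against.
    """
    if not monthly:
        return None
    months = list(monthly)
    baseline, latest = monthly[months[0]], monthly[months[-1]]
    reduction = (baseline - latest) / baseline if baseline else 0.0
    return {
        "baseline_month": months[0], "baseline": baseline,
        "latest_month": months[-1], "latest": latest,
        "reduction": round(reduction, 2),
        "target_met": reduction >= target_reduction,
    }


if __name__ == "__main__":
    recs = parse_filter_log(SAMPLE_LOG)
    monthly = blocked_attempts_by_month(recs)
    print("Blocked attempts by month:", monthly)
    print("Blocked attempts by user:", blocked_by_user(recs))
    print("Progress toward 50% reduction:", progress_report(monthly, 0.5))
```

The per-user breakdown is deliberately reported next to the monthly total: a falling count driven by one user leaving the company says nothing about awareness, whereas a fall spread across many users does, and that distinction is what makes the metric answer the GQM question rather than merely produce a number.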

Continue to Part 4

Security Awareness Metrics: Measure What Matters
Article by K Rudolph, CISSP © Native Intelligence, Inc.    All rights reserved.