Good Morning, I enjoyed taking this very informative and useful course.
I learned new information. I especially liked the format and the interactive aspect, as well as being able to selectively see additional information, samples, etc.
For example, Chad Robinson of the Robert Frances Group recommends measuring:
Attempts to access unauthorized Web site content
Invalid login attempts
Storage of unauthorized file content (e.g., audio, video)
Unauthorized attempts to access controlled resources (e.g., VPN)
Disclosure of sensitive information
Data or intellectual property theft
Unauthorized use of administrator privileges
Examples from Gartner's "Metrics for Information Security Awareness" include:
Process Improvement
Percent of staff who know that the security policy exists
Percent who have seen or read the security policy
Percent of individuals tested on the policy (passing and failing)
Are internal and external security audits showing improvement?
Attack Resistance
Percent of surveyed individuals recognizing a security event scenario
Percent of surveyed or tested individuals susceptible to social engineering
Percent of users tested that revealed their password
Percent of administrators tested that failed an improper password change attempt
Percent of users activating a test virus
Efficiency / Effectiveness
Percent of security incidents having human behavior as a major factor
Internal Crunchiness
Percent of corporate software, partners, suppliers reviewed for security
Percent of critical data that is strongly protected
Percent of critical data not protected according to security standards
Percent of systems with malware or unapproved software installed
These are a good start toward thinking in the right direction: measuring internal user behaviors.
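Several of the behaviors Robinson lists (invalid logins, denied access to web content or to the VPN, privileged actions by non-administrators) can be counted straight out of an audit log. The following is an added example, not code from the page or from either firm cited; the key=value log format, field names and the constructed sample lines are assumptions.

```python
from collections import Counter

# Constructed sample audit log (not from the page); one event per line.
SAMPLE_LOG = """\
2024-03-01T08:01:12 user=alice action=login result=fail src=10.0.0.5
2024-03-01T08:01:40 user=alice action=login result=fail src=10.0.0.5
2024-03-01T08:02:05 user=alice action=login result=ok src=10.0.0.5
2024-03-01T09:15:00 user=bob action=web_access url=/hr/payroll result=denied
2024-03-01T09:16:30 user=bob action=vpn_connect result=denied
2024-03-01T10:00:00 user=carol action=sudo cmd=useradd role=staff
2024-03-01T10:05:00 user=dave action=sudo cmd=systemctl role=admin
2024-03-01T11:00:00 user=erin action=login result=fail src=10.0.0.9
"""

def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2 or any("=" not in p for p in parts[1:]):
        return None
    return {"ts": parts[0], **dict(p.split("=", 1) for p in parts[1:])}

def behavior_metrics(log_text):
    """Count the user-behavior events from Robinson's list found in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            counts["malformed_lines"] += 1   # track, never silently drop
            continue
        action, result = ev.get("action"), ev.get("result")
        if action == "login" and result == "fail":
            counts["invalid_login_attempts"] += 1
        elif action == "web_access" and result == "denied":
            counts["unauthorized_web_content_attempts"] += 1
        elif action == "vpn_connect" and result == "denied":
            counts["unauthorized_controlled_resource_attempts"] += 1
        elif action == "sudo" and ev.get("role") != "admin":
            counts["unauthorized_admin_privilege_use"] += 1
    return dict(counts)

def percent(numerator, denominator):
    """Gartner-style 'percent of ...' figure; 0.0 when nobody was tested."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

if __name__ == "__main__":
    for name, value in sorted(behavior_metrics(SAMPLE_LOG).items()):
        print(f"{name}: {value}")
```

percent() is the same arithmetic behind the Gartner figures below, e.g. percent(users_who_revealed_password, users_tested).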
Security Behaviors Can Be Classed as Good, Bad, or Ugly
Good Security Behavior complies with the letter and spirit of the law, e.g., not releasing non-public information inappropriately, or discovering and reporting a security vulnerability.
Bad Security Behavior includes naive mistakes and dangerous tinkering, such as:
Sharing a password
Deploying a wireless network gateway that allows non-company personnel to use the company's network
Setting up a packet spoofing application to test the user's programming ability
Setting up a network monitoring scanner on the user's PC
Ugly Security Behavior is detrimental misuse or intentional destruction, such as:
Building a script that disables other users' terminal sessions
Forging e-mail header information to make it look like someone else sent a message
Using a file decryption program to discover contents of a file containing trade secrets or sensitive information
Intentionally introducing a Trojan horse program into the network
Choosing Metrics: Examples and Recommendations
Download a 4-page security awareness metrics handout that contains practical details for behavior-based security awareness metrics. This approach divides security behaviors into three categories: good, bad, and ugly. In addition to classifying security-related behaviors, the handout presents specific metrics that can be used and how the measurements may be collected.