Security Metrics - Measure What Matters - Part 1

Security Metrics

How you answer the two questions below can shine a light on how effective your security awareness program is, and should get you thinking about which security metrics matter.

  • Would your employees recognize a security incident?
  • Would they know what to do about it?

Studies have consistently shown that about 80% of security incidents stem from staff behavior. Many of these incidents involve errors and omissions, such as leaving a laptop computer that holds unprotected customer data in a taxi cab.

Effective security and privacy awareness training programs:

  • Focus on behaviors
  • Capture a baseline of staff knowledge, perceptions, and actions
  • Monitor and evaluate changes in specific security behaviors over time
  • Build security reflexes

Awareness Programs Build Security Reflexes

In the animal kingdom, awareness — being alert to danger signals and responding quickly — is what makes the difference in survival. Bats and dolphins use sonar to detect and avoid dangers. Cats use whiskers and keen senses of hearing, smell, and night vision to probe their environments. In the same way, people who have an awareness of danger signals are an organization's most valuable sensory instruments.

  • Recognizing and correctly responding to security events should be a reflex for employees.
  • Awareness programs and activities can build this reflex behavior.

Measure What Matters

One accurate measurement is worth 1,000 expert opinions. — Admiral Grace Hopper

Take Away — The most important aspects of effective security awareness metrics are:

  • You can't manage what you can't measure.
  • Measure what matters.

Measurements help us identify and correct problems. Would you want your doctor to look at you and say, "I've seen a lot of patients, and you don't look like you have high blood pressure," or would you rather have the doctor actually measure your blood pressure? With a measurement, you'll know that you either don't have high blood pressure, or you do and should get treatment. In the same way, it's better to measure the status of your Security Awareness Program than to guess. Expert opinions aren't always as accurate.

Experts once insisted that the world was flat. Copernicus' theory that the earth revolved around the sun rocked two thousand years of scientific tradition. He used measurement and mathematics to prove that everyone, including the experts, had it wrong.

In 1952, Walter Cronkite used the UNIVAC 2 computer to predict the outcome of the presidential election. Early in the evening, based on input of the first returns, the computer predicted a landslide for Eisenhower. Walter Cronkite refused to report these results because he did not find them credible. Some people went as far as to suggest that they reprogram the computer to provide a different result. In the end, Eisenhower did win by a landslide, which led some to remark that the problem with computers is people.

This relates to security awareness because security awareness is a "people" problem. The best technical controls are worthless if your insiders aren't making secure behaviors a habit.

Security Awareness and Culture Defined

When we talk about information security awareness, the two basic questions we need to answer about each person who interacts with our information systems or data are:

  • Would the person recognize a security problem?
  • Would he or she know what to do about it?

These questions are at the heart of all security awareness initiatives.


Awareness is the individual's understanding that security is important and that he or she has a role in securing information and information technology.

Culture is the instinctive behavior of individuals within an organization.

Metrics are tools to:

  • Measure progress toward goals
  • Raise awareness
  • Show compliance with regulations
  • Communicate priorities
  • Aid in decision making

Dr. Gary Hinson has an analogy about security being like the brakes in a car. Brakes slow you down, but they also make it possible for you to go much faster.

A good security awareness metrics program is similar to car brakes. It takes time to set the program up, but once you have it established and working well, it can save you time in the long run by making your program more effective.

Metrics aid in decision making. Without a solid metrics program it's difficult to know if what you're doing is effective. You won't know whether to spend more money on doing the same thing, or whether to better use those resources by putting them elsewhere.

As with any tool, it's important to know how to use metrics. Metrics are best used to compare measurements over time to a baseline.
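The two questions the article keeps returning to (would the person recognize the event, and would he or she respond correctly?) turned into per-period rates and compared against a baseline period, as an added example that is not from the article. The period names, counts and the helper that builds the observation records are constructed for illustration.

```python
from collections import defaultdict

def _make(period, n, recognized, responded):
    # Constructed sample builder (not article data): n observed security events in a
    # period, `recognized` of which staff noticed and `responded` of which (a subset
    # of the recognized ones) they also handled correctly.
    rows = []
    for i in range(n):
        rec = i < recognized
        rows.append((period, rec, rec and i < responded))
    return rows

# One record per event: (period, recognized, correct_action). Q1 is the baseline.
OBSERVATIONS = _make("Q1", 10, 5, 3) + _make("Q2", 10, 7, 5) + _make("Q3", 10, 8, 2)

def rates_by_period(observations):
    """Return {period: {"n": count, "recognized": rate, "responded": rate}}.

    Both rates are fractions of all events in the period, so "responded" can
    never exceed "recognized": responding correctly presumes recognition.
    """
    totals = defaultdict(lambda: {"n": 0, "recognized": 0, "responded": 0})
    for period, recognized, correct in observations:
        t = totals[period]
        t["n"] += 1
        t["recognized"] += int(recognized)
        t["responded"] += int(recognized and correct)
    return {p: {"n": t["n"],
                "recognized": t["recognized"] / t["n"],
                "responded": t["responded"] / t["n"]} for p, t in totals.items()}

def compare_to_baseline(observations, baseline_period):
    """Change from the baseline period in percentage points, per later period.

    A period is flagged as regressed when either behavior fell below baseline,
    because an improvement in recognition can mask a drop in correct response.
    """
    rates = rates_by_period(observations)
    base = rates[baseline_period]
    report = {}
    for period in sorted(p for p in rates if p != baseline_period):
        r = rates[period]
        report[period] = {
            "recognized_change_pp": round((r["recognized"] - base["recognized"]) * 100, 1),
            "responded_change_pp": round((r["responded"] - base["responded"]) * 100, 1),
            "regressed": r["recognized"] < base["recognized"] or r["responded"] < base["responded"],
        }
    return report
```

With the constructed data, Q3 shows recognition up 30 points but correct response down 10 points against the Q1 baseline, which is exactly the kind of mixed signal a single headline number would hide.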


This is the first part of a four-part series of articles:
Security Awareness Metrics: Measure What Matters

Article by K Rudolph, CISSP © Native Intelligence, Inc. All rights reserved.