Using security metrics to measure human awareness

Free tools offer security practitioners a way to measure the effectiveness of awareness programs

By , Executive Editor, Online

November 05, 2012 | CSO

It's been said that security is hard to measure. Producing measurable results around a lack of problems or incidents is challenging. But the field of security metrics has evolved considerably in recent years, giving security managers more resources to make the case for investing in security programs and technologies.

Now the SANS Institute, through its Securing the Human program, is offering a set of free metric tools designed to give security leaders the ability to track and measure the impact of their own security awareness programs.


According to Lance Spitzner, training director for the program, the tools can be used to improve training, demonstrate return on investment, or compare an organization's human risk to that of other organizations in its industry. "All resources are free, developed by the community for the community," said Spitzner.

The tools include:
Metrics Matrix — A spreadsheet that identifies and documents different options for measuring a security awareness program. It includes metrics both for measuring impact (change in behavior) and for tracking compliance.

Measuring Human Risk Survey — The newest addition to the tools, and still in development, this twenty-five question survey helps determine the human risk in an organization. Each question and each of its possible answers carries a different level of risk. Depending on how employees respond, the answers can be totaled to produce a quantitative value for your human risk.

Phishing Assessments Planning Package — "Phishing assessments are not only a simple and effective way to measure the impact of your awareness program, but a very powerful way to reinforce key training concepts. This package helps you step by step plan, build and implement a successful phishing assessment program, including several templates," said Spitzner.
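The survey scoring described above, as an added illustration that is not part of the SANS tools or this article: a constructed three-question survey (the real one has twenty-five), with per-answer risk weights that are assumptions, totaled per employee, normalised to a 0-100 scale across the organization, and ranked by which questions contribute the most risk.

```python
from collections import Counter

# Constructed survey definition: question id -> {answer: risk points}.
# Three questions stand in for the twenty-five; weights are assumptions, not SANS values.
SURVEY = {
    "q01_password_reuse": {"never": 0, "sometimes": 2, "always": 4},
    "q02_report_phish":   {"always": 0, "usually": 1, "rarely": 3, "never": 4},
    "q03_lock_screen":    {"always": 0, "sometimes": 2, "never": 4},
}


def max_risk(survey):
    """Worst possible total, used to normalise scores to a 0-100 scale."""
    return sum(max(answers.values()) for answers in survey.values())


def score_respondent(survey, responses):
    """Return (total_points, per_question) for one employee's answers.

    Unanswered or invalid answers score the worst case, so skipping a
    question can never lower the reported risk.
    """
    per_question = {}
    for qid, answers in survey.items():
        choice = responses.get(qid)
        per_question[qid] = answers.get(choice, max(answers.values()))
    return sum(per_question.values()), per_question


def organisation_risk(survey, all_responses):
    """Aggregate all respondents into (mean_risk_pct, hotspots).

    mean_risk_pct: average normalised score (0 = no risk, 100 = worst case).
    hotspots: question ids ordered by total risk contributed across staff.
    """
    ceiling = max_risk(survey)
    totals, contribution = [], Counter()
    for responses in all_responses:
        total, per_question = score_respondent(survey, responses)
        totals.append(100.0 * total / ceiling)
        contribution.update(per_question)
    mean_pct = round(sum(totals) / len(totals), 1) if totals else 0.0
    return mean_pct, [qid for qid, _ in contribution.most_common()]


if __name__ == "__main__":
    staff = [  # constructed responses from three employees; the third skipped q03
        {"q01_password_reuse": "always", "q02_report_phish": "rarely", "q03_lock_screen": "sometimes"},
        {"q01_password_reuse": "never", "q02_report_phish": "always", "q03_lock_screen": "always"},
        {"q01_password_reuse": "sometimes", "q02_report_phish": "usually"},
    ]
    print(organisation_risk(SURVEY, staff))  # -> (44.4, ['q01_password_reuse', 'q03_lock_screen', 'q02_report_phish'])
```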

CSO spoke with Spitzner about using the metric tools.

CSO: What was the mission in creating these metric-gathering tools?
Spitzner:
The tools were developed out of need by the security awareness community. I run a private mail list of about 200 professionals who are all involved in, or lead, the security awareness program for their organization. People post what they are looking for, and then we, as a group, develop resources that help solve that problem.

One of the first challenges we solved was creating the Security Awareness Maturity Model that helps identify how mature your awareness program is and then how you want to build on that. As a group we then developed the Security Awareness Roadmap that explains in detail how to reach each maturity level. There was a repeated request and need for metrics.
