How to Measure the Success of Your Security Awareness Program

Depending on the size and needs of your organization, a security awareness program usually equals a significant investment of time and funds. However, a program that is properly designed will assist in helping to reduce the number of security incidents affecting your environment. Since this is such a valuable tool, how can an organization determine if the plan they’ve “purchased” is working?

As always, we need to gather data to see how we’re doing. What should we be looking at?

This article will discuss options for obtaining the needed information and how you can use that data to further refine your awareness program.

Create a System for the Reporting and Resolution of Incidents

With any security program, one of the first items that should be in place is a notification system or process where employees can report incidents. Perhaps your organization already has this in place as part of your help desk functions or first-tier technical support.

It would be beneficial if this team is using a searchable database to log all reported issues in the form of work tickets. This database should also allow exports of data and be able to search according to incident type, date range, number of occurrences, severity, total amount of incidents opened and closed and length of time it took to close (in days and hours).

Security Incident Types

Logging the incident type is very important, as this will allow you to measure different aspects of your awareness program and help you understand where your training may need to be tweaked. Below are some examples of incident types that can be used for this purpose.

• Phishing: This will serve to log any attempts to lure your employees to malicious sites or request confidential information via email
• Credential compromise: In the event any account password (Read more...)