SANS recently released tools for measuring security awareness behavior changes. Assuming a security-awareness training program is ongoing, how often should behavior be assessed, and how do we establish realistic goals?
SANS now offers a variety of resources, including free project plans, user surveys and implementation checklists, via its website, Securingthehuman.org. The SANS tools are an excellent source for building and measuring information security awareness in an organization.
The key to a successful training program is a combination of content and reinforcement. Each training program should be customized to a specific target audience. Employees who work in public areas may, for instance, need to concentrate more on social engineering, while those who work in an office setting may need to concentrate more on email security. The audience's needs will direct goal creation and the timing and frequency of educational sessions. You should begin by assessing your target audience and developing realistic goals that improve over time. It is easy to set yourself up for failure if you aim too high on goals for changing employee behavior, such as resistance to phishing attacks or social engineering. An example would be to reduce the number of employees who fall victim to a social engineering attack by 30%.
The SANS tools make different recommendations for each metric, and these are a good starting point, but don't feel constrained by their timeframes. Increase the amount of training in areas that turn out to be weak in your organization. For example, increase password audits if the assessment provides evidence that users are not using strong passwords, and decrease education on wearing physical identification if the assessment shows that employees wear their badges. The same holds true for other metrics, such as secure desktop, data wiping, sensitive data and infected computers. Customizing the education based on solid assessment data will help make your awareness program more successful by setting realistic goals and focusing on the areas that need the most improvement.