Creating a Security Culture
Awareness is all about continued exposure. Al Decker and Rebecca Whitener from the IT services firm EDS have compiled the following list of methods for working security into your employees' everyday lives:
Now that you've put your users through security boot camp, how can you measure the effectiveness of their training? Measurements are indicators that your users are paying attention: How many are accessing the security awareness Web site or clicking on the e-mail link to download the monthly newsletter? Whether you're using a prepackaged metrics program or designing your own, choose your yardsticks to assess their effectiveness before you start.
More direct measurements typically start with the number of users who have taken the security awareness training, and the average score on the end-of-class test and ongoing training exams. The real metric, though, is how training is affecting security; the number of monthly help desk calls is a good indicator. But don't be fooled: more calls is a good sign. It means your users are being more vigilant about security and are applying their training in everyday practice. The cost of the help desk calls will be offset by flagging issues early, before they impact your bottom line.
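The unapproved-software metric this section recommends (count the workstations whose inventory contains products outside an approved list, then compare the rate against a baseline taken before the program started) can be computed directly from an inventory export. The script below is an added example, not code from the article or from EDS; the "host,product" export format, the host names, the product names and the baseline rate are all constructed for the illustration, and a real inventory tool will export its own schema.

```python
"""Noncompliant-workstation metric from a software inventory export.

Added illustration, not from the article or from EDS. The inventory
format, host names, product names and baseline below are constructed
for the example; a real inventory tool exports its own schema.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample export: one "host,product" line per installed package.
INVENTORY_LINES = """\
WS-001,Microsoft Office
WS-001,Adobe Reader
WS-002,Microsoft Office
WS-002,Unapproved P2P Client
WS-003,microsoft office
WS-003,Adobe Reader
WS-003,Random Toolbar
WS-004,Adobe Reader
"""

# Constructed approved-software list; names are compared case-insensitively.
APPROVED = {"Microsoft Office", "Adobe Reader"}


def normalize(name: str) -> str:
    """Fold case and whitespace so 'Microsoft Office' and 'microsoft office' match."""
    return " ".join(name.strip().lower().split())


def parse_inventory(text: str) -> Dict[str, Set[str]]:
    """Map each workstation to the normalized set of products installed on it."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments in the export
        host, product = line.split(",", 1)
        hosts[host.strip()].add(normalize(product))
    return dict(hosts)


def noncompliant_hosts(hosts: Dict[str, Set[str]], approved: Set[str]) -> Dict[str, List[str]]:
    """Return {host: sorted unapproved products} for hosts with any unapproved install."""
    approved_norm = {normalize(p) for p in approved}
    flagged: Dict[str, List[str]] = {}
    for host, products in hosts.items():
        extra = products - approved_norm
        if extra:
            flagged[host] = sorted(extra)
    return flagged


def noncompliance_rate(hosts: Dict[str, Set[str]], approved: Set[str]) -> float:
    """Fraction of inventoried workstations with unapproved software (0.0 if no hosts)."""
    if not hosts:
        return 0.0
    return len(noncompliant_hosts(hosts, approved)) / len(hosts)


def change_vs_baseline(current_rate: float, baseline_rate: float) -> float:
    """Relative change from the pre-program baseline; negative means improvement."""
    if baseline_rate == 0:
        return 0.0 if current_rate == 0 else float("inf")
    return (current_rate - baseline_rate) / baseline_rate


if __name__ == "__main__":
    hosts = parse_inventory(INVENTORY_LINES)
    flagged = noncompliant_hosts(hosts, APPROVED)
    rate = noncompliance_rate(hosts, APPROVED)
    print(f"{len(flagged)} of {len(hosts)} workstations noncompliant ({rate:.0%})")
    for host, products in sorted(flagged.items()):
        print(f"  {host}: {', '.join(products)}")
    # Constructed baseline rate measured before the awareness program started.
    print(f"change vs baseline: {change_vs_baseline(rate, 0.75):+.0%}")
```

Run it monthly against the fresh export and keep the per-run rate alongside the baseline; the relative change is the number worth reporting, since the raw count moves with fleet size. The name normalization matters in practice because inventory tools frequently record the same product with different capitalization or spacing, which would otherwise inflate the noncompliant count.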
Use your tools: If you have a good software inventory tool, track the number of workstations that have unapproved software installed. By using awareness training to reinforce the nature of this threat, you'll see the number of noncompliant desktops decrease dramatically. Once you have selected your metrics, implement them as soon as possible, even before your awareness program kicks off. Measuring your program's effectiveness requires knowing the previous state of awareness in your organization. By establishing a baseline for the metrics you want to track, you'll have the data necessary to get a true picture of how well things are going right from the start.

Battle Ready
Awareness programs are long-term security strategies. The most effective thing you can do to help your program succeed is to work within your existing corporate culture to change it from the inside. Choose the training delivery methods and marketing campaigns that complement the way your employees live their daily corporate lives, or they'll reject your lessons out of hand. Similarly, don't try to teach too much at once. Through careful planning of your training strategy and by choosing metrics that integrate well with your existing processes, you can ensure that your organization — and your users — are ready for the battle ahead.
This was first published in July 2005