SANS recently released tools for measuring security awareness behavior changes. Assuming a security-awareness training program is ongoing, how often should behavior be assessed, and how do we establish realistic goals?
Ask the Expert!
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
SANS now offers a variety of resources, including free project plans, user surveys and implementation checklists, via its website, Securingthehuman.org. The SANS tools are an excellent source for building and measuring information security awareness in an organization.
The key to a successful training program is a combination of content and reinforcement. Each training program should be customized to a specific target audience. Employees who work in public areas may, for instance, need to concentrate more on social engineering, while those who work in an office setting may need more concentration around email security. This will direct goal creation and the timing and frequency of educational sessions. You should begin by assessing your target audience and developing realistic goals that improve over time. It is easy to set yourself up for failure if you aim too high on goals that change employee behavior, such as resistance to phishing attacks or social engineering. An example would be to reduce the number of employees who fall victim to a social engineering attack by 30%.
The SANS tools have different recommendations for each metric that are a good starting point, but don't feel constrained by these timeframes. Increase the amount of training in areas that turn out to be weak in your organization. For example, increase password audits if the assessment provides evidence that users are not using strong passwords, and decrease education on wearing physical identification if the assessment shows that employees wear their badges. This would hold true for other metrics as well, such as secure desktop, data wiping, sensitive data and infected computers. Customizing the education based on solid assessment data will help make your awareness program more successful by setting realistic goals and focusing on areas that need the most improvement.
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Joseph Granneman
The consequences of phishing attacks could fall on the victims as enterprises start to punish employees who fall for this age-old scam. Expert Joseph... Continue Reading
CERT's ITPM certification is designed to help enterprises with their insider threat programs. Expert Joseph Granneman discusses the certification and... Continue Reading
Privileged users pose a growing threat to organizations. Expert Joseph Granneman looks at this insider threat and shares ways to mitigate it. Continue Reading