SMotW #26: security awareness level

Information security awareness is an essential preventive, detective and corrective security control in its own right, as well as supporting many other forms of control.

Employees clearly have to know about their security obligations imposed by policies, standards, procedures, laws, regulations, contracts, agreements and ethics, and it helps security immensely if they are sufficiently motivated to comply willingly. 

Security-aware employees are more likely to recognize social engineering attacks, malware infections, dubious requests, dubious websites, errors and omissions, bugs, system/network/process failures, plus other information security risks and incidents.  Furthermore, they are more likely to know what to do, how to avoid being compromised, when and how to seek help, and how to report incidents in progress. 

Security awareness levels can be measured using:
  • Awareness surveys, perhaps conducted like customer satisfaction surveys or marketing surveys either in person (try surveying employees who have time to participate, for example over coffee or waiting in line for lunch) or via email or phone or TXT or ... take your pick; 

  • Web-based quizzes and tests designed to check recall and comprehension of information security messages, obligations, requirements, risks, controls etc. (lots of possibilities here!);

  • Tests embedded in Learning Management Systems (most have the facilities); 

  • Feedback forms, for example to gather comments after security meetings or events (give people the opportunity to raise questions and make improvement suggestions in free text, as well as commenting specifically on the events, and don't forget to follow-up with any distinctly negative, cynical, positive or creative responses).

We gave the security awareness metric the following PRAGMATIC score:

  P    R    A    G    M    A    T    I    C    Score
  86   89   86   82   85   80   69   48   75   78%

It does quite well on most criteria, aside from Independence, on the assumption that the people most likely to design and conduct the surveys etc. are the very ones with most to lose or gain from the metric.  Of course, that's not necessarily true.  The Independence rating could be improved if, for instance, someone from the Marketing function with professional experience in surveys and statistics were to help design the metric.  [That's another simple example of using the PRAGMATIC approach to drive improvements in the metrics.]

The Cost value is quite high given the resources needed to design and conduct statistically valid and useful surveys etc.  We justify the 75% rating on the basis that (a) there are substantial business and security benefits to the metric (remember: the rating is actually about net value, not purely the cost); (b) some forms of awareness measurement are inherently low-cost, especially if the information is already being gathered routinely for other purposes (there's a specific example in the book). 

Tip: do you have an “Information Security 101” introductory briefing, orientation/induction session and/or awareness goody-pack for new employees, to explain the basics and bring them up to speed on information security?  If so, why not mention the security metrics, especially if you have a special version of the pack for new managers?