Useful and legitimate metrics have long evaded the information security community as a whole. Without proper metrics, you cannot truly prove the value of a security program. This makes it difficult to justify increasing the budget and even maintaining the budget that you have.
Security awareness is especially vulnerable to criticism of its value. We take for granted all of the times we do not click on a phishing email or exercise good judgment. It is also hard to know all of the incidents that were prevented, because there was no vulnerability to be exploited.
Even with the best awareness program in place, as with all security countermeasures, there will be failures, and it will be easy to point to the cost of the failures. So it is essentially impossible to prove all of the losses your security awareness program prevented and the money that you saved, while the failures make themselves apparent. For that reason, it is important to determine how to measure improvements in security awareness and the savings generated by those improvements.
As our past articles stress, it is critical to understand the difference between awareness and training. Training provides a fixed body of knowledge, while awareness intends to change behaviors. While knowledge must be imparted on the students with awareness, the knowledge is irrelevant if it does not result in the desired behaviors. With training, as long as the fixed body of knowledge was provided and sometimes the students pass a test regurgitating basic knowledge, the training is considered successful.
The most common metrics associated with security awareness do not help justifying security awareness efforts. The most common metric is simply whether or not a person took a mandatory computer-based training (CBT) course. Completing a mandatory course of varying time and quality does not do much to actually demonstrate whether or not the students understand the materials, and more importantly, put the training into practice by changing their behaviors. It does however account for compliance requirements, which generally say that an organization must provide awareness training, without regards to effectiveness or results. This is not to say that CBT is ineffective or should not be a part of an awareness program the metrics associated with the training do not represent an actual improvement with awareness.
Then there are attack simulations, which inherently provide metrics. Such simulations include phishing simulations, USB drops, and Social Engineering simulations. However, just seeing a reduced rate of "success" might not tell you as much as you think. For example, even if you get 0 clicks on a phishing simulation, it has limited use if the users just know not to click on a very basic pretext. There is a broad range of attack sophistications, and simulation results only apply to the specific pretext(s) used.
Sign up for CIO Asia eNewsletters.