Another key component of successful metrics gathering is collecting metrics proactively, before the awareness effort begins. Only by collecting Day 0 (baseline) metrics can you know whether or not your program had an impact. While it is ideal to see your results increasing the desired behaviors, it is just as important to know when they are not. Only then can you know that you have to improve, and the same metrics point to where the improvement is needed.
Making it Tangible
Assuming that you are getting the desired results, the next step is to attach a cost savings to the effort. This requires estimating the incidents that were prevented, along with their associated costs. For example, if you estimate that you reduced network malware infections (a tangible symptom of phishing) by 5 incidents per month against your baseline, and estimate that each incident costs $10,000, you can claim to save your organization $50,000 per month. In practice this is more complicated than described here: the claim is only as credible as the baseline it is measured against and the per-incident cost figure behind it. Still, the underlying principle is one that should be applied in every security discipline, not just awareness.
Security is about cost-effectively mitigating risks, not preventing all compromises. This is especially true of security awareness. Whenever you are dealing with people, there will always be some security-related loss. A good security awareness program will save an organization far more in reduced losses than it costs. Metrics allow you to demonstrate this, and to prove the value of everything else that you do.