These are the metrics Ponemon applied when he developed his breakthrough Security Effectiveness Score, which, in its most compact version, evaluates 24 attributes (extrapolated from the six key dimensions described above) that consistently correlate with strong security postures. In short, the higher the score, the stronger the organization's security posture, the greater its ability to avoid a breach, and the lower the cost to mitigate a breach. In other words, it provides an objective standard of measure for security effectiveness.
One of the most significant insights that resulted from the application of the tool is that of the 24 parameters considered, 75 percent are directly related to security-aware behaviors, not just information technology. And when specific employee behaviors are addressed in a meaningful way to bring about a security-aware culture, the incidence and cost of non-compliance plummet.
More importantly, when correlating the scores to actual breach incidents, Ponemon's data (gleaned from the more than 7,000 security effectiveness score surveys he's collected) also demonstrates that when organizations spend a dollar on information security--and particularly on security awareness training--they get far more than a dollar's value in return. In other words, there is a measurable ROI. Another reason to see how your organization measures up!
Lastly, ISACA points out in "Security Awareness: Best Practices to Secure Your Enterprise" that measurement not only reveals whether the awareness program is effective, but it can also help identify any knowledge gaps and ensure the improvement of the program overall. Surveys, interviews, pop quizzes, exams, and audits are a few of the more common assessment tools that can be used to measure progress.
A case in point is Western Union's approach to measuring the results of its security awareness program. Western Union's Kim Hickman explains, "Of course you always wonder if you're making an impact, if your efforts are paying off. So to gauge and quantify that we started conducting 20-question quizzes, sent to a different sampling of the employee population every month. We trend the scores over time to see if, as an organization, we're getting better. And we have seen improvement since we launched our new security course, with quiz scores now averaging 89%. It is definitely raising awareness and changing behavior."
Furthermore, Hickman also observes that the quizzes have the additional effect of reinforcing the security awareness information presented in their course. "We get a double benefit there," she says.
The bottom line? The very act of measuring actually also helps bring about the desired result!