Tracking Security Awareness KPIs - Infosec

Transcription

Tracking security awareness KPIs

Effective tools for measuring security awareness program impact, tracking workforce behavior & proving organizational value

infosecinstitute.com/iq/

Executive summary

Hackers have leveraged security vulnerabilities as early as the 1980s to break into networks and capture data. Since that time, attacks have increased in frequency, reach and sophistication. Organizations have answered this threat by investing in security technologies, but a look at recent headlines shows this effort is not enough. Using social engineering tactics like phishing, hackers have learned to circumvent security controls and access networks through unassuming, underprepared employees.

A comprehensive approach to information security is an organization's best defense against security threats. This includes investments in security technology and staff, security policy development and workforce security awareness training. But like all investments, we need to prove a positive return to management. In this paper, we review the value of security awareness training and suggest key performance indicators (KPIs) to help you demonstrate program value to stakeholders.

Table of contents

Security awareness training ... 1
Assessing security awareness training program success with KPIs ... 2
Selecting effective security metrics ... 3
Nine security awareness KPIs to track program impact ... 4
Conclusion ... 5
About Infosec IQ ... 6

infosecinstitute.com // 708.689.0131

Security awareness training: A powerful risk mitigation tool

Security awareness training is a prerequisite for many international security standards and regulations, including the ISO 27000 series and PCI DSS. However, an effective security awareness program also adds considerable value to your organization's security strategy. End users are the weakest link in the cybersecurity chain; the human element is often the primary cause of severe data breaches, through simple mistakes ranging from downloading malware to clicking links in phishing emails. By teaching your workforce how to detect cyber threats, they will be better equipped to prevent data breaches at your organization.

According to Verizon's 2018 Data Breach Investigations Report, human error led to 27 percent of data breaches in 2017. Other findings include:

» 43 percent of all breaches leveraged social attacks
» 93 percent of social incidents occurred due to phishing
» 28 percent of phishing breaches were targeted attacks
» 51 percent of all breaches included malware
» 66 percent of malware was installed through email attachments

Cyber criminals have humanized their hacking methods – and as the data shows, it's working. By exploiting common drivers of human behavior like eagerness, distraction, curiosity and uncertainty, hackers can easily convince uninformed users to share sensitive data or install malware. With so many security risks stemming from human behavior, awareness training for your workforce can be an effective tool in the prevention, detection and early reporting of security breaches.

Like most investments, security awareness training is only as good as the results it generates. It's important to objectively monitor the effectiveness and impact of your program through metric-based tracking. Before launching your program, establish program KPIs in collaboration with your organization's stakeholders. Defining training program success – and the metrics you will use to define it – will align program objectives with business strategies. This will ensure continued support and funding for your future training program initiatives.

Assessing security awareness training program success with KPIs

Security awareness KPIs will help you measure the effectiveness of your training program, identify gaps and drive change. Select measurable, meaningful and easy-to-understand KPIs that align with the goals of the organization and with legislation. All KPIs should be easy to implement and inexpensive to track – with a finite budget and resource pool, it's important that your management process is not burdensome.

Once KPIs are selected, define how to use them to create meaningful performance scorecards that tell a story. It's helpful to define acceptable ranges for KPIs, as well as milestones to reach and "tripwires" to trigger action when needed. Some KPIs measure quantitative items (e.g., phishing rates); others can look at less tangible indicators like risk ratings and surveys.

There are three compelling reasons to track program impact with KPIs:

You can't manage what you cannot measure. In order to better administer the security awareness program and justify its cost, find a good, objective method to verify its effectiveness. Measurable results prompt acceptance, support investments and justify change implementation when needed.

Track workforce behavioral changes over time. KPIs can help demonstrate how the program is affecting user behavior. Program effectiveness can be measured by capturing data on changes in the way people react to threats, such as the ability to recognize and avoid phishing attempts.

Prove value from training. Budget for training expenditures must be justified to management. Getting funding for security technology is relatively simple – antivirus software is clearly effective in stakeholders' minds – but securing funding for security awareness training is often more challenging. Having an evaluation plan and KPIs in place prior to program launch will help gain management buy-in and financial support.

Getting started: Selecting effective security metrics

Depending on your program's objective, your choice of KPIs will vary. As noted in the NIST publication Cyber Security Metrics and Measures, "effective security metrics identify weaknesses, determine trends to better utilize security resources and judge the success or failure of implemented security solutions." Whatever KPIs you select, make sure they help you answer key questions, both from a program management perspective and from organizational stakeholders. These may include:

» Is your security awareness program reducing operation costs?
» How is your security awareness program helping mitigate security risks?
» How is your security awareness program changing workforce behavior?

Nine security awareness KPIs to track program impact

Once you've identified the questions your KPIs must address, it's time to select your program KPIs. Here are nine indicators to help you evaluate and measure security awareness at your organization.

1. Policy acknowledgment: Every security awareness program should, at minimum, communicate security policy requirements to staff. Tracking employee policy acknowledgments will ensure your workforce is aware of the policy, and helps the organization meet compliance requirements.

2. Phishing rate: You can measure phishing rates through phishing simulation programs that track learners' abilities to detect and avoid phishing emails. A reduction in phishing rate over time proves increased awareness of security threats.

3. Attack detection: Track this metric by recording the number of hacking attempts detected and reported to your security team. Some security awareness programs include an email plugin that allows your staff to report suspicious emails and attachments, which can help inform this KPI.

4. Self-reported incidents: A quick response to a security incident can greatly reduce damages from an attack. Your security awareness training should teach your workforce what to do if they downloaded a malicious file or clicked a phishing email. While the goal of your program should be to help the workforce avoid attacks altogether, this metric will prove you have safeguards in place in the event of a breach.

5. Number of security breaches: A reduction of breaches over time, especially those related to human error, is a good indicator of program success.

6. Audit hits: This is the number of items flagged for correction during a security audit. Periodic internal and external audits are a good way to evaluate your overall security strategy, including awareness training.

7. Program participation rates: Measuring program participation rates gives great insight into training quality and engagement. Simply delivering awareness training will "check the box" on a security audit, but will not help you determine workforce engagement. If your program participation rates are low, consider changing program content or delivery method to increase engagement – and effectiveness.

8. Security health: This KPI can be presented as an overall user behavior grade. To determine security health, pick a sample of your workforce and monitor their technology use. Tracking the number of security infections on their machines, unauthorized downloads or browsing activity can help gauge training retention. Assign weights to these behaviors to generate a meaningful security health score for monitoring changes over time.

9. Cost of security breaches: For this KPI, specifically track the cost of incidents caused by human error. Include related costs, such as those incurred through incident response (tech support, public relations, etc.) and lost productivity. This is an interesting metric that shows management a direct link between awareness and cost reduction.
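The scorecard with acceptable ranges, milestones and tripwires described in the previous section, applied to KPIs 2, 3 and 8 above, as an added worked example that is not from the paper or from Infosec IQ: the campaign data, the 20 percent click-rate ceiling, the 25 percent report-rate milestone and the behaviour weights are constructed assumptions to be replaced with values agreed with your stakeholders.

```python
"""KPI scorecard for a security awareness program (constructed sample data)."""
from dataclasses import dataclass

@dataclass
class Campaign:
    month: str
    sent: int      # simulated phishing emails delivered
    clicked: int   # recipients who clicked the lure (KPI 2: phishing rate)
    reported: int  # recipients who reported the lure via the email plugin (KPI 3)

# Constructed sample data: one simulated phishing campaign per month
CAMPAIGNS = [
    Campaign("2019-01", sent=400, clicked=92, reported=30),
    Campaign("2019-02", sent=400, clicked=70, reported=58),
    Campaign("2019-03", sent=400, clicked=41, reported=110),
]
# Assumed acceptable range and milestone; agree these with your stakeholders
PHISH_CEILING = 0.20     # tripwire: click rate above this triggers action
REPORT_MILESTONE = 0.25  # milestone: share of recipients reporting the lure
# KPI 8: assumed weights per observed risky behaviour (higher = more serious)
HEALTH_WEIGHTS = {"infection": 5.0, "unauthorized_download": 3.0, "risky_browsing": 1.0}

def phishing_rate(c: Campaign) -> float:
    return c.clicked / c.sent
def report_rate(c: Campaign) -> float:
    return c.reported / c.sent

def security_health(observations: dict, sample_size: int) -> float:
    """Weighted behaviour score for a monitored sample: 100 = no findings,
    0 = every sampled user exhibited every weighted behaviour once."""
    demerits = sum(HEALTH_WEIGHTS[k] * n for k, n in observations.items())
    worst = sample_size * sum(HEALTH_WEIGHTS.values())
    return max(0.0, 100.0 * (1 - demerits / worst))

def scorecard(campaigns: list) -> list:
    """Per-month rates plus tripwire and milestone flags, oldest first."""
    rows, prev = [], None
    for c in campaigns:
        pr, rr = phishing_rate(c), report_rate(c)
        flags = []
        if pr > PHISH_CEILING:
            flags.append("phish-rate-above-ceiling")
        if prev is not None and pr > prev:
            flags.append("phish-rate-rising")   # trend reversal, worth a look
        if rr >= REPORT_MILESTONE:
            flags.append("report-milestone-met")
        rows.append({"month": c.month, "phish_rate": round(pr, 3),
                     "report_rate": round(rr, 3), "flags": flags})
        prev = pr
    return rows
```

Feeding the rows into a dashboard each month gives the trend view the paper asks for; the flags are the tripwires that should prompt a content or delivery change.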

Conclusion

Security awareness training KPIs can inform your program management process from development to evaluation. Selecting program KPIs that gauge program impact while linking outcomes to business objectives will help you secure and maintain support for ongoing training initiatives. Security needs change constantly, and so should your training program content. Having data-backed insights into your program's effectiveness will allow you to make changes as needed to mitigate security risks across your entire organization.

Sources

1. Cyber Security Metrics and Measures, NIST
2. The Components of Top Security Awareness Programs, Infosec
3. The Role of Scorecards and Dashboards in Performance Management, ThomasNet
4. Infosec Book Excerpt: Security Metrics – Chapter 17, Infosec
5. 10 Tips to Embed Positive Information Security Behaviors in Employees, CIO
6. Security Awareness Metrics: Measure What Matters – Part 1, Native Intelligence
7. Measuring Security Awareness Program Results, SANS
8. Information Security Awareness Program – What is the Key to Make it a Success?, SecureReading
9. New SmartKPIs.com Report Ranks the Top IT Security KPIs of 2011-2012, The KPI Institute
10. Verizon's 2018 Data Breach Investigations Report, Verizon
11. Tabletop Exercises, Washington State Office of CyberSecurity

About Infosec IQ

Infosec IQ awareness and training empowers your employees with the knowledge and skills to stay cybersecure at work and home. With over 2,000 awareness and training resources, you'll have everything you need to prepare employees to detect, report and defeat cybercrime. Every aspect of the platform can be customized and personalized to match your organization's culture and employees' learning styles. With Infosec IQ, you can:

» Personalize employee training with role-based modules in a variety of themes, styles and lengths to engage learners
» Automate training cadence and delivery to keep lessons relevant, challenging and fun — and save you time
» Integrate with your endpoint protection, LMS and SOC to streamline program management, reporting and attack response
» Analyze employee risk scores, learning outcomes and reported phishing threats to anticipate — and remediate — cyberthreats
» Improve your program with actionable dashboard data, helping you fill compliance training gaps and educate high-risk employees

Learn more at infosecinstitute.com
