Measuring the Effectiveness of Your Security Awareness Program
Organizations that maximize the efficacy of their security awareness programs may receive many benefits.
Wed, February 12, 2014
CSO — As Yogi Berra put it, "If you don't know where you're going, you'll end up someplace else." Do you know where you're going with respect to your privacy and security awareness programs? How will you know when--or if--you get there?
"But wait just a minute," you object. "Everyone knows that security is a process, not a destination. Is there really any such thing as arriving?" Well, of course there is. Just because a process is dynamic doesn't mean it's left without any measurable aspects. Besides, if any process is to be improved, it must also be measured.
There are many benefits an organization will enjoy when it makes those improvements, not the least of which is the budget justification for creating a security awareness program that will help boost security effectiveness overall. Martin Sadler, Director of Security at HP Labs, summed them up thusly: "Organizations that have achieved a high level of security effectiveness are better able to identify major data breaches, secure confidential information, limit physical access to data storage devices, and achieve compliance with legal and self-regulatory frameworks. They are also in a better position to attract and retain high-quality security personnel and enforce corporate policies."
Those benefits have ripple effects throughout the organization--benefits that range from protecting the company's reputation to increasing customer trust and loyalty. And those translate directly to the bottom line.
Granted, measuring security effectiveness is not as straightforward as measuring a manufacturing process. There are many variables that are simply outside of one's direct control. In fact, a recent ISACA report conceded, "...security is contextual and not an isolated discipline; it depends on the organization and its operations. Furthermore, effective security must take into account the dynamically changing risk environment within which most organizations are expected to survive and thrive." All the more reason that improvements be addressed wherever possible!
In any case, this variability may explain the disparity of results Dr. Kenneth Knapp discovered when he investigated the effectiveness of security programs. He found that while the majority of infosec professionals surveyed believed they were able to secure their information effectively, only 22 percent of them believed so with a high degree of confidence.
Moreover, the survey showed that more than a third did not believe that their organization effectively secures its data. And this is likely understated. Sounds like room for improvement.