Information Security Awareness, Training and Motivation — Native Intelligence, Inc.

Recommend this article:   Add to your    Digg This   Slashdot   GotNews   StumbledUpon   Reddit

Measure What Matters - Part 1

One accurate measurement is worth 1,000 expert opinions. — Admiral Grace Hopper

Take Away — The most important aspects of effective security awareness metrics are:

  1. You can't manage what you can't measure.
  2. Measure what matters.

Measurements help us identify and correct problems.Would you want your doctor to look at you and say, "I've seen a lot of patients, and you don't look like you have high blood pressure?" or would you rather have the doctor actually measure your blood pressure? With a measurement, you'll know that you either don't have high blood pressure, or you do, and should get treatment. In the same way, it's better to measure the status of your Security Awareness Program than to guess. Measurements help us identify and correct problems. Expert opinions aren't always as accurate.

Experts once insisted that the world was flat. Copernicus' theory that the earth revolved around the sun rocked two thousand years of scientific tradition. He used measurement and mathematics to prove that everyone, including the experts, had it wrong.

In 1952, Walter Cronkite used the UNIVAC 2 computer to predict the outcome of the presidential election. Early in the evening, based on input of the first returns, the computer predicted a landslide for Eisenhower. Walter Cronkite refused to report these results because he did not find them credible. Some people went as far as to suggest that they reprogram the computer to provide a different result. In the end, Eisenhower did win by a landslide, which led some to remark that the problem with computers is people.

This relates to security awareness because security awareness is a "people" problem. The best technical controls are worthless if your insiders aren't making secure behaviors a habit.

Security Awareness and Culture Defined

When we talk about information security awareness, the two basic questions we need to answer about each person who interacts with our information systems or data are:

  • Would the person recognize a security problem?
  • Would he or she know what to do about it?

These questions are at the heart of all security awareness initiatives.


Awareness is the individual's understanding that security is important and that he or she has a role in securing information and information technology.

Culture is the instinctive behavior of individuals within an organization.

Brakes slow your car down, but they also make it possible for you to go a lot faster. Metrics Are Tools To

  • Measure progress toward goals
  • Raise awareness
  • Show compliance with regulations
  • Communicate priorities
  • Aid in decision making

Dr. Gary Hinson has an analogy about security being like the brakes in car. Brakes slow you down, but they also make it possible for you to go much faster.

A good security awareness metrics program is similar to car brakes. It takes time to set the program up, but once you have it established and working well, it can save you time in the long run by making your program more effective.

Metrics aid in decision making. Without a solid metrics program it's difficult to know if what you're doing is effective. You won't know whether to spend more money on doing the same thing, or whether to better use those resources by putting them elsewhere.

As with any tool, it's important to know how to use metrics. Metrics are best used to compare measurements over time to a baseline.

Continue to Part 2

Security Awareness Metrics: Measure What Matters
Article by K Rudolph, CISSP © Native Intelligence, Inc.    All rights reserved.