| Metric | What is measured | Data collection method | Frequency | Who collects | Notes |
|---|---|---|---|---|---|
| Phishing awareness | Number of people who fall victim to a simulated phishing attack. | Phishing assessment (simulated phishing campaign) | Quarterly | Security team | The simulated e-mails use the same techniques real attackers use. The goal is to measure who falls victim. This number should decrease over time as behavior changes. |
| Phishing detection | Number of people who detect and report a simulated phishing attack. | Phishing assessment | Quarterly | Security team | Uses the same methodology as above, but instead of tracking who was victimized it tracks who identifies and reports the attack. This number should increase over time. Provide a (socially) safe environment that encourages reporting. |
| Infected computers | Number of reported infected computers. | Help desk tickets or a centralized anti-malware management console | Monthly | Help desk | Most infections are the result of human behavior (opening infected attachments, following malicious links, etc.). This number should decrease over time as employees are trained. Normalize by the number of managed devices so that growth in the fleet, or better detection, is not mistaken for worse behavior. |
| Awareness survey | Number of employees who understand and follow security policies, processes and standards. | Survey or test | Semi-annually | Security team or HR | Employees take a survey of about 25 questions that measures their understanding of, and compliance with, policy. Questions can cover whether people share passwords, whether they know how to contact the security team, and whether they have ever been compromised. |
| Updated devices | Percentage of devices that are patched and current. | Checked when employees connect to an internal server or use an external service (for example a posture check at connection time). | Monthly | IT department or security team | Measures whether employees keep their devices up to date, especially for BYOD (Bring Your Own Device), where central patch management does not reach. |
| Lost/stolen devices | Number of devices (laptops, smartphones, tablets) lost or stolen, and the percentage of those that were encrypted. | Reports to the security team, or physical device audits | Monthly | Security team or asset management | Employees must be trained to maintain physical security of their devices. If the organization has a policy requiring device encryption, this also measures whether employees comply with it. |
| Clean desk | Number of employees who secure their workspace before leaving, as required by policy. | Walk-through after working hours | Monthly | Information security or physical security team | The security team walks through the facility after hours, inspects each desk or individual work area, and checks whether individuals follow the organization's clean desk policy. |
| Passwords | Number of employees using strong passwords. | Password cracking (brute-force attack on password hashes) | Quarterly | Security team (or outsourced) | With authorization, obtain the system's password hashes (for example from Active Directory or a Unix server) and attempt to crack them. Treat the hashes and any recovered passwords as highly sensitive: report counts and weakness categories, not individual plaintexts. |
| Social engineering | Number of employees who can identify, stop and report a social engineering attack. | Assessment by telephone | Semi-annually | Security team (or outsourced) | The security team calls randomly selected employees and tries to manipulate them the way a real attacker would. For example, the caller poses as Microsoft support and tries to get the victim to download a bogus "antivirus" program that is actually malware. |
| Sensitive data | Number of employees posting sensitive organizational information on social networking sites. | Online searches for key terms | Monthly | Security team (or outsourced) | Search sites such as Facebook and LinkedIn extensively to verify that employees are not posting sensitive organizational information. |
| Data erasure or destruction | Number of employees who follow data disposal procedures correctly. | Check digital devices being disposed of for proper wiping; check recycle bins and trash for sensitive documents. | Random | Information security or physical security team | Any digital device that is disposed of (donated, thrown away, resold) can still contain sensitive data; verify that the proper erasure procedure was followed. Check trash cans or dumpsters for sensitive documents that were not shredded. |
| Facility physical security | Number of employees who understand, follow and enforce the access restrictions for facilities. | Count how many employees wear their badges and how many do not. | Quarterly | Information security or physical security team | For many organizations physical security is an important way to mitigate risk, especially for secure facilities. This metric tests and measures people's understanding and enforcement of that control. |
| Completion of training | Who has completed the security awareness training and who has not. | Reports from the LMS or workshop registration pages | Quarterly | Security awareness team | Primary training is when people are taught the full security awareness material for the first time, usually in a single session of online computer-based training (CBT) or an onsite workshop. |
| Communication methods | Who has been reached by ongoing security awareness communications. | Track and document when and how material is distributed to communicate the program. | Monthly | Security awareness team | For a security awareness program to be effective it must be communicated to people on a regular basis. This metric covers the other communication methods that reiterate and reinforce the learning objectives of the annual training. Example measurements: monthly hits on the internal security blog or website; newsletters or posters distributed; tip-of-the-day items published; attendance at lunch-and-learns; attendance at podcasts or webcasts; number of mousepads, sticky notes or other materials distributed; number of security awareness e-mails sent. |
| Policy acknowledgment | Confirmation that employees have completed their training, acknowledge that they understand it and agree to follow the policy. | Written or electronic signature | Part of the annual review | Managers/HR | From a compliance standpoint it may be necessary to document that employees have not only received training but also acknowledged that they understand and will follow it. |
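The Phishing awareness and Phishing detection rows above both come out of the same simulated campaign, so they are best computed together from one event export. The following is an added example and not code from the original page or from any phishing-simulation product; the `timestamp,user,event` export format and the sample log are constructed assumptions. Beyond the two raw counts, it separates people who reported before (or instead of) clicking from those who reported only after clicking, and measures how long the first report took, which is the number a detection team actually cares about.

```python
"""Phishing-simulation metrics from one campaign's event export.

Added example, not from the original page. Assumptions: the simulation
tool exports 'ISO-timestamp,user,event' lines with the events
'sent', 'clicked' and 'reported'; the log below is constructed.
"""
from datetime import datetime

# Constructed sample export: ten users were sent the lure at 09:00,
# carol clicked twice, erin reported before clicking, alice reported
# after clicking, and mallory (never targeted) reported anyway.
SAMPLE_LOG = """\
# timestamp,user,event
2024-04-01T09:00:00,alice,sent
2024-04-01T09:00:00,bob,sent
2024-04-01T09:00:00,carol,sent
2024-04-01T09:00:00,dave,sent
2024-04-01T09:00:00,erin,sent
2024-04-01T09:00:00,frank,sent
2024-04-01T09:00:00,grace,sent
2024-04-01T09:00:00,heidi,sent
2024-04-01T09:00:00,ivan,sent
2024-04-01T09:00:00,judy,sent
2024-04-01T09:03:00,bob,reported
2024-04-01T09:05:00,alice,clicked
2024-04-01T09:07:00,carol,clicked
2024-04-01T09:09:00,carol,clicked
2024-04-01T09:10:00,erin,reported
2024-04-01T09:12:00,erin,clicked
2024-04-01T09:15:00,alice,reported
2024-04-01T09:20:00,frank,clicked
2024-04-01T09:30:00,mallory,reported
"""


def parse_events(text):
    """Parse the export into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind = line.split(",")
        events.append((datetime.fromisoformat(ts), user, kind))
    return sorted(events)  # tuples sort by timestamp first


def phishing_metrics(events):
    """Awareness (clicks) and detection (reports) figures for one campaign."""
    targeted = {u for _, u, k in events if k == "sent"}
    if not targeted:
        raise ValueError("no 'sent' events: nothing was measured")

    # Earliest timestamp per (user, event); duplicates such as a second
    # click are collapsed so each person counts once.
    first = {}
    for ts, user, kind in events:
        first.setdefault((user, kind), ts)

    # Only people who were actually sent the lure count; an untargeted
    # report (mallory) would otherwise inflate the detection rate.
    clicked = {u for (u, k) in first if k == "clicked" and u in targeted}
    reported = {u for (u, k) in first if k == "reported" and u in targeted}

    # Reporting before clicking (or without clicking at all) is the
    # behaviour the program wants to grow; a report after a click still
    # helps incident response but is a different outcome.
    reported_before_click = {
        u for u in reported
        if u not in clicked or first[(u, "reported")] < first[(u, "clicked")]
    }

    first_send = min(ts for ts, _, k in events if k == "sent")
    report_times = [ts for ts, u, k in events
                    if k == "reported" and u in targeted]
    minutes_to_first_report = (
        (min(report_times) - first_send).total_seconds() / 60
        if report_times else None
    )

    n = len(targeted)
    return {
        "targeted": n,
        "clicked": len(clicked),
        "reported": len(reported),
        "reported_before_click": len(reported_before_click),
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "minutes_to_first_report": minutes_to_first_report,
    }


def run_example():
    """Metrics for the constructed campaign above."""
    return phishing_metrics(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Run the same function over each quarterly campaign and plot `click_rate` (expected to fall), `report_rate` (expected to rise) and `minutes_to_first_report` (expected to shrink); comparing only the click count hides the detection side that the second row of the table is meant to capture.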
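For the Passwords row, the cracking run itself is done with a standard tool; the work left to the security team is turning its results into the metric without spreading plaintext passwords around. The following is an added example and not code from the original page or from any cracking tool. It assumes the audit already holds the password hashes with authorization, that the cracker's output is in hashcat's `hash:plaintext` potfile layout, that the account export is a constructed `user:department:hash` format, and that SHA-256 stands in for the real hash algorithm (an Active Directory export would be NT hashes). The `acme` company term and the policy minimum of 12 characters are likewise assumptions.

```python
"""Turn password-cracking results into the 'strong passwords' metric.

Added example, not from the original page. Assumptions: hashes were
obtained with authorization and a cracker has already run; the potfile
is hashcat's 'hash:plaintext' layout; the account export is a constructed
'user:department:hash' format; SHA-256 stands in for the real hash
algorithm; 'acme' is a hypothetical company name; policy minimum is 12.
"""
import hashlib
from collections import Counter

MIN_LENGTH = 12                                            # assumed policy
COMMON_PASSWORDS = {"password1", "welcome1", "summer2024!"}  # constructed
COMPANY_TERMS = ("acme",)                                  # hypothetical


def digest(password):
    """Stand-in hash, used only to build self-consistent sample data."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account export (user:department:hash).
SAMPLE_ACCOUNTS = "\n".join(f"{u}:{d}:{digest(p)}" for u, d, p in [
    ("alice", "engineering", "Password1"),
    ("bob", "engineering", "correct horse battery staple"),
    ("carol", "finance", "acme:2024!"),
    ("dave", "finance", "dave-loves-dogs-2024"),
    ("erin", "hr", "welcome1"),
    ("frank", "hr", "Tq9#vLz2!mXr4&pW"),
])

# Constructed potfile: the four passwords the cracker recovered plus one
# stale entry whose hash belongs to no account in the export.
SAMPLE_POTFILE = "\n".join([
    f"{digest('Password1')}:Password1",
    f"{digest('acme:2024!')}:acme:2024!",
    f"{digest('dave-loves-dogs-2024')}:dave-loves-dogs-2024",
    f"{digest('welcome1')}:welcome1",
    f"{digest('unrelated')}:unrelated",
])


def parse_potfile(text):
    """Map hash -> plaintext. Split on the first ':' only, because a
    recovered password may itself contain ':' (carol's does)."""
    cracked = {}
    for line in text.splitlines():
        if ":" in line:
            h, plain = line.split(":", 1)
            cracked[h.strip().lower()] = plain
    return cracked


def parse_accounts(text):
    """Yield (user, department, hash) with the hash normalized to lower case."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            user, dept, h = line.split(":", 2)
            rows.append((user, dept, h.strip().lower()))
    return rows


def weakness_reasons(user, plain):
    """Why a recovered password was weak; used for counts only."""
    low = plain.lower()
    reasons = set()
    if len(plain) < MIN_LENGTH:
        reasons.add("short")
    if low in COMMON_PASSWORDS:
        reasons.add("common")
    if user.lower() in low:
        reasons.add("contains_username")
    if any(term in low for term in COMPANY_TERMS):
        reasons.add("company_term")
    return reasons


def password_metrics(accounts, cracked):
    """Aggregate counts only: no user-to-plaintext pairs leave this function."""
    n_cracked = 0
    by_reason = Counter()
    by_dept = {}
    for user, dept, h in accounts:
        hit = h in cracked
        if hit:
            n_cracked += 1
            by_reason.update(weakness_reasons(user, cracked[h]))
        done, total = by_dept.get(dept, (0, 0))
        by_dept[dept] = (done + int(hit), total + 1)
    total = len(accounts)
    return {
        "accounts": total,
        "cracked": n_cracked,
        "strong": total - n_cracked,
        "cracked_rate": n_cracked / total if total else 0.0,
        "weak_by_reason": dict(by_reason),
        "by_department": by_dept,
    }


def run_example():
    return password_metrics(parse_accounts(SAMPLE_ACCOUNTS),
                            parse_potfile(SAMPLE_POTFILE))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The per-department breakdown is what makes the number actionable for an awareness program (it tells you where to target training), while the reason counts tell you whether the problem is length, reuse of common strings, or personal and company names; the plaintexts themselves should be deleted with the potfile once the counts are recorded.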