Metrics and Human Factor Security Checks
Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective. The metrics used to measure the success of a security awareness program will vary for each organization based on considerations such as size, industry, and type of training.
What is to be done after the information has been delivered and the evaluation tests have been passed? We cannot stop here. We keep the program running throughout the year so that nobody forgets anything: information is always up to date, people are informed accurately and on time, and evaluations are not missing from either the web-based or the workshop courses. At this point, people are informed.
However, as far as their attitude is concerned, another type of evaluation now enters the equation. We need to measure how they respond to the different challenges that can open security flaws. For the computer network, the web site or the company's servers, penetration tests can be carried out in a technical manner.
Mindsett Security: Your Human Factor Security Partner
With implementation support, custom software applications, and several different types of exercises, we support our customers in creating a culture of security company-wide.
How do people respond? – This is the purpose of the evaluation. Measuring the level of awareness through questionnaires is a well-known practice; its advantage is that it reliably measures the accumulated knowledge. The question, then, is what that knowledge is worth in practice. In view of this, when we set out to evaluate attitudes and the way people respond to an incident or a potential security breach, metrics and ways to simulate the most commonly encountered attack scenarios should be included. In this line, external providers must understand and adapt the content and actions of the program to each organization. Although it is sometimes non-technical, covering in general awareness trainings the way social engineering attacks are used against businesses would be a plus.
How do people report? – After applying a challenge, we know exactly how many of those targeted reported the incident. Suppose the security policy specifies that potential phishing attacks must be reported to the IT security department. Launching this type of attack on a group within the company becomes a way of verifying how the people undergoing this challenge will respond. We know the number of people targeted and wait for the reports to reach the security engineer.
What about social engineering? – Considering a significant group within the company, we can launch an attack on them. The degree of sophistication of the attack depends on whoever makes the calls or uses social networks to gather information from within. The purpose of the attack is to obtain sensitive information (data, documents) in the way attackers usually do (e.g. pretexting). Again, from the selected group, we can know exactly how many answered the outside requests, how many did not respond, and how many documented and reported the incident. Piggybacking attempts may be another way of verifying the response of employees who pass through the access areas.
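The counts described in the two paragraphs above (targeted, answered the request, did not respond, reported) can be turned into per-group metrics. The following is an added example and not code from the original page; the outcome labels, the group names, the 50 % report-rate target and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Outcome labels for one person in a simulated phishing / pretexting exercise (assumed).
IGNORED = "ignored"        # no reaction at all
DISCLOSED = "disclosed"    # answered the outside request / handed over information
REPORTED = "reported"      # reported the incident to IT security


@dataclass
class Outcome:
    person: str
    group: str
    result: str
    minutes_to_report: Optional[int] = None  # only set when result == REPORTED


def group_metrics(outcomes, report_rate_target=0.5):
    """Per-group rates from a list of Outcome records.

    Returns {group: {"targeted", "report_rate", "disclosure_rate",
                     "median_minutes_to_report", "below_target"}}.
    """
    by_group = {}
    for o in outcomes:
        by_group.setdefault(o.group, []).append(o)
    metrics = {}
    for group, rows in by_group.items():
        n = len(rows)
        reported = [r for r in rows if r.result == REPORTED]
        disclosed = [r for r in rows if r.result == DISCLOSED]
        times = [r.minutes_to_report for r in reported if r.minutes_to_report is not None]
        report_rate = len(reported) / n
        metrics[group] = {
            "targeted": n,
            "report_rate": report_rate,
            "disclosure_rate": len(disclosed) / n,
            "median_minutes_to_report": median(times) if times else None,
            "below_target": report_rate < report_rate_target,  # flags a group at risk
        }
    return metrics


# Constructed sample results from one simulated phishing wave (not real data).
SAMPLE = [
    Outcome("a1", "finance", REPORTED, 12),
    Outcome("a2", "finance", DISCLOSED),
    Outcome("a3", "finance", REPORTED, 40),
    Outcome("a4", "finance", IGNORED),
    Outcome("b1", "reception", DISCLOSED),
    Outcome("b2", "reception", IGNORED),
    Outcome("b3", "reception", REPORTED, 5),
]

if __name__ == "__main__":
    for group, m in group_metrics(SAMPLE).items():
        print(group, m)
```

Tracking the same groups across successive waves shows whether the report rate rises and the disclosure rate falls, which is the trend the awareness program is meant to produce.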
Journaling of unauthorized operations? – This must be a continuous activity of those responsible for IT security and must be carried out automatically. Also, document the security awareness program, including all the steps previously listed under "Creating the Security Awareness Program" and "Implementing Security Awareness".
Evaluation? – It is a question of finding suitable metrics for assessing the ability to respond to different security challenges. The next figure presents some possible tests applicable to different groups in the organization. By launching any of these tests, the IT Security Officer has at hand a relevant indicator both of the success of the awareness program and, especially, of potential employee risk.