Depending on the size and needs of your organization, a security awareness program usually represents a significant investment of time and funds. A properly designed program, however, will help reduce the number of security incidents affecting your environment. Since this is such a valuable tool, how can an organization determine whether the plan it has “purchased” is actually working?
As always, we need to gather data to see how we’re doing. What should we be looking at?
This article will discuss options for obtaining the needed information and how you can use that data to further refine your awareness program.
Create a System for the Reporting and Resolution of Incidents
With any security program, one of the first items that should be in place is a notification system or process where employees can report incidents. Perhaps your organization already has this in place as part of your help desk functions or first-tier technical support.
It is beneficial if this team uses a searchable database to log every reported issue as a work ticket. This database should also allow data exports and support searching by incident type, date range, number of occurrences, severity, total number of incidents opened and closed, and the length of time each ticket took to close (in days and hours).
Security Incident Types
Logging the incident type is very important, as this will allow you to measure different aspects of your awareness program and help you understand where your training may need to be tweaked. Below are some examples of incident types that can be used for this purpose.
- Phishing: This will serve to log any attempts to lure your employees to malicious sites or request confidential information via email
- Credential compromise: In the event any account password is compromised
- Breach: Serves to log any issues involving unauthorized access to any asset
- Policy violation: This records any violations of policy such as installation of unauthorized software or inappropriate usage of assets
- Edge probes: Tracks any alert raised by scanning or probing activity against perimeter systems
- Employee inquiry: Any questions or requests for guidance from employees
- Stolen asset: Stolen hardware or devices
- Malware: Records any incident of malicious software being reported
- Investigation: Tracks any security investigation that is required by the security team
- Social engineering: Log of any phone scams and other social engineering attacks
- Account lockouts: Records accounts that were locked out, whether reported by the user or raised by the directory service
As your security team begins to go through their work tickets, you’ll start to see trends in the types of issues that are addressed. Depending on how granular your database can get, you can start creating reports to show where employees need the most help and where the awareness program can be modified.
Once the desired metrics are identified, it is very important to establish the frequency with which each metric will be reviewed. This allows key metrics to be examined in order of priority and ensures that none are missed.
Having a functioning Security Information and Event Management (SIEM) tool in your environment is also invaluable, as it provides detailed data points about your network. These tools can measure items such as rate of infection, network anomalies and authentication failures across the entire monitored environment. For example, how many times is an alert for a particular infection reported in your SIEM? Is it usually the same individual who falls victim to the issue in question? The answers to questions like these, specific to your organization, show where your program is succeeding or failing.
The InfoSec team and Human Resource representatives can also work together to increase security and awareness. When new employees are hired, have a small presentation prepared as part of their orientation. During this brief presentation, a security representative can speak about some of the threats facing the organization and how each employee can contribute to the security posture of the company. HR can ensure that each employee understands company policies and answer any questions that may arise as a result. If these questions are logged, they can be submitted to the security group as another metric.
Depending on the frequency of certain questions, the security team can revise policies so that they are written in a way that clearly communicates their purpose. The same is true of overall security threats. If new employees repeatedly ask about certain threats, this alerts the security group to include that material in future awareness sessions so the user base is properly educated.
Consider working with the HR department to disseminate awareness surveys. Small periodic training modules or quizzes can be developed and sent to the employee population as required training. The modules should highlight threats that are actively affecting the organization as per reviewed metrics and then require the employees to answer specific questions around these issues. The rate of incorrect answers can provide insight into current employee knowledge and what can be improved.
Social Engineering Exercises
Social engineering exercises are another active way to test employees’ reactions to specific attack methods and provide valuable metrics for awareness efforts. Contracting with an external partner experienced in this area can help an organization strengthen and empower employees by teaching them the correct way to handle a wide range of threats. The results provided by the external partner can further shape the company’s security awareness program and uncover other areas that require attention. Items to keep in mind when planning an initiative of this type are covered in a separate article.
Generate an Incident Dashboard or Scorecard
Once all required metrics are identified, they should be organized into a system similar to a dashboard or scorecard where the results of each metric over a range of time can be seen at a glance in the form of a bar graph or other charting system. For example, one portion of this dashboard should show the metric type and how many occurrences of the issue appeared in a given month. Other sections of the dashboard can show how many individuals repeatedly dealt with a given issue versus how many individuals reporting the issue were new.
Having a section dedicated to the number of hours worked per issue quickly shows how much time the security group is investing in handling these matters. As the data takes form, it may even be possible to build timelines of major problems from the trends. Patterns may emerge for certain attacks, which helps the security group prepare proactive strategies to address them and deliver tailored awareness information at key points in the year.
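The ticket database described above (incident types, open/closed counts, time to close) and the dashboard metrics in this section (occurrences per type per month, repeat versus new reporters, hours worked per issue) can all be computed from a plain CSV export of the ticketing system. The following is an added example, not code from the original article or from any particular ticketing product; the column names and the sample rows are constructed for illustration and would need to be mapped onto your own tool's export format.

```python
"""Compute awareness-program metrics from a constructed ticket export."""
import csv
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed sample export. The column names are an assumption for this
# example, not the schema of any real help-desk tool.
SAMPLE_EXPORT = """\
ticket_id,incident_type,severity,reporter,opened,closed,hours_worked
1001,Phishing,medium,alice,2024-01-03 09:15,2024-01-03 11:45,1.5
1002,Phishing,medium,bob,2024-01-10 14:00,2024-01-11 10:00,2.0
1003,Malware,high,carol,2024-01-12 08:30,2024-01-14 08:30,9.0
1004,Phishing,medium,alice,2024-02-02 10:00,2024-02-02 12:00,1.0
1005,Employee inquiry,low,dave,2024-02-05 13:20,2024-02-05 13:50,0.5
1006,Phishing,high,erin,2024-02-20 16:00,,3.0
1007,Account lockouts,low,bob,2024-02-21 09:00,2024-02-21 09:30,0.5
"""

TIMESTAMP_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Ticket:
    ticket_id: str
    incident_type: str
    severity: str
    reporter: str
    opened: datetime
    closed: Optional[datetime]  # None while the ticket is still open
    hours_worked: float


def parse_tickets(csv_text: str) -> List[Ticket]:
    """Parse the CSV export; an empty 'closed' cell means the ticket is open."""
    tickets = []
    for row in csv.DictReader(StringIO(csv_text)):
        closed = datetime.strptime(row["closed"], TIMESTAMP_FMT) if row["closed"] else None
        tickets.append(Ticket(
            row["ticket_id"], row["incident_type"], row["severity"], row["reporter"],
            datetime.strptime(row["opened"], TIMESTAMP_FMT), closed, float(row["hours_worked"]),
        ))
    return tickets


def occurrences_by_month(tickets: List[Ticket]) -> Counter:
    """Dashboard cell: (incident_type, 'YYYY-MM') -> tickets opened that month."""
    return Counter((t.incident_type, t.opened.strftime("%Y-%m")) for t in tickets)


def open_closed_counts(tickets: List[Ticket]) -> Dict[str, int]:
    """Total opened, closed, and still open, regardless of type."""
    closed = sum(1 for t in tickets if t.closed is not None)
    return {"opened": len(tickets), "closed": closed, "still_open": len(tickets) - closed}


def mean_time_to_close(tickets: List[Ticket]) -> Dict[str, Tuple[int, float]]:
    """incident_type -> (days, hours) mean resolution time over closed tickets only."""
    durations_h = defaultdict(list)
    for t in tickets:
        if t.closed is not None:
            durations_h[t.incident_type].append((t.closed - t.opened).total_seconds() / 3600)
    result = {}
    for itype, hours in durations_h.items():
        mean_h = sum(hours) / len(hours)
        result[itype] = (int(mean_h // 24), round(mean_h % 24, 2))
    return result


def repeat_vs_new_reporters(tickets: List[Ticket], incident_type: str) -> Dict[str, int]:
    """How many people hit this issue more than once versus exactly once.

    This is the same question asked of SIEM data: is it usually the same
    individual who falls victim?
    """
    per_reporter = Counter(t.reporter for t in tickets if t.incident_type == incident_type)
    repeat = sum(1 for n in per_reporter.values() if n > 1)
    return {"repeat": repeat, "new": len(per_reporter) - repeat}


def hours_by_type(tickets: List[Ticket]) -> Dict[str, float]:
    """Total analyst hours invested per incident type."""
    totals = defaultdict(float)
    for t in tickets:
        totals[t.incident_type] += t.hours_worked
    return dict(totals)


if __name__ == "__main__":
    data = parse_tickets(SAMPLE_EXPORT)
    for (itype, month), n in sorted(occurrences_by_month(data).items()):
        print(f"{month}  {itype:<18} {n}")
    print(open_closed_counts(data))
    print(mean_time_to_close(data))
    print("Phishing reporters:", repeat_vs_new_reporters(data, "Phishing"))
    print(hours_by_type(data))
```

Open tickets are deliberately excluded from the time-to-close mean so that a long-running investigation does not skew the figure while it is still in progress; the open/closed counts report them separately. The repeat-versus-new split is what tells you whether awareness material needs to reach the whole population or a small group of repeat victims.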
Yearly Awareness Day Event
In line with this thought of “key points in the year,” some companies have organized yearly Awareness Days that employees can attend in order to learn about the emerging threats that are impacting the organization and how they can protect themselves. These events can be planned using trade shows as a model. This type of environment is casual and presents many opportunities for employees to engage the security team and ask specific questions. The security team can also design demonstrations of certain threats to illustrate how they occur, which will help cement the ideas in the minds of the attendees.
Employing teaching tools such as educational games that have the aim of testing the employee’s knowledge of specific security subjects is also very useful during these events.
In this article, we have reviewed methods that can be employed to measure improvements in employee behavior when it comes to security matters. The metrics produced by these methods can quickly help a security team understand how deeply the awareness program is affecting the organization and gauge the maturity of its educational program.