One of the biggest challenges I see in security awareness is proving that it works, that it makes a difference. I want to see awareness move beyond compliance and become an effective control that reduces risk. To do that, however, we have to be able to measure its impact. To be honest, measuring the impact of any control is a common challenge in security, but I feel it is especially hard in awareness: not only is the field so immature, we are also trying to measure human factors, not technology. In a series of posts over the coming weeks I'll cover how human awareness can be measured and, as a result, how you can measure the effectiveness of your program. We will also discuss some public reports of metrics successfully used by other organizations, including NY State, West Point and Carnegie Mellon University. For resources I'll be referencing one of my favorite books on security metrics, Andrew Jaquith's Security Metrics: Replacing Fear, Uncertainty and Doubt. In addition, to stay current with the latest trends in security metrics, I highly recommend the Security Metrics mailing list, which you can subscribe to at www.securitymetrics.org.
Updated 11 January, 2011. You can find the rest of the series below.
Security Awareness Metrics Part 2 - Two types of security awareness metrics, progress and impact and what makes a good metric.
Security Awareness Metrics Part 3 - Measuring impact.
Security Awareness Metrics Part 4 - Three case studies of measuring impact.
Security Awareness Metrics Part 5 - Sharing the results.