For the past couple of weeks we have been discussing metrics for security awareness, specifically how to measure both the progress and impact of your awareness program. I would like to wrap up this series on what to do once you have the results, whom do you share it with and how? Here are several options to consider.
- Security Team: One of the first groups that will be interested is your security team, the people responsible for protecting the organization. They will want to know how vulnerable employees are, how great the risk is for the human element. Metrics can tell them what percentage of people are happy to click on any link sent their way and how threats can exploit that.
- Management: These are the folks focused on the business side, they want to know if they are getting a return on their money. As we discussed in our last blog post, if done properly awareness programs can have a tremendous impact, one that can be measured. Show management the positive impact your program is having.
- Auditing: Your compliance team may not be interested in the impact of your program, but they will be very interested in the progress. These are the folks who will want to know who took the training, what percentage of the organization is 'aware'. They will potentially need this for legal or certification requirements, such as for HIPAA, PCI DSS or ISO 27001.
- Employees: These are often the last group people think of sharing the results with, but in many ways this should be the first. What better way to get the attention of employees and make them aware then publish the results of your awareness assessments. Perhaps in a monthly newsletter you can have a section that shows how many employee fell victim to a phishing assessment, what the assessment looked like and how they could have figured out it was a fake email. Not only are you reinforcing the core lessons of your program, by providing statistics about your organization you are demonstrating how real the risk is.