Security Awareness Blog

You Know Your Security Awareness Program is Having An Impact When ...

Creating a security awareness program so you are compliant is easy. Creating a security awareness program that changes behaviors and has an impact is hard. One of the challenges is how do you know when you are having an impact? Here are some metrics I've noticed - you know you are having an impact when ...

  • You send out your monthly phishing assessment, and you get more emails from people asking if this is an assessment (i.e. they spotted the attack) then you do people actually falling victim.
  • Employees get a real social engineering attack on the phone (Hi, this is tech support from Microsoft) and not only do your employees immediately figure it out that it is an attack and report it, but they start pumping the attackers for information (what is your contact number?).
  • The number of computers infected in your organization drops so much that you can free up half or a FTE (Full Time Employee) to focus on more advanced security issues.
  • As the Security Awareness Officer no one trusts your emails. Whenever you send legitimate work related emails that have a link or an attachment, employees reply asking if this is really you.
  • Employees start requesting security awareness presentations. One of the most requested talks I see are those that apply to home, such as securing home Wi-Fi networks, mobile devices or protecting their kids online.

Do you have an example you would like to share? Also, learn how to build high impact security awareness programs at MGT 433 at SANS Orlando this March 23/24.


Posted January 24, 2012 at 2:20 AM | Permalink | Reply


The world gets slammed by a terrible email hosting a nasty, virus-infected attachment, you can't download the update until 3 pm, but nobody in your company opens the attachment. That's what happened to me when "I Love You" hit.

Posted January 26, 2012 at 12:10 AM | Permalink | Reply

Dan Gleebits

When you have to investigate malicious emailed Fedex pdf manifests that shipping department, finance and end users have received for a routine parcel. By the way, nothing changed in the Fedex notification email process and these users had routinely received Fedex pdf manifests this way for years.

Posted March 15, 2012 at 1:40 PM | Permalink | Reply

Ardham Grace

Hmm.. What an interesting read. I can actually vouch for most of these especially "As the Security Awareness Officer no one trusts your emails. " Haha! I'm not even the SAO but they don't trust me anyway.

Posted March 15, 2012 at 1:49 PM | Permalink | Reply


Glad to see I'm not the only one. I also have a new indicator. You know your awareness program is working when you send out monthly phishing emails as part of your assessment program, and not only do employees catch and report it, but start saying the tests are too easy and start recommending ways to make them harder to detect!