In this series of posts we have been discussing the different maturity levels of security awareness training. We started with the first two levels: having no awareness program at all, and having a compliance-focused awareness program designed to meet only the minimum requirements. Then we covered promoting awareness and change, and long-term sustainment. Today we will cover the final maturity level: metrics.
This final level is defined as a security awareness program that has metrics in place to track progress and measure impact. As a result, your program is continuously improving and able to demonstrate return on investment. This is not to say that you cannot use metrics in the previous maturity levels; rather, it means you have a formal metrics program. By metrics I mean not just measuring the progress of your awareness program (how many people have taken the training, or how many newsletters you have sent out) but the actual impact of your awareness training: measuring change in behavior. Metrics such as which learning objectives are proving the most effective and which the least, whether certain departments or business units are more vulnerable to human-based attacks than others, whether you are preventing more attacks, whether you are detecting more incidents, and whether you are ultimately reducing more risk. To help you develop your own security awareness metrics, we have put together a community-developed metrics matrix listing over fifteen different metrics you can use to measure actual change in behavior, and ultimately the return on investment to your organization. You can download this as part of our Awareness Deployment Package.