Idea for Human Metrics - Tracking Updates

It's always challenging to find a good security awareness metric. By good, I mean the metric not only measures a human behavior I care about, but is also easy and cheap to measure repeatedly. So I'm always excited when I find what I feel is a good security awareness metric, and here is one I would like to share: updated devices.

The behavior we want to measure is: are employees updating their devices? This is an important behavior, as we all know the more current your devices are, the fewer known vulnerabilities they carry. For some organizations this is not an issue, as IT is responsible for keeping all systems updated. For other organizations, however, especially smaller ones, employees often update the systems they use themselves. In addition, with the growth of BYOD and working from home, how employees maintain their personal devices can have a big impact on an organization.

One of my favorite ways to measure this behavior is Qualys's free Browser Check service. Not only is the service free, it is also very simple for your employees: anyone can connect to the site to determine whether their computer, browser and plugins are current. Even better, Qualys now has a free business version in which your organization gets its own unique link, so you can measure how effectively everyone is keeping their computers updated.

Regardless of how you collect the numbers, I think this is a very powerful metric: it not only lets you see whether you are changing human behavior, but is also potentially an easy metric to measure.
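As an added example that is not part of the original post, here is one way to turn collected check results into the metric described above. It assumes a hypothetical record format (employee id, check date, per-component status) because the actual export format is not discussed here; the sample records are constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample records in a hypothetical format (not Qualys's real export):
# one row per check visit: (employee_id, check_date, {component: status}).
SAMPLE_CHECKS = [
    ("e1", date(2012, 1, 10), {"browser": "current", "java": "outdated", "flash": "current"}),
    ("e2", date(2012, 1, 12), {"browser": "current", "java": "current", "flash": "current"}),
    ("e3", date(2012, 1, 15), {"browser": "outdated", "java": "outdated", "flash": "current"}),
    ("e1", date(2012, 2, 9), {"browser": "current", "java": "current", "flash": "current"}),
    ("e2", date(2012, 2, 11), {"browser": "current", "java": "current", "flash": "current"}),
    ("e3", date(2012, 2, 14), {"browser": "current", "java": "outdated", "flash": "current"}),
    ("e4", date(2012, 2, 20), {"browser": "current", "java": "current", "flash": "current"}),
]


def latest_per_employee(checks, year, month):
    """Keep only each employee's most recent check within the given month,
    so someone who re-checks after patching is counted once, by their final state."""
    latest = {}
    for emp, day, comps in checks:
        if (day.year, day.month) != (year, month):
            continue
        if emp not in latest or day > latest[emp][0]:
            latest[emp] = (day, comps)
    return latest


def update_rate(checks, year, month):
    """Fraction of checked employees whose latest check found every component current.
    Returns None when nobody ran a check that month (no data, not 0%)."""
    latest = latest_per_employee(checks, year, month)
    if not latest:
        return None
    compliant = sum(1 for _, comps in latest.values()
                    if all(status == "current" for status in comps.values()))
    return compliant / len(latest)


def participation(checks, year, month, headcount):
    """Share of the workforce that ran a check at all; the update rate only
    describes these people, so report both numbers together."""
    return len(latest_per_employee(checks, year, month)) / headcount


def outdated_components(checks, year, month):
    """Which components were outdated in the latest checks; tells you where to aim training."""
    counts = Counter()
    for _, comps in latest_per_employee(checks, year, month).values():
        counts.update(c for c, status in comps.items() if status != "current")
    return counts


def trend(checks, months):
    """Month-over-month series of the update rate, for spotting behavior change."""
    return [(y, m, update_rate(checks, y, m)) for y, m in months]
```

With the constructed records, the update rate rises from one third in January to three quarters in February, and Java is the component most often behind, which is the kind of finding that feeds back into awareness training.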




Very true. For quite a while now, updating desktop computers has not been something for which you could ask employees to take responsibility. But with BYOD, I guess most Mobile Device Management tools are not yet able to take on sole responsibility for updating devices' OS and apps.
I teach employees that ensuring software updates are completed is part of their responsibility, in the sense that a user action is sometimes still required for a pushed update to their computers. Some people will still deliberately not reboot, or will cancel/postpone an automated reboot. Rebooting their computers and laptops regularly is still a good idea.
So, this idea for metrics is good, even for many desktop users. I'm going to start mentioning it in my training.
Until MDM tools can reliably control the entire update process, this should work pretty well for devices, too.

Scott, great point. Also keep in mind that for very small companies (say 300 employees or less) quite often employees are responsible for updating their computers.