Editor's Note: This is a guest Blog Post from Lance Hayden, a Solutions Architect with Cisco's IT Governance, Risk and Compliance consulting practice and author of IT Security Metrics. Below is a short description of his talk on the Human Vulnerability Scanner at the Security Awareness Summit 10 Sep in Dallas.
Security training and awareness professionals, somewhat by definition, focus more on the human and social issues of an organization than on its technology. The fact that people are not as easy to manage as machines makes the job more challenging, especially when it comes to measuring security effectiveness. If you manage a network, you can fire up a vulnerability scanner and find out where your problems may exist fairly easily. Assessing the human side of the network is more complicated and more nuanced. Fortunately, tools exist to measure human behavior as well.
One of the most widely used is survey research. Surveys are performed just about everywhere in industry when one group of people are interested in what another group of people think, believe, or do. Not all surveys are well made, but a good one can provide a wealth of data about things that are notoriously hard to measure by other means. For security awareness, they are the closest thing we have to a human vulnerability scanner.
My session will introduce an update to the Human Risk Survey, a tool designed to be a barometer of security awareness and behaviors, and even security culture, within an organization. The survey gives insight into the awareness levels and behaviors of respondents and, when combined with data from other organizations using the same survey, can help you understand how your results stand in comparison to theirs.
We'll discuss how to use the survey, how to analyze your results, and how to present those results to management and other stakeholders in order to improve security awareness and culture within your organization. I'll also be soliciting feedback on the survey and beginning the process of developing comparative data sets across organizations adopting the tool.
Bio: Lance Hayden is a Solutions Architect with Cisco's IT Governance, Risk and Compliance consulting practice. He has twenty-five years of experience in information security, beginning with the Central Intelligence Agency. Lance has a Ph.D. in Information Science from the University of Texas, where he also teaches courses on security, intelligence, and surveillance. He is the author of IT Security Metrics from McGraw-Hill. He is certified as a CISSP, CISM, CRISC, and ISO 27001 Lead Auditor.