One of the ideas I pulled from John Kotter's book Leading Change was a suggestion on Human Resources: have your HR team align performance evaluations, compensation, or promotions with people's security behaviors. This does two things. First, it increases motivation because people see an actual, tangible gain from changing their behaviors. Even more importantly, Mr. Kotter points out that it demonstrates that leadership is serious about security and wants to make secure behaviors part of the organization's DNA. I thought this was a great idea. Here are some examples of metrics your HR team could use to track employees and staff.
- Employee had no security violations in past 12 months
- Employee successfully completed all awareness training
- Employee reviewed their online profiles on their own to confirm security settings
- Employee took additional training on their own (self-education)
- Employee led a security focus group
- Employee reported phishing attacks / suspicious activities
- Employee's computer or mobile device reviewed by security and passed
Ultimately, no single step is going to change people's behaviors; it takes a combination of actions and communications. This is just one more step you can take to make your awareness program more mature.