One of the things we discuss in the two-day course SANS MGT433 Securing The Human is how to prioritize human risks. Most organizations and security awareness officers have limited time and resources. You can only teach people so much, and as a result you can only change so many behaviors. This means that to have a truly effective awareness program you need to prioritize which human risks you will focus on. Easier said than done.
Thanks to some great ideas by Roderick Currie, there is now a tool to help you do just that. It is a simple spreadsheet. The idea is that you list all the different human risks you are concerned about. You then rate how many incidents you have had related to that risk, how likely you think another incident is, and the impact if it happens. This spreadsheet uses a qualitative approach to measuring human risk, meaning you use the scales of low, medium and high. While this approach is neither precise nor accurate, it is fast, simple and most often 'good enough'. It allows you to quickly identify which human risks you should focus on. I feel tools like these are important, as far too many organizations pick topics randomly on an ad-hoc basis. To truly manage human risk, you have to first prioritize it. You can download both an example risk model and a template here.
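To make the qualitative model concrete, here is an added example, not the spreadsheet or any code from SANS or Roderick Currie, that ranks a constructed list of human risks the same way: each risk carries a low/medium/high rating for past incidents, likelihood and impact. The way the three ratings are combined (likelihood times impact as the score, incident history as the tie-breaker, and the band thresholds) is my assumption for illustration, not the formula the spreadsheet uses.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Ordinal scale behind the qualitative ratings (assumed mapping, not the spreadsheet's).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class HumanRisk:
    name: str
    incidents: str   # how many incidents this risk has caused so far: low/medium/high
    likelihood: str  # how likely another incident is: low/medium/high
    impact: str      # impact if it happens: low/medium/high


def rating(value: str) -> int:
    """Map a qualitative rating to its ordinal value; reject anything off the scale."""
    key = value.strip().lower()
    if key not in SCALE:
        raise ValueError(f"rating must be low, medium or high, got {value!r}")
    return SCALE[key]


def score(risk: HumanRisk) -> int:
    """Assumed scoring: likelihood x impact, giving a value between 1 and 9."""
    return rating(risk.likelihood) * rating(risk.impact)


def priority_band(s: int) -> str:
    """Assumed bands over the 1..9 score, so the output stays low/medium/high."""
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def prioritize(risks: List[HumanRisk]) -> List[HumanRisk]:
    """Highest score first; ties broken by incident history, then by name for stability."""
    return sorted(risks, key=lambda r: (-score(r), -rating(r.incidents), r.name))


def load_risks(csv_text: str) -> List[HumanRisk]:
    """Read the same columns a spreadsheet export would carry (constructed format)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [HumanRisk(row["risk"], row["incidents"], row["likelihood"], row["impact"])
            for row in reader]


# Constructed sample data; the risks and ratings are illustrative only.
SAMPLE_CSV = """risk,incidents,likelihood,impact
Phishing,high,high,high
Password reuse,medium,high,high
Lost or stolen devices,low,medium,high
Sensitive data sent by email,medium,medium,medium
Tailgating,low,low,medium
"""


def ranked_report(csv_text: str = SAMPLE_CSV) -> List[tuple]:
    """Return (name, score, band) tuples in priority order."""
    return [(r.name, score(r), priority_band(score(r))) for r in prioritize(load_risks(csv_text))]


if __name__ == "__main__":
    for name, s, band in ranked_report():
        print(f"{band:6}  {s}  {name}")
```

The point of the tie-breaker is worth noting: two risks rated high/high will sit at the top of the sheet, and the one that has actually produced more incidents is the one to teach first. Swapping the assumed formula for the spreadsheet's own is a one-line change in `score`.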
Interested in learning more about building a high-impact awareness program using tools like these? Join me in Baltimore 13/14 June for the next MGT433 class.