Several weeks ago I posted about the Security Awareness Maturity Model. This consensus project was driven by a need for organizations to be able to easily identify how mature their awareness program was, and where they needed to take it. Over twenty organizations helped develop the maturity model. Now we have taken the … Continue reading Security Awareness Roadmap - DRAFT
In the past I've posted about the tremendous value of phishing assessments, both as a tool to measure the impact of your awareness program and as a tool to reinforce key behaviors. While sending out a single phishing email is relatively simple, establishing a long-term phishing assessment program is difficult; it takes a great deal … Continue reading Establishing Phishing Assessment Programs
In this series of posts we have been discussing the different maturity levels of security awareness training. We started by discussing the first two levels: having no awareness program, and having a compliance-focused awareness program designed to meet only the minimal requirements. Then we covered promoting awareness and change, and long-term sustainment. Today we … Continue reading Security Awareness Maturity Model - Metrics
One of the biggest challenges I feel we face in security awareness is its lack of maturity. Many fields within information security have developed and matured over the years with entire frameworks built around them, fields such as penetration testing, system hardening, secure software development and digital forensics. However, we have no framework or maturity … Continue reading Security Awareness Maturity Model
One of the great things about the annual RSA conference is meeting people smarter than you. Simple, informal conversations or structured presentations are a tremendous way to learn and come up with new ideas. The other night I had a chance to have dinner with Andy Jaquith, author of Security Metrics, often considered the bible … Continue reading Security Awareness Metric - What is Your Prevention / Detection Ratio?