How Effective Is Your Security Awareness Program? An Evaluation Methodology

ABSTRACT Security awareness is an important element of every security infrastructure, especially since the human factor often proves to be the weakest link. Companies and organizations have developed programs that seek to promote security and enhance users' perception of the importance of practicing security. As raising awareness, however, is an on-going effort, the campaign has to be regularly evaluated so that corrective actions can be taken in order to achieve the best results. This paper addresses the importance of evaluating an organization's awareness program and provides guidelines and a methodology that will help organizations assess their efforts. The proposed framework includes the evaluation of individual awareness-related processes via respective metrics, as well as the aggregation of the aforementioned metrics to produce an overall evaluation score, usable both as a benchmark for future iterations of the evaluation program and as a figure presentable to higher management.
