The document discusses security awareness objectives, key performance indicators (KPIs), and metrics. It provides examples of strategic goals in three categories: risks and behaviors, security culture, and compliance obligations. It also gives examples of objectives, KPIs, and metrics that can be used to measure the effectiveness of a security awareness program. The document emphasizes the importance of defining goals and objectives, selecting relevant KPIs and metrics, tracking and reporting on results regularly, and using the data to optimize the program over time.
It is important to note whether your target audiences require both compliance and security awareness training:
Compliance-specific awareness covers training on the policies and procedures required by a regulation with respect to protected information.
Security awareness covers standard security policies and procedures to prevent, detect, contain and resolve security incidents.
Poll Title: How often do you track online course participation statistics?
https://www.polleverywhere.com/multiple_choice_polls/OeZTNUuD7OSbaKq
Compliance:
These metrics help organizations follow user participation and demonstrate that the awareness program is followed to internal and external stakeholders.
Behavior/Knowledge:
These metrics help determine if awareness activities are effective and whether topics, format or frequency need to be adjusted.
Culture:
These metrics help determine if users are motivated to apply what they have learned and help organizations determine what communications or processes are required to emphasize the importance of information security.
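As an added illustration of the three categories above (not part of the original presentation or Terranova Security's material), the script below computes one KPI per category from constructed records: course completion rate for Compliance, simulated-phishing click rate for Behavior/Knowledge, and the rate at which users report the simulated message for Culture. Treating the report rate as a proxy for users applying what they learned, and the sample data and metric names, are assumptions made for this example.

```python
# Added example: one KPI per metric category from constructed records.
# Metric names, the report-rate-as-culture proxy and all data are assumptions.
from collections import defaultdict

# Constructed training records: (user, completed_course)
TRAINING = [("alice", True), ("bob", True), ("carol", False), ("dave", True)]

# Constructed phishing-simulation results: (campaign, user, clicked, reported)
# clicked  = user followed the simulated link
# reported = user used the report-phish button
SIMULATIONS = [
    ("q1", "alice", True,  False),
    ("q1", "bob",   True,  False),
    ("q1", "carol", False, False),
    ("q1", "dave",  False, True),
    ("q2", "alice", False, True),
    ("q2", "bob",   True,  False),
    ("q2", "carol", False, True),
    ("q2", "dave",  False, True),
]


def completion_rate(records):
    """Compliance metric: share of the audience that finished the course."""
    return sum(1 for _, done in records if done) / len(records)


def campaign_rates(results):
    """Behavior metric (click_rate) and culture metric (report_rate) per campaign."""
    total, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _, clicked, reported in results:
        total[campaign] += 1
        clicks[campaign] += int(clicked)
        reports[campaign] += int(reported)
    return {
        c: {"click_rate": clicks[c] / total[c], "report_rate": reports[c] / total[c]}
        for c in sorted(total)
    }


def trend(rates, key):
    """Change in a metric from the first to the latest campaign.

    A negative click_rate trend or a positive report_rate trend indicates
    the program is moving in the desired direction.
    """
    campaigns = sorted(rates)
    return rates[campaigns[-1]][key] - rates[campaigns[0]][key]


def scorecard(training, simulations):
    """Bundle the three categories into one report for regular tracking."""
    rates = campaign_rates(simulations)
    return {
        "compliance": {"completion_rate": completion_rate(training)},
        "behavior": {"click_rate_trend": trend(rates, "click_rate")},
        "culture": {"report_rate_trend": trend(rates, "report_rate")},
        "campaigns": rates,
    }


if __name__ == "__main__":
    for category, values in scorecard(TRAINING, SIMULATIONS).items():
        print(category, values)
```

Run quarterly against real simulation and LMS exports, the same scorecard gives the trend lines the presentation recommends tracking; a falling click rate with a rising report rate is the pattern that shows training is changing behavior rather than only being completed.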
A security awareness program will not reduce the costs associated with an incident but will significantly reduce the likelihood of occurrence and increase the speed of detection.
Practices, activities that we do
Outputs, products provided
Outcomes, results of usage of products by users
Impacts, proof that outputs caused the outcomes
Terranova Security has example metrics in all the categories, to help organizations select the ones most suitable for their objectives.
The Gone Phishing Tournament™ is an annual cyber security event open to security and risk management leaders.
The phishing tournament will provide true benchmarking statistics related to phishing simulations.
Free Phishing Simulation
Complimentary Global Benchmarking Report
Personalized Click Rate Report