One of the biggest challenges we face in security awareness is justifying our awareness program. Awareness costs money, and organizations want to see a return on their investment. It is no surprise that this is a challenge: demonstrating ROI in any security discipline can be difficult. However, it is especially true of human security, because behavior is so hard to measure (what is the level of your employee loyalty, and how much is that worth?). One idea I wanted to share is comparing how much your organization invests in protecting the desktop/laptop versus the employee using it. For example, how much does your organization spend on:
- Anti-virus for each computer.
- Patching / updating for each computer.
- Host based IDS for each computer.
- Standardized build and deployment for each computer.
- Firewall software for each computer.
- USB locking or data control systems.
- Authentication software.