Last week we discussed how healthcare has been more successful in changing behaviors, and in measuring that change, than we in the security community have been.  Not only has healthcare been working longer on changing behaviors (such as washing hands), but it also has more robust metrics for measuring them.  For security awareness programs, where can we start?  I'll be discussing metrics more in the coming weeks, but I wanted to start with one of my favorite metrics: do the people involved in your awareness program like your awareness program?  Put simply, if people do not like your program they are not going to listen.  If they do not listen, if they are not engaged, then you are not going to change behaviors.  The challenge with most security awareness metrics is that you have to wait months, if not years, to see what impact you are having.  What I like best about measuring support is that it is one of the few metrics you can start measuring right away.

When you first kick off your awareness program, pay very close attention to initial feedback and make it simple for people to provide that feedback.  Set up a simple email alias or an online form that anyone can respond to, follow up with a survey after employees take their initial training, reach out to key individuals and get their feedback, and listen carefully to your Steering Committee.

For me, you know your awareness program is on the right track when employees start asking if their family can take the same training.  Here are some key things to keep in mind to ensure people support your program.
  • Start slow.  Don't ambush people by announcing they have one month to take all of the online security awareness training.  Instead, have management communicate ahead of time about the program, what is involved and why you are doing it.
  • Whenever explaining your awareness program, explain it in terms of how it benefits them.  I think you will be surprised by people's response; a lot of them are very concerned about online security and want to learn more.  If you approach this as helping them (which you are) you can gain tremendous buy-in.
  • Make sure you have a Steering Committee (advisory board) to help you plan everything.  Not only does the board help you avoid making mistakes, but they act as ambassadors of your program, building support within your organization.
  • Do not overwhelm people with Fear, Uncertainty and Doubt.  Yes, you have to explain the dangers, but our ultimate goal is to enable people to use technology, not scare them away.
  • Remember, you will need to use multiple methods to communicate your program.  Different generations, nationalities and cultures respond differently to how you communicate (online videos, in-person workshops, newsletters, podcasts, etc.).
What have you found that works well building support for your security awareness program?  Did you try to measure that support, and if so how?