Its always challenging to find a good security awareness metric. By good, I mean not only does the metric need to measure a human behavior that I care about, but the metric is easy and low cost to repeatedly measure. So I'm always excited when I find what I feel is a good security awareness metric, and here is one I would like to share - updated devices. The behavior we want to measure is are employees updating their devices? This is an important behavior, as we all know the more updated and current your devices are, the fewer vulnerabilities they have. For some organizations this is not an issue, as IT is responsible for keeping all the systems updated. However for other organizations, especially smaller ones, employees often update the systems they use. In addition, with the growth of BYOD and working from home, how employees maintain their personal devices can have a big impact to an organization.
One of my favorite ways to measure this behavior is the free service Qualys's Browser Check. Not only is this service free but very simple for your employees, just have anyone connect to the site to determine if their computer, browser and plugins are current. Even better, Qualys now has a free business version where your organization gets your own unique link. You can now measure how effectively everyone is keeping their computers updated. Regardless of how you collect the numbers, I think this is a very powerful metric that not only allows you to see if you are changing human behavior, but potentially a easy metric to measure.