For a high-impact security awareness program to be effective, you need the ability to measure your awareness program. Security awareness metrics are something I have written about in the past. To help centralize your security awareness metrics planning I have created a metrics checklist. This matrix breaks down awareness metrics into two categories, those that measure the deployment of your program and those that measure the impact of your program. By deployment I mean things like who has taken the training or the different types of materials used, metrics important to auditors. By impact I mean measuring behavior change, metrics important to your security team. I break down these metrics, identify who can measure them, how they can be measured and suggestions for how often. You can download the new metrics checklist as part of the SANS Securing The Human Awareness Deployment Package.
Note: I've also updated the deployment package with a new presentation (including notes) and a README-FIRST document that helps organize all the content. As always, please send any feedback and suggestions to me at lspitzner@sans.org.
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.