Creating a security awareness program so you are compliant is easy.  Creating a security awareness program that changes behaviors and has an impact is hard. One of the challenges is how do you know when you are having an impact?  Here are some metrics I've noticed - you know you are having an impact when ...
  • You send out your monthly phishing assessment, and you get more emails from people asking if this is an assessment (i.e. they spotted the attack) then you do people actually falling victim.
  • Employees get a real social engineering attack on the phone (Hi, this is tech support from Microsoft) and not only do your employees immediately figure it out that it is an attack and report it, but they start pumping the attackers for information (what is your contact number?).
  • The number of computers infected in your organization drops so much that you can free up half or a FTE (Full Time Employee) to focus on more advanced security issues.
  • As the Security Awareness Officer no one trusts your emails.  Whenever you send legitimate work related emails that have a link or an attachment, employees reply asking if this is really you.
  • Employees start requesting security awareness presentations.  One of the most requested talks I see are those that apply to home, such as securing home Wi-Fi networks, mobile devices or protecting their kids online.
Do you have an example you would like to share?  Also, learn how to build high impact security awareness programs at   MGT 433 at SANS Orlando this March 23/24.