Creating a security awareness program so you are compliant is easy.  Creating a security awareness program that changes behaviors and has an impact is hard. One of the challenges is how do you know when you are having an impact?  Here are some metrics I've noticed - you know you are having an impact when ...
  • You send out your monthly phishing assessment, and you get more emails from people asking if this is an assessment (i.e. they spotted the attack) then you do people actually falling victim.
  • Employees get a real social engineering attack on the phone (Hi, this is tech support from Microsoft) and not only do your employees immediately figure it out that it is an attack and report it, but they start pumping the attackers for information (what is your contact number?).
  • The number of computers infected in your organization drops so much that you can free up half or a FTE (Full Time Employee) to focus on more advanced security issues.
  • As the Security Awareness Officer no one trusts your emails.  Whenever you send legitimate work related emails that have a link or an attachment, employees reply asking if this is really you.
  • Employees start requesting security awareness presentations.  One of the most requested talks I see are those that apply to home, such as securing home Wi-Fi networks, mobile devices or protecting their kids online.
Do you have an example you would like to share?  Also, learn how to build high impact security awareness programs at   MGT 433 at SANS Orlando this March 23/24.
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.