Creating a security awareness program so you are compliant is easy.  Creating a security awareness program that changes behaviors and has an impact is hard. One of the challenges is how do you know when you are having an impact?  Here are some metrics I've noticed - you know you are having an impact when ...
  • You send out your monthly phishing assessment, and you get more emails from people asking if this is an assessment (i.e. they spotted the attack) then you do people actually falling victim.
  • Employees get a real social engineering attack on the phone (Hi, this is tech support from Microsoft) and not only do your employees immediately figure it out that it is an attack and report it, but they start pumping the attackers for information (what is your contact number?).
  • The number of computers infected in your organization drops so much that you can free up half or a FTE (Full Time Employee) to focus on more advanced security issues.
  • As the Security Awareness Officer no one trusts your emails.  Whenever you send legitimate work related emails that have a link or an attachment, employees reply asking if this is really you.
  • Employees start requesting security awareness presentations.  One of the most requested talks I see are those that apply to home, such as securing home Wi-Fi networks, mobile devices or protecting their kids online.
Do you have an example you would like to share?  Also, learn how to build high impact security awareness programs at   MGT 433 at SANS Orlando this March 23/24.
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.