You need to test the effectiveness of your security awareness program
I wrote a few weeks back about employee security awareness and gave some resources on how to do it on the cheap. Since I am sure you followed my advice and now have a security awareness training program, the next job is to measure how effective that program is. So, how can you know that the knowledge is sinking in and your employees (the weakest link in the security chain) are actually becoming more "security aware"?
One way is to wait for an incident and see how your employees handle it. For obvious reasons, that is not a good idea. To confirm that your employees are starting to think in terms of security, you have to be more proactive.
Since a good security awareness program covers the full range of security topics, there is a huge amount of ground to cover. A quick and fairly simple place to start is a written test of some sort. This is not high school or college, so don't go overboard with scenario exams or essay questions: they may measure effectiveness, but they will generate a huge backlash. A test of this kind is typically composed of simple multiple choice and true/false questions. That does not mean it has to be a pushover, though. Make sure it gives employees a decent challenge so that the result is a meaningful measure of how much has sunk in.
Another way to test is to actually simulate an incident in some way. This can be physical social engineering, such as bringing in people to try to talk or walk their way into the building, or it can be crafting phishing emails and sending them from outside to see whether users fall for them. I would not recommend this approach until your awareness program is fairly mature and your user base has been exposed to it for a while.
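If you do run a phishing simulation, the part that matters for measuring the program is being able to tell, afterwards, what fraction of recipients clicked. The following script is an added example, not code from the original post: it issues each recipient an opaque per-person token (an HMAC, so the link itself does not leak the address and a forwarded mail cannot be used to forge a colleague's token), then tallies clicks from web-server log lines for the landing site. The recipient list, campaign label, secret, landing URL and log lines are all constructed for the demo. Results are reported per department rather than per person, which is in keeping with the point below about not using the exercise to single anyone out.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample data for the demo: hypothetical recipients and departments.
RECIPIENTS = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "engineering",
    "dave@example.com": "engineering",
}
CAMPAIGN = "2010-03-payroll-notice"                 # hypothetical campaign label
SECRET = b"demo-only-secret-rotate-per-campaign"    # constructed; keep real ones out of source
BASE_URL = "https://awareness-test.example.net"     # hypothetical landing site


def make_token(secret: bytes, address: str, campaign: str) -> str:
    """Opaque per-recipient token: an HMAC over (campaign, address), so the
    link reveals nothing about who received it and nobody without the secret
    can mint a valid token for someone else."""
    msg = f"{campaign}:{address}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def build_links(secret, recipients, campaign, base_url):
    """Return (token -> address, address -> tracked URL) for one campaign."""
    tokens, links = {}, {}
    for addr in recipients:
        tok = make_token(secret, addr, campaign)
        tokens[tok] = addr
        links[addr] = f"{base_url}/c/{tok}"
    return tokens, links


# Combined-log-format request line: only the tracked path and status matter.
LOG_RE = re.compile(r'"GET /c/([0-9a-f]{16})(?:\?[^ "]*)? HTTP/1\.[01]" (\d{3})')


def tally_clicks(log_lines, tokens, recipients):
    """Count distinct recipients who followed their link, grouped by department.
    Repeat clicks count once; unknown tokens (scanners, mistyped URLs) and
    non-200 responses are ignored."""
    clicked = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group(2) != "200":
            continue
        addr = tokens.get(m.group(1))
        if addr is not None:
            clicked.add(addr)
    by_dept = defaultdict(lambda: [0, 0])  # [clicked, sent]
    for addr, dept in recipients.items():
        by_dept[dept][1] += 1
        if addr in clicked:
            by_dept[dept][0] += 1
    return {dept: tuple(v) for dept, v in by_dept.items()}


def click_rate(report):
    """Overall fraction of recipients who clicked, for trending between rounds."""
    clicked = sum(c for c, _ in report.values())
    sent = sum(s for _, s in report.values())
    return clicked / sent if sent else 0.0


def run_demo():
    tokens, links = build_links(SECRET, RECIPIENTS, CAMPAIGN, BASE_URL)
    t = {addr: links[addr].rsplit("/", 1)[1] for addr in RECIPIENTS}
    # Constructed web-server log lines for the landing site (not real traffic).
    sample_logs = [
        f'203.0.113.7 - - [10/Mar/2010:09:14:02 +0000] "GET /c/{t["alice@example.com"]} HTTP/1.1" 200 512',
        f'203.0.113.7 - - [10/Mar/2010:09:14:40 +0000] "GET /c/{t["alice@example.com"]} HTTP/1.1" 200 512',  # second click, counted once
        '198.51.100.9 - - [10/Mar/2010:09:15:30 +0000] "GET /c/0123456789abcdef HTTP/1.1" 200 512',  # token never issued: ignored
        '198.51.100.9 - - [10/Mar/2010:09:15:31 +0000] "GET /c/zzzz HTTP/1.1" 404 0',  # malformed: ignored
        f'192.0.2.44 - - [10/Mar/2010:09:20:45 +0000] "GET /c/{t["carol@example.com"]}?src=mail HTTP/1.1" 200 512',
    ]
    return tally_clicks(sample_logs, tokens, RECIPIENTS)


if __name__ == "__main__":
    report = run_demo()
    for dept, (clicked, sent) in sorted(report.items()):
        print(f"{dept}: {clicked}/{sent} clicked")
    print(f"overall click rate: {click_rate(report):.0%}")
```

Run it once per campaign and keep the per-department numbers; the trend from one round to the next is the measure of the program, not any single employee's click. Rotate the secret per campaign so tokens from an old exercise cannot be replayed into a new one.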
Also, remember that the purpose of testing your program is not to embarrass employees or to get them into trouble. People are sensitive to being targeted in any way, so do whatever you can to foster a comfortable environment. That may mean being closely involved in the simulation so you are there to soothe hurt feelings.
And since improving the program is the whole point of testing, make sure to feed the lessons learned back into it.
However you go about it, remember that simply putting a security awareness program in place is not enough. Testing is necessary if you are going to strengthen that weakest link.