Security Awareness: A Few Key Indicators

Return to Security Metrics
Created by George Campbell, Security Executive Council Emeritus Faculty member

If your company thinks
Security is the owner of security-related business risk, get your résumé up to date! Business process owners’ awareness is a fundamental element in a security risk mitigation strategy. We are paid to understand the range and depth of risks confronting the business in its various environments, to build strategies to mitigate them, and to educate our constituents on their responsibilities.

To that end, Security must (1) develop a multi- dimensional security awareness program that incorporates a marketing and communication strategy focused on key areas of employee safety, corporate integrity and business process security and resiliency and (2) identify relevant areas of risk awareness that the targeted population should address.

If you expect key individuals and groups to conform to policy and procedures, you must use focused communication to ensure that they are aware of those requirements. So, what is Security’s brand at your company and to whom do you sell it? Think about it. You have products to sell to senior management, the Board, employees, partners, vendors and visitors. What is your tagline — your brand that guides and frames the message for your constituents? How are you “selling” accountability for business protection?

We have to craft messages that connect in actionable ways with the individuals and organizations responsible for business process integrity and continuity. Use your unique knowledge of and perspective on business and personal risk to design your mix of products and services. The challenge is to determine what risk management knowledge has to be passed on to whom. Seek out advice from your company marketing and communications departments. They can point your messages in highly productive directions.

Security awareness is measurable. Actionable measures and metrics for risk awareness may be derived from a variety of sources:

• Risk assessment findings provide qualitative data that needs to be fed back to appropriate business units to make them more aware of their accountability.

• Risk events and profiles identify unmanaged exposures that need to be communicated. You can determine the absence or degree of measureable improvement in risk exposure or conformance to policy by conducting follow-up testing of your awareness initiative to see how well the messages got across.

• Formal feedback surveys and interviews can identify the level of security awareness within targeted populations. A useful technique is to use the corporate intranet to quiz users and engage in random polling on risk or procedural responsibilities.

• Incident post mortems, lessons learned and victim interviews provide a rich source of information on gaps in security awareness.

• Security department customer satisfaction surveys can ask how well respondents understand Security’s messaging and how effective the communication media is.

• Policy audits, such as clean desk policy checks performed by evening shift security officers during rounds.

The graphic above provides several simple examples of key security awareness indicators. By using percentages of movement over time, you can easily measure improvement or decline. Do not neglect to measure the level of support that business unit management shows for awareness initiatives and corrective actions resulting from risk assessments.

Corporate security and brand protection is every employee’s job. The quality of your connection — your actionable messages — with them is a key element of security management.

Return to Security Metrics