Tracking Security Awareness KPIs

Effective Tools for Measuring Security Awareness

Program Impact, Tracking Workforce Behavior &
Proving Organizational Value

securityiq.infosecinstitute.com
Executive Summary Table of Contents

Hackers have leveraged security vulnerabilities as early as Security Awareness Training:

the 1980s to break into networks and capture data. Since A Powerful Risk Mitigation Tool 1
that time, attacks have increased in frequency, reach and
Assessing Security Awareness Training
sophistication. Organizations have answered this threat
Program Success with KPIs 2
by investing in security technologies, but a look at recent
headlines shows this effort is not enough. Using social Getting Started: Selecting Effective Security Metrics 3
engineering tactics like phishing, hackers have learned to
Nine Security Awareness KPIs to
circumvent security controls and access networks through
Track Program Impact 3
unassuming, underprepared employees.
SecurityIQ: Workforce Security Awareness
A comprehensive approach to information security is an
Training With Measurable Impact 4
organization’s best defense against security threats. This
includes investments in security technology and staff, Conclusion 5
security policy development and workforce security About InfoSec Institute 6
awareness training. But like all investments, we need to
prove a positive return to management. In this paper, we Sources 7
review the value of security awareness training and suggest
key performance indicators (KPIs) to help you demonstrate
program value to stakeholders.
 Comprehensive Security Education

SecurityIQ is an integrated security training program offering awareness training,

phishing simulations and dedicated client support in one platform. Together, these
tools will transform your workforce into guardians of critical data and infrastructure.
Our time-proven and science-backed approach helps your organization
reach sustained attack avoidance rates of up to 99%.

SecurityIQ is designed for flexibility and easy implementation in a variety

of settings. It easily integrates with Active Directory, and offers advanced
reporting tools for communication with executive teams.

AwareEd PhishSim Security Excellence

Security Awareness Training Anti-Phishing Simulation Integration, Support & Reporting

»» Secure LMS with interactive,
gamified learning, quizzes for
reinforcement and key summaries
»» Over 130 frequently updated modules,
driven by science-backed educational
methods selected for high performance
»» Customizable content for all audiences:
General, role-based, language,
compliance, time constrained,
industry and level of expertise
»» Includes over 200 threat templates
in multiple languages, continually
updated for just-in-time reporting
»» Programmed for progressive
degrees of difficulty (automated
or manual configuration)
»» Simulates a variety of attack
types, including phishing, spear-
phishing, data entry, attachment,
macros and USB planting
»» Dedicated Client Success Manager for
white-glove support, from installation
to day-to-day management
»» A 12-month delivery plan,
supplemented with posters,
newsletters, employee handbooks,
employee and executive
communications and event plans
»» Actionable performance analytics for
program evaluation, and “boardroom-
ready” performance reports for public
reporting, filings and risk evaluations
»» Security posture scorecarding for
benchmarking security risks by
organization, department and learner

866.471.0059 | securityiq@infosecinstitute.com securityiq.infosecinstitute.com

 Security Awareness Training:
A Powerful Risk Mitigation Tool

Security awareness training is a prerequisite for many international security

standards and regulations, including ISO 27000 series and PCI DSS. However,
an effective security awareness program also adds considerable value to your
organization’s security strategy. End point users are the weakest link in the
cybersecurity chain; the human element is often the primary cause of many severe
data breaches through simple mistakes like downloading malware to clicking links in
phishing emails. By teaching your workforce how to detect cyber threats, they will
be better equipped to prevent data breaches at your organization.

According to Verizon’s 2017 Data Breach Investigations Report, human error led to
28 percent of data breaches in 2016. Other findings include:

»» 43 percent of all breaches leveraged social attacks

»» 93 percent of social incidents occurred due to phishing
»» 28 percent of phishing breaches were targeted attacks
»» 51 percent of all breaches included malware
»» 66 percent of malware was installed through email attachments

Cyber criminals have humanized their hacking methods – and as the data shows,
it’s working. By exploiting common drivers of human behavior like eagerness,
distraction, curiosity and uncertainty, hackers can easily convince uninformed users
to share sensitive data or install malware. With so many security risks stemming
from human behavior, awareness training for your workforce can be an effective
tool in the prevention, detection and early reporting of security breaches.

Like most investments, security awareness training is only as good as the results
it generates. It’s important to objectively monitor the effectiveness and impact
of your program through metric-based tracking. Before launching your program,
establish program KPIs in collaboration with your organization’s stakeholders.
Defining training program success – and what metrics you will use to define it –
will align program objectives with business strategies. This will ensure continued
support and funding for your future training program initiatives.

Whitepaper: Tracking Security Awareness KPIs 1

 Assessing Security Awareness Training
Program Success with KPIs

Security awareness KPIs will help you measure the effectiveness of your training
program, identify gaps and drive change. Select measurable, meaningful and easy-
to-understand KPIs that align with the goals of the
organization and legislation. All KPIs should be easy to
implement and inexpensive to track – with a finite budget
Select measurable, meaningful and easy-to-
and resource pool, it’s important your management
understand KPIs that align with the goals of the
process is not burdensome.
organization and legislation.
Once KPIs are selected, define how to use them to create
meaningful performance scorecards that tell a story. It’s
helpful to define acceptable ranges for KPIs, as well as
milestones to reach and “tripwires” to trigger action when needed. Some KPIs
measure quantitative items (e.g., phishing rates); others can look at less tangible
indicators like risk ratings and surveys.

There are three compelling reasons to track program impact with KPIs:

1. You can’t manage what you cannot measure. In order to better administer
the security awareness program and justify its cost, find a good, objective
method to verify its effectiveness. Measurable results prompt acceptance,
support investments and justify change implementation when needed.

2. Track workforce behavioral changes overtime. KPIs can help demonstrate

how the program is affecting user behavior. Program effectiveness can be
measured by capturing data on changes in the way people react to threats,
such as the ability to recognize and avoid phishing attempts.

3. Prove value from training. Budget for training expenditures must be justified
to management. Getting funding for security technology is relatively simple
-- antivirus software is clearly effective in stakeholders’ minds – but securing
funding for security awareness training is often more challenging. Having
an evaluation plan and KPIs in place prior to program launch will help gain
management buy-in and financial support.

Whitepaper: Tracking Security Awareness KPIs 2

 Getting Started: Selecting Effective Security Metrics

Depending on your program’s objective, your choice of KPIs will vary. As noted
in the NIST publication Cyber Security Metrics and Measures, “effective security
metrics identify weaknesses, determine trends to better utilize security resources
and judge the success or failure of implemented security solutions.” Whatever KPIs
you select, make sure they help you answer key questions, both from a program
management perspective and from organizational stakeholders. These may include:

»» Is your security awareness program reducing operation costs?

»» How is your security awareness program helping mitigate security risks?
»» How is your security awareness program changing workforce behavior?

Nine Security Awareness KPIs to Track Program Impact

Once you’ve identified the questions your KPIs must address, it’s time to select your
program KPIs. Here are nine indicators to help you evaluate and measure security
awareness at your organization.

1. Policy acknowledgment: Every security awareness program should, at

minimum, communicate security policy requirements to staff. Tracking
employee policy acknowledgments will ensure your workforce is aware of
the policy, and helps the organization meet compliance requirements.

2. Phishing rate: You can measure phishing rates through phishing simulation
programs that track learners’ abilities to detect and avoid phishing emails. A
reduction in phishing rate overtime proves increased awareness of security
threats.

3. Attack detection: Track this metric by recording the amount of hacking

attempts detected and reported to your security team. Some security
awareness programs include an email plugin that allows your staff to report
suspicious emails and attachments, which can help inform this KPI.

4. Self-reported incidents: A quick response to a security incident can greatly

reduce damages from an attack. Your security awareness training should
teach your workforce what to do if they downloaded a malicious file or
clicked a phishing email. While the goal of your program should be to help
the workforce avoid attacks altogether, this metric will prove you have
safeguards in place in the event of a breach.

5. Number of security breaches: A reduction of breaches over time, especially

those related to human error, is a good indicator of program success.

Whitepaper: Tracking Security Awareness KPIs 3

 6. Audit hits: This is the number of items flagged for correction during a
security audit. Periodic internal and external audits are a good way to
evaluate your overall security strategy, including awareness training.

7. Program participation rates: Measuring program participation rates

gives great insight on training quality and engagement. Simply delivering
awareness training will “check the box” on a security
audit, but will not help you determine workforce
engagement. If your program participation rates are low,
Simply delivering awareness training will “check
consider changing program content or delivery method
the box” on a security audit, but will not help you
to increase engagement – and effectiveness.
determine workforce engagement.
8. Security health: This KPI can be presented as an
overall user behavior grade. To determine security
health, pick a sample of your workforce and monitor
their technology use. Tracking the number of security infections on
their machines, unauthorized downloads or browsing activity can help
gauge training retention. Assign weight to these behaviors to generate a
meaningful security health score for monitoring changes over time.

9. Cost of security breaches: For this KPI, specifically track the cost of incidents
caused by human error. Include related costs, such as those incurred through
incident response (tech support, public relations, etc.) and lost productivity.
This is an interesting metric that shows management a direct link between
awareness and cost reduction.

SecurityIQ: Workforce Security Awareness

Training With Measurable Impact

SecurityIQ is an integrated security training program offering awareness training,

phishing simulations and dedicated client support in one platform. Together, these
tools will transform your workforce into guardians of critical data and infrastructure.
Our science-backed approach to security education helps your organization reduce
phishing rates to as low as 1%.

The SecurityIQ platform features built-in analytics tools to help organizations assess
training effectiveness through a number of security awareness metrics. These
include phishing, detection rates and participation rates. It also features a helpful
policy distribution and acknowledgment tool, and allows program managers to gauge
learner performance at the individual, group, department or organizational level.

Whitepaper: Tracking Security Awareness KPIs 4


Phishing Simulations
Security Awareness Training
via gamified modules
Whitepaper: Tracking Security Awareness KPIs
SecurityIQ takes a two-pronged approach to security awareness training:
1. Phishing simulations: The SecurityIQ PhishSim phishing training and
simulation tool provides awareness training to teach employees how to
spot – and prevent – phishing attacks through real-world simulations. The
platform features realistic phishing tests and custom templates to effectively
train employees how to recognize and prevent malicious attacks perpetrated
through social engineering tactics.
2. Organizational security awareness. SecurityIQ’s AwareEd modules provide
awareness training for employees using engaging tactics like simulations,
quizzes and games. It teaches employees secure information technology
habits to help them combat cybersecurity threats. By simulating security
incidents, organizations can identify weakness and target training to
demonstrated needs.
SecurityIQ can be used as a ready-made training curriculum, or customized to build
specific learning curricula in any combination. It includes hundreds of phishing
templates and modules in several languages that are targeted to specific roles
and industries. Metrics are automatically collected through the system through
SecurityIQ Analytics to support continued investment in security awareness
education.
Conclusion
Security awareness training KPIs can inform your program management process
from development to evaluation. Selecting program KPIs that gauge program
impact while linking outcomes to business objectives will help you secure and
maintain support for ongoing training initiatives. Security needs change constantly,
and so should your training program content. Having data-backed insights into
your program’s effectiveness will allow you to make changes as needed to mitigate
security risks across your entire organization.
5
 About InfoSec Institute
InfoSec Institute, founded in 1998, provides award-
winning security awareness and training solutions. We
deliver certification-based training courses for security
professionals and enterprise-grade security awareness and
phishing training for businesses, agencies and institutions
of all sizes. Rooted deeply in science-backed education
methods that achieve measurable results, our security
solutions fortify your organization against harmful and
expensive security threats. Our mission is to transform the
largest information security risk — your workforce —
into your strongest line of defense.

infosecinstitute.com

Whitepaper: Tracking Security Awareness KPIs 6

Sources

1. Cyber Security Metrics and Measures, NIST

2. The Components of Top Security Awareness Programs, InfoSec Institute

3. The Role of Scorecards and Dashboards in Performance Management, ThomasNet

4. Use metrics to measure and improve security awareness, PhishMe

5. InfoSec Book Excerpt: Security Metrics – Chapter 17, InfoSec Institute

6. 10 Tips to Embed Positive Information Security Behaviors in Employees, CIO

7. Security Awareness Metrics: Measure What Matters - Part 1, Native Intelligence

8. Measuring Security Awareness Program Results, SANS

9. Information Security Awareness Program – What is the Key to Make it a Success?, SecureReading

10. New SmartKPIs.com Report Ranks the Top IT Security KPIs of 2011-2012, The KPI Institute

11. Verizon’s 2017 Data Breach Investigations Report, Verizon

12. Tabletop Exercises, Washington State Office of CyberSecurity

© 2017 InfoSec Institute, Inc. All rights reserved.

Is Your Workforce Aware?

Try our security awareness training platform, SecurityIQ, for free! Sign
up for a 30-day trial to see how you can prepare your workforce with
security awareness education and anti-phishing simulations in one
automated, easy-to-use platform!

Sign up for your free demo!

Whitepaper: Tracking Security Awareness KPIs 7