In a new blog post from Scott Greaux, VP of PhishMe, the ways organisations can use metrics to measure and improve security is discussed.
Greaux states that:
– Most security awareness programs fail to gather metrics. Those that do typically measure inputs instead of outputs. What this means is that many teams are measuring items such as the number users who complete a CBT course or attended a lunch instead of the number of incidents related to a specific IT risk area.
– Metrics measuring overall vulnerability to phishing emails are useful as a baseline to assess your readiness for a phishing attack, but offer much more insight. By measuring your susceptibility after each security awareness exercise you conduct, it gives you perspective of which concepts are working and which ones aren’t, allowing you to refine your techniques to improve the program.
– Metrics that tell you which users are most knowledgeable about security can aid in incident response, if you encourage users to report potential security incidents or suspicious activity.
The full post can be found at the following link: http://phishme.com/use-metrics-measure-improve-effectiveness-security-awareness/