As Chief Information Security Officers (CISOs), the responsibility of protecting your organisation from security threats falls heavily on your shoulders. While technological safeguards play a crucial role, the human element in security can have a detrimental impact. Employees can be a significant source of risk, whether through unintentional mistakes, negligence, or targeted attacks. Accordingly, implementing metrics within your security awareness programmes is critical in managing human risk. This blog post aims to identify some key metrics that can aid in mitigating human risk and strengthening your organisation’s security.

1. Phishing Resilience Rate

Phishing attacks continue to be one of the most common and successful attack vectors employed by cybercriminals. These attacks rely on exploiting human vulnerability through social engineering techniques. Monitoring the phishing resilience rate helps gauge the effectiveness of your organisation’s security awareness program. This metric measures the percentage of employees who successfully detect and report simulated or real phishing attempts. A higher resilience rate signifies a well-informed workforce with the ability to identify and respond to phishing threats, reducing the likelihood of successful attacks.

2. Security Awareness Training Completion Rate

Establishing a security-conscious culture within your organisation requires ongoing security awareness training for employees. Tracking the completion rate of security awareness training modules provides insights into employee engagement and commitment to security best practices. This metric helps CISOs identify potential gaps in training coverage, address knowledge deficiencies, and reinforce the importance of security awareness throughout the organisation. A high completion rate indicates a workforce that is proactive in developing their security knowledge and skills.

3. Incident Response Time

Human errors and lapses in judgment can lead to security incidents. Monitoring incident response time allows CISOs to assess the efficiency of their organisation’s incident response team in addressing and mitigating security incidents. This metric should encompass the time taken to detect, investigate, contain, and remediate security incidents. By reducing incident response time, CISOs can minimise the potential impact of breaches and vulnerabilities, ensuring a swift and effective response to security incidents.
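A worked example, added here and not part of the original post, showing how the phishing resilience rate (section 1) and the per-phase incident response time (section 3) can be computed from records. The sample rows are constructed; the field names (`occurred_at`, `detected_at`, and so on) and the choice to count an employee as resilient only if they reported the lure without clicking it are assumptions for illustration, not a definition from the post.

```python
"""Human-risk metrics from constructed sample records (added example)."""
from datetime import datetime
from statistics import mean

# Constructed phishing-simulation results: one row per employee (assumed schema).
PHISHING_SIM = [
    {"employee": "alice", "clicked": False, "reported": True},
    {"employee": "bob",   "clicked": True,  "reported": False},
    {"employee": "carol", "clicked": False, "reported": False},
    {"employee": "dave",  "clicked": True,  "reported": True},   # clicked, then reported
    {"employee": "erin",  "clicked": False, "reported": True},
]


def phishing_resilience_rate(results):
    """Percentage of employees who reported the lure without clicking it.

    Click and report rates are returned alongside it: a low click rate with a
    low report rate still means the security team hears nothing.
    """
    total = len(results)
    if total == 0:
        return {"resilience_pct": 0.0, "click_pct": 0.0, "report_pct": 0.0}
    resilient = sum(1 for r in results if r["reported"] and not r["clicked"])
    clicked = sum(1 for r in results if r["clicked"])
    reported = sum(1 for r in results if r["reported"])
    return {
        "resilience_pct": round(100 * resilient / total, 1),
        "click_pct": round(100 * clicked / total, 1),
        "report_pct": round(100 * reported / total, 1),
    }


# Each phase is the interval between two timestamps on the incident record
# (assumed field names): detect, investigate, contain, remediate.
PHASE_CHAIN = [
    ("occurred_at", "detected_at", "detect"),
    ("detected_at", "investigated_at", "investigate"),
    ("investigated_at", "contained_at", "contain"),
    ("contained_at", "remediated_at", "remediate"),
]

# Constructed incident records; INC-3 is still open (no remediated_at).
INCIDENTS = [
    {"id": "INC-1", "occurred_at": "2024-03-01T09:00", "detected_at": "2024-03-01T10:30",
     "investigated_at": "2024-03-01T12:00", "contained_at": "2024-03-01T14:00",
     "remediated_at": "2024-03-02T09:00"},
    {"id": "INC-2", "occurred_at": "2024-03-05T08:00", "detected_at": "2024-03-05T08:15",
     "investigated_at": "2024-03-05T09:00", "contained_at": "2024-03-05T09:30",
     "remediated_at": "2024-03-05T17:30"},
    {"id": "INC-3", "occurred_at": "2024-03-10T22:00", "detected_at": "2024-03-11T07:00",
     "investigated_at": "2024-03-11T08:00", "contained_at": "2024-03-11T10:00",
     "remediated_at": None},
]


def phase_durations_hours(inc):
    """Hours spent in each phase; None for a phase the incident has not reached."""
    out = {}
    for start, end, name in PHASE_CHAIN:
        if inc.get(start) is None or inc.get(end) is None:
            out[name] = None
            continue
        delta = datetime.fromisoformat(inc[end]) - datetime.fromisoformat(inc[start])
        if delta.total_seconds() < 0:
            # Timestamps out of order point to a data-quality problem, not a fast response.
            raise ValueError(f"{inc['id']}: {end} precedes {start}")
        out[name] = delta.total_seconds() / 3600
    return out


def incident_response_summary(incidents):
    """Mean hours per phase across closed phases, plus the ids of open incidents.

    Open incidents are excluded from the remediate mean rather than counted as
    zero, so the mean is not flattered by work that has not finished.
    """
    per_phase = {name: [] for _, _, name in PHASE_CHAIN}
    open_incidents = []
    for inc in incidents:
        for name, hours in phase_durations_hours(inc).items():
            if hours is not None:
                per_phase[name].append(hours)
        if inc.get("remediated_at") is None:
            open_incidents.append(inc["id"])
    summary = {name: (round(mean(v), 2) if v else None) for name, v in per_phase.items()}
    summary["open_incidents"] = open_incidents
    return summary


if __name__ == "__main__":
    print(phishing_resilience_rate(PHISHING_SIM))
    print(incident_response_summary(INCIDENTS))
```

Reporting the phase breakdown rather than a single end-to-end number is what makes the metric actionable: a long detect phase points at monitoring and employee reporting, a long remediate phase at the fix process.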

4. Policy Compliance Rate

Policies and procedures serve as guidelines for employees to follow, ensuring a secure work environment. Measuring the policy compliance rate helps CISOs assess the extent to which employees adhere to established security policies. A higher compliance rate indicates a workforce that understands and complies with security protocols, reducing the risk of non-compliance-related security incidents. This metric provides valuable insights into the effectiveness of security policy communication, training, and enforcement.

5. Employee Security Satisfaction

Employee feedback is fundamental to any campaign that works to change intentions, attitudes and behaviour. Employee satisfaction with security measures is an often-overlooked metric but plays a crucial role in managing human risk. Conducting periodic surveys or gathering feedback from employees can help gauge their perception of the organisation’s security practices and their level of satisfaction. High employee security satisfaction indicates a positive security culture and a reduced likelihood of employees engaging in risky behaviours or seeking alternative, less secure solutions. This metric can guide CISOs in identifying areas for improvement and implementing changes that align with employee expectations and security needs. Another useful metric in this area is the Net Promoter Score (NPS) which helps to evaluate how employees perceive the security initiatives and whether they feel they fulfil the purpose they are intended for.

6. pAth Human Factors Assessment

pAth (Project Athena) insider risk measurement focuses on situational judgement tests that go far beyond technical measurement and self-reported questionnaires. They enable identification and monitoring of risk right from the recruitment and selection stage, and on a routine basis, to assess your human factors environment as a sort of health check. This works to prevent counterproductive behaviour and to recruit for security values that align with your organisational values and culture. This metric is an extremely useful addition to an Insider Threat Programme.

7. Psychometrics

Psychometrics can help you to:

Measure the impact of your initiatives and campaigns on behaviour change and attitudes towards security
Measure the security culture maturity of your organisation
Monitor and manage insider risk
Identify security promoters and detractors objectively to assist with ambassador and champion programmes
Conduct training needs analysis to remove the need for generic training
Identify high-risk areas of the business in terms of human factors vulnerability
Measure whether your workforce perceive that security teams offer a service that meets their expectations (Net Promoter Score)

Overall, as CISOs, managing human risk in security is a critical aspect of protecting your organisation’s valuable assets and sensitive data. By leveraging the power of metrics, you can gain valuable insights into employee behaviour, awareness, and overall security posture. The metrics discussed in this blog post, including phishing resilience rate, security awareness training completion rate, incident response time, policy compliance rate, and employee security satisfaction, provide a solid foundation for managing human risk effectively. Most importantly, employees need to be given a fair chance to practise behaviour and be measured in a safe environment without discrimination or subjective assumptions. By continuously monitoring and analysing these metrics, CISOs can make informed decisions, address vulnerabilities, and build a resilient security posture that mitigates human-related security risks.