Security awareness is the primary control against social engineering, hence this is an essential core topic for the awareness program. Making managers aware of how they might measure [the risks and controls relating to] social engineering is the purpose of this awareness paper.
The paper illustrates how elaborating on the control objectives helps to identify relevant security metrics. For example, the objective to 'make the entire workforce aware of social engineering' suggests the need to measure the security awareness program's coverage.
The paper identifies just three security awareness metrics. There is nothing special about those particular metrics, and they are certainly not the only ways to measure awareness. It is deliberately left as an exercise for the reader to determine firstly whether it might indeed be worth measuring coverage of the awareness program, and if so secondly how best to do that.
By the way, in conjunction with fellow author Walt Williams, I'm currently developing a new information security awareness maturity metric in the same style as the maturity metrics in the book. It should be ready to publish later this month. Watch this space!
Kind regards,
Gary
Gary
No comments:
Post a Comment
Have your say!