Metrics and Measures

Abstract

Every security initiative, including awareness programs, should be collecting metrics so that the effect of the program can be understood and the impacts of changes to the program can be tracked. Unlike measuring technical controls, measuring the effects of a security awareness program can be tricky, and as a result, few trainers track the long-term effectiveness of their awareness programs (Ponemon-SATrends-2014). According to a 2014 Ponemon study, the most common methods organizations use to track training impact is to measure the user’s knowledge right after training or to run user satisfaction surveys. While these metrics can be useful and easy to collect and measure over time, there are many other metrics that could also be considered. Unfortunately, not all metrics can be objectively measured, and the leaders of each organization need to determine which metrics will be informative for them in their unique situation. This makes defining and collecting metrics a mix of art and science. Despite the subjective nature of the problem, there are methods of gathering useful metrics that your organization can use to track the ongoing effectiveness of your security awareness program.