Use metrics to measure and improve security awareness

It’s no secret that data is revolutionizing industries. Baseball managers have applied data to buck century-old beliefs about strategy (think Moneyball), anyone who has ever used knows that data has transformed retail, local law enforcement analyzes data to predict crime, and scientists are even using data to stop the spread of infectious diseases.

Most security awareness programs fail to gather metrics. Those that do typically measure inputs instead of outputs. What this means is that many teams are measuring items such as the number users who complete a CBT course or attended a lunch instead of the number of incidents related to a specific IT risk area. This is akin to looking at the number of times I visit a dentist each year instead of the number of dental incidents (cavities, root canals, etc.) and using that data as an indicator of good dental health.