Comprehensive Software Reviews to make better IT decisions
ISACA and InfoSec Institute Produce Whitepaper on Using Marketing Techniques and Metrics for Improved Security Awareness Programs
ISACA has partnered with InfoSec Institute to produce a whitepaper on leveraging marketing techniques and metrics to improve security awareness. This is a valuable resource that contains universally applicable information.
ISACA released the whitepaper March 13 as a resource for building security awareness campaigns. The paper begins with a look at common challenges for security awareness and training programs, and how some marketing techniques like Sales Funneling, Creating Personas, and Purchase Intention can be leveraged to face these challenges.
The second part of the paper discusses best practices for building a security awareness program. This includes briefing outlining metrics (that appear to be inspired by marketing campaigns) that can be effective at measuring the success and effectiveness of security awareness programs.
This is not the first time these two organizations have partnered with each other. In addition to collaborating to produce whitepapers and webinars, ISACA training content for IT professionals is available through InfoSec Institute. This training is a complement to the end-user-focused training from InfoSec’s content library. Often we have requests from our members for lists of vendors who offer this more advanced training for IT staff, in addition to general training for the rest of the organization.
The most valuable part of the whitepaper is that relating to metrics. Reporting is a commonly discussed topic when speaking to our members about finding a security awareness and training vendor. Before signing with a vendor, you must be sure that they are able to provide the metrics that you care about the most. Below are some of the metrics outlined by ISACA and InfoSec, with our take applied to each:
- Reach: The number of people receiving security awareness and training in any capacity. This metric is usually determined first, before the training campaign has begun. Estimates may be necessary for certain types of training (e.g. posters).
- Questions to Ask a Vendor: Vendors would not provide metrics here – it will be up to you and your team to determine the reach of your program before each consecutive campaign deployment.
- Views/Hits: The number of times that a training resource has been accessed by end users. This could include landing pages for users who click links embedded in mock phishing emails, intranet training resources, CBT training resources, and sent mock phishing emails.
- Questions to Ask a Vendor: Does the vendor provide metrics around the number of mock phishing emails that were opened, or the number of times a landing page on their LMS that is accessible to end users was accessed?
- Engagement: The length of time a user engages with a training resource. Again, some of these will require estimates (e.g. posters).
- Questions to Ask a Vendor: Does the vendor provide time-based metrics for any of the resources that they offer? This could include metrics around disengagement (e.g. the amount of time between training assignment and training completion).
- Completion: The number of end users who have completed a training resource. This is a common reporting metric provided by vendors.
- Questions to Ask a Vendor: Does the vendor provide completion metrics beyond simple participation rates? This could include reported mock phishing emails, completed feedback surveys, and completion-by-group metrics.
Want to Know More?
Oracle reported slightly better-than-expected Q2 FY20 results, but despite substantial revenue numbers and high growth areas such as Oracle Cloud, Fusion ERP, and Autonomous Database, it’s unclear when these market segments will accelerate revenue growth materially.
Manual testing still has its merits today. However, it is often viewed as laborious and time consuming. Testpad simplifies this experience.
Ansible from RedHat has steadily gained market share since its introduction and has now surpassed its two main rivals (underscoring how quickly things change in DevOps). Will Ansible push Chef and Puppet out of the open-source configuration management tool market?
Microsoft continues to expand its integration with third-party tools for Azure DevOps. The latest plugin is for Octopus Deploy, a software configuration management tool with a 1.2% market share. Azure DevOps and Octopus Deploy work together to present users better visibility into their software pipelines, all the way from idea to production.
Azure DevOps has expanded its ecosystem of utility tools to include Tasktop, an integration plugin that connects Jira to Azure DevOps. Tasktop allows bi-directional synching of information (like user stories, priorities, tasks, etc.) with one-click actions, without having to leave the system they are working in (Azure DevOps or Jira).
The team at Rally Software (now a Broadcom company) has introduced several enhancements to their UI, Team Board, and is testing new integration.
The Ionic Framework is an open-source SDK that builds on popular standardized web technologies. Developers can use this toolkit to build hybrid mobile applications across multiple platforms.
Cisco is beginning to lose patience with its Zoom interoperability after another Zoom security risk: access for the Zoom Connector for Cisco hosted on zoom.us did not require authentication, allowing external users to join a Zoom meeting without password credentials.
On October 30, 2019, KnowBe4, a leader in the end-user security training space, was awarded Federal Risk and Authorization Management Program (FedRAMP) approval from the US federal government.