ISACA and InfoSec Institute Produce Whitepaper on Using Marketing Techniques and Metrics for Improved Security Awareness Programs
ISACA has partnered with InfoSec Institute to produce a whitepaper on leveraging marketing techniques and metrics to improve security awareness. This is a valuable resource that contains universally applicable information.
ISACA released the whitepaper March 13 as a resource for building security awareness campaigns. The paper begins with a look at common challenges for security awareness and training programs, and how some marketing techniques like Sales Funneling, Creating Personas, and Purchase Intention can be leveraged to face these challenges.
The second part of the paper discusses best practices for building a security awareness program. It includes a brief outline of metrics (which appear to be inspired by marketing campaigns) that can be effective at measuring the success and effectiveness of security awareness programs.
This is not the first time these two organizations have partnered with each other. In addition to collaborating to produce whitepapers and webinars, ISACA training content for IT professionals is available through InfoSec Institute. This training is a complement to the end-user-focused training from InfoSec’s content library. Often we have requests from our members for lists of vendors who offer this more advanced training for IT staff, in addition to general training for the rest of the organization.
The most valuable part of the whitepaper is the section on metrics. Reporting is a commonly discussed topic when speaking to our members about finding a security awareness and training vendor. Before signing with a vendor, you must be sure that they are able to provide the metrics that you care about the most. Below are some of the metrics outlined by ISACA and InfoSec, with our take applied to each:
- Reach: The number of people receiving security awareness and training in any capacity. This metric is usually determined first, before the training campaign has begun. Estimates may be necessary for certain types of training (e.g. posters).
  - Questions to Ask a Vendor: Vendors would not provide metrics here – it will be up to you and your team to determine the reach of your program before each consecutive campaign deployment.
- Views/Hits: The number of times that a training resource has been accessed by end users. This could include landing pages for users who click links embedded in mock phishing emails, intranet training resources, CBT training resources, and sent mock phishing emails.
  - Questions to Ask a Vendor: Does the vendor provide metrics around the number of mock phishing emails that were opened, or the number of times a landing page on their LMS that is accessible to end users was accessed?
- Engagement: The length of time a user engages with a training resource. Again, some of these will require estimates (e.g. posters).
  - Questions to Ask a Vendor: Does the vendor provide time-based metrics for any of the resources that they offer? This could include metrics around disengagement (e.g. the amount of time between training assignment and training completion).
- Completion: The number of end users who have completed a training resource. This is a common reporting metric provided by vendors.
  - Questions to Ask a Vendor: Does the vendor provide completion metrics beyond simple participation rates? This could include reported mock phishing emails, completed feedback surveys, and completion-by-group metrics.