Comprehensive software reviews to make better IT decisions
ISACA and InfoSec Institute Produce Whitepaper on Using Marketing Techniques and Metrics for Improved Security Awareness Programs
ISACA has partnered with InfoSec Institute to produce a whitepaper on leveraging marketing techniques and metrics to improve security awareness. This is a valuable resource that contains universally applicable information.
ISACA released the whitepaper March 13 as a resource for building security awareness campaigns. The paper begins with a look at common challenges for security awareness and training programs, and how some marketing techniques like Sales Funneling, Creating Personas, and Purchase Intention can be leveraged to face these challenges.
The second part of the paper discusses best practices for building a security awareness program. This includes briefing outlining metrics (that appear to be inspired by marketing campaigns) that can be effective at measuring the success and effectiveness of security awareness programs.
Our Take
This is not the first time these two organizations have partnered with each other. In addition to collaborating to produce whitepapers and webinars, ISACA training content for IT professionals is available through InfoSec Institute. This training is a complement to the end-user-focused training from InfoSec’s content library. Often we have requests from our members for lists of vendors who offer this more advanced training for IT staff, in addition to general training for the rest of the organization.
The most valuable part of the whitepaper is that relating to metrics. Reporting is a commonly discussed topic when speaking to our members about finding a security awareness and training vendor. Before signing with a vendor, you must be sure that they are able to provide the metrics that you care about the most. Below are some of the metrics outlined by ISACA and InfoSec, with our take applied to each:
- Reach: The number of people receiving security awareness and training in any capacity. This metric is usually determined first, before the training campaign has begun. Estimates may be necessary for certain types of training (e.g. posters).
- Questions to Ask a Vendor: Vendors would not provide metrics here – it will be up to you and your team to determine the reach of your program before each consecutive campaign deployment.
- Views/Hits: The number of times that a training resource has been accessed by end users. This could include landing pages for users who click links embedded in mock phishing emails, intranet training resources, CBT training resources, and sent mock phishing emails.
- Questions to Ask a Vendor: Does the vendor provide metrics around the number of mock phishing emails that were opened, or the number of times a landing page on their LMS that is accessible to end users was accessed?
- Engagement: The length of time a user engages with a training resource. Again, some of these will require estimates (e.g. posters).
- Questions to Ask a Vendor: Does the vendor provide time-based metrics for any of the resources that they offer? This could include metrics around disengagement (e.g. the amount of time between training assignment and training completion).
- Completion: The number of end users who have completed a training resource. This is a common reporting metric provided by vendors.
- Questions to Ask a Vendor: Does the vendor provide completion metrics beyond simple participation rates? This could include reported mock phishing emails, completed feedback surveys, and completion-by-group metrics.