Read the book Security Awareness For Dummies - Ira Winkler - Page 16

Establishing and measuring goals

The ultimate goal of a security awareness program is to change and improve security-related behaviors. Security programs are created to reduce loss. As an essential part of an organization’s overall information security program, security awareness should likewise reduce loss.

In Chapter 8, I discuss some metrics you can use to judge whether your awareness program successfully reduces loss. Many security awareness professionals talk about the likeability of their tools, the number of people who show up to their events, and the quality of their posters. These metrics and general impressions are nice to know, but they’re relatively useless from a practical perspective.

A metric demonstrating that you’re changing behaviors in a way that reduces loss, or preferably improves efficiency and makes the organization money, is the most useful metric to show that you’re producing value. This isn’t to say that it’s the only possible benefit of a security awareness program. Awareness programs also often provide intangible benefits to the organization. These benefits include protecting the organization from damage to its reputation, illustrating that the organization is committed to security, generating excitement and engagement among employees, and reassuring customers that your organization is actively protecting them.

If your goal is to contribute to your organization’s security effort, you must identify the benefits your program will bring to the organization. These benefits can’t be that the program merely provides information. The program should improve behaviors. You must be able to show how the program returns clear value to your organization, and ideally that value should be visible on the bottom line.
