31st March 2020
In order to train and improve the security awareness of employees over the long term, 5 steps should be followed to build and maintain a cyber security culture. In the course of this blog series, we introduce you to these 5 steps, including specific tactics that will lead to success. Part 3 examines the aspect of measuring and tracking changes when building a cyber security culture.
Many companies face the challenge of establishing a security culture in the enterprise and implementing security awareness measures, without knowing whether these measures are being carried out by the employees and whether the security culture is becoming an integral part of life at work. Other companies are unclear about the level of security awareness of their employees.
To measure the current state of a security culture and of security awareness, we have developed a solution that has been helping companies to determine how “secure” their employees are, since 2005. The Security Awareness Radar® describes and measures the organizational behavior of a company over time and thus also allows changes to be made visible and comparisons to be made. In this article, you will find out what the Security Awareness Radar® is and how it works.
Measuring the status of a security culture means determining the behavior of employees. This is necessary if you want to strengthen and promote your security culture. But the question then is, how do you make this ongoing process visible? How can you measure and monitor both information security and the measures that are being implemented? Many companies find this difficult. They implement security awareness measures, but do not know how cost-effective they are, i.e. whether the measures have brought about a change in behavior. Yet this information is needed to receive support and funds from different levels of management. Determining the cost of a campaign is not difficult, but establishing its usefulness and success is another matter. These latter items only become visible in the changes in behavior (1). For example, a phishing test allows the behavior of employees to be checked for phishing. However, this is not enough to know how an organization is developing. For this, behavior in general must be observed more comprehensively. What then are the metrics to choose to measure behavior?
Of course, organizations can define their measurement criteria and carry out measurements themselves. However, this requires specific expertise that is often not available. Lack of time is also largely responsible for preventing good ideas and plans from being implemented.
TreeSolution has developed a scientifically based measuring instrument to meet this challenge by measuring and making security awareness in companies visible.
This instrument is an online questionnaire that can be filled in anytime, anywhere. The survey can be done initially to evaluate the state of security in the company. It can also be used as a recurring tool for checking the change in behavior over time.
The questionnaire addresses topics at organizational, group and individual levels and provides suitable improvement measures. These can be integrated smoothly into an ISO 27001-based information security management system (ISMS). The appropriate ISO 27001 reference is given for each measure.
The survey targets various parameters. Among other things, there are questions on the value system, knowledge and perception of employees in relation to information security. The strengths and weaknesses of a security culture are shown before and after the implementation of measures. In this way, the areas of awareness, behavior and culture are covered and clearly presented in the evaluation. If a company carries out recurring surveys, changes can be tracked over the longer term.
With continuous comparability of security awareness, gap analysis shows where a company is today and where it needs to be tomorrow.
The method has been tested scientifically and in practice and is suitable for any size of company. Thanks to years of experience, the measures are effective and can be implemented.
The nature and number of the questions to be sent to the employees are defined together with the customer. If required, the survey template is customized with the customer's corporate design to increase the sense of familiarity for the employees. In-house vocabulary is also used for departments, areas and terms.
After the questionnaire has been created, it is sent to selected employees. The selection can be the whole company or just certain departments. The survey is anonymous and does not allow any conclusions to be drawn about the participants. If the departments are too small or if insufficient questionnaires are answered within a department, the questions are assigned to the department at the next level up. The employees can respond to the survey on their computers, making it independent of time and location. Depending on the number of questions, the survey takes 10-15 minutes.
After the survey is completed, TreeSolution evaluates it and the results are made available.
The measures for improvement are then planned together with the customer. The first step is to define what the information security culture should look like. Based on this, the customer decides which aspects of the information security culture should be maintained, improved or completely changed (the gap analysis). The target groups are defined, and the appropriate tools and measures are selected and prioritized. Improvement and planning are also supported by the powerful and automated processes of our Security Awareness Radar®.
The first employee survey assesses the initial situation. With regular repetition, the results show changes in the information security culture and help to justify investments. However, this means that most of the questions must be kept constant.
The aim of the survey is to measure the current state of the security culture. It must determine the weakest link in the information security culture and enable the resolution of this weakness as a priority.
If the survey is repeated regularly, changes in security behavior can be made visible.
When selecting the questions, at least two questions per domain should be selected so that a statement can be made about the behavior in this area.
For the survey to remain anonymous, the organizational evaluation should not be too granular, so that no conclusions can be drawn about individual people.
It is also important to avoid the use of “vanity metrics”. These are metrics such as the number of service desk tickets or the number of trained employees in a year. Unfortunately, such metrics say nothing about the behavior of employees and should not be the only measurement parameters. Of course, they can be specified as ancillary information in reports.
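To make the aggregation rules above concrete (a respondent is never reported in a group that is too small to stay anonymous, small departments are rolled up to the next level, and a domain score is only reported when at least two questions cover it), here is an added illustration that is not TreeSolution's code; the organisation tree, the threshold of five respondents and the survey responses are constructed for the example:

```python
from collections import defaultdict
from statistics import mean

MIN_RESPONDENTS = 5           # assumed anonymity threshold per reported group
MIN_QUESTIONS_PER_DOMAIN = 2  # guideline: at least two questions per domain

# Constructed org tree: department -> parent department (None = top level)
ORG = {"Company": None, "Finance": "Company", "Payroll": "Finance", "IT": "Company"}

def _answers(rid, dept, s):
    """Constructed answers of one employee: two phishing questions, one password question."""
    return [(rid, dept, "phishing", "q1", s[0]), (rid, dept, "phishing", "q2", s[1]),
            (rid, dept, "passwords", "q3", s[2])]

RESPONSES = (_answers("p1", "Payroll", (2, 3, 4)) + _answers("p2", "Payroll", (3, 3, 5))
             + _answers("f1", "Finance", (4, 4, 2)) + _answers("f2", "Finance", (4, 5, 3))
             + _answers("f3", "Finance", (5, 4, 3))
             + sum((_answers(f"i{n}", "IT", (4, 4, 4)) for n in range(1, 6)), []))

def ancestors(dept):
    """Yield dept, its parent, ... up to the top-level entry."""
    while dept is not None:
        yield dept
        dept = ORG[dept]

def reporting_group(dept, respondents_by_group):
    """Smallest unit in dept's chain with enough respondents to stay anonymous."""
    for unit in ancestors(dept):
        if len(respondents_by_group[unit]) >= MIN_RESPONDENTS:
            return unit
    return None  # even the whole company is below the threshold

def evaluate(responses):
    """Return {group: {domain: mean score}} honouring both guidelines."""
    respondents_by_group = defaultdict(set)
    for rid, dept, *_ in responses:
        for unit in ancestors(dept):          # a respondent counts for every ancestor
            respondents_by_group[unit].add(rid)
    scores, questions = defaultdict(list), defaultdict(set)
    for rid, dept, domain, qid, score in responses:
        group = reporting_group(dept, respondents_by_group)
        if group is None:
            continue                          # never report an identifiable group
        scores[(group, domain)].append(score)
        questions[(group, domain)].add(qid)
    report = defaultdict(dict)
    for (group, domain), vals in scores.items():
        if len(questions[(group, domain)]) >= MIN_QUESTIONS_PER_DOMAIN:
            report[group][domain] = round(mean(vals), 2)
    return dict(report)
```

With this data the two Payroll respondents are merged into Finance, and the "passwords" domain is withheld everywhere because it is covered by a single question.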
The customer and the specific requirements for the customer’s organization are our starting point for measurements with the Security Awareness Radar®. This means that the survey and the results will look different for each company. No company and no information security culture are like any other. The Security Awareness Radar® takes this into account.
Thanks to benchmarking settings, a company can anonymously compare its results with industries and companies of similar size. Strengths and weaknesses can be identified quickly and clearly by comparison with the benchmark, and corresponding improvement measures can be planned. On the one hand, there is an overall comparison with other industries; on the other hand, each individual survey domain can be compared with the company's own results and with the best and worst results from the industry being compared.
You can also compare departments, branches or employee categories within your own company.
The survey is a step towards making information security in a company a part of everyday business and a part of daily life in the workplace for all employees. Security awareness can be increased with the Security Awareness Radar® thanks to the optimal evaluation of before and after measurements.
Daniel Graf from the IT control body of the federal ISB says: «The Security Awareness Radar® check-up survey provided us with insights that helped us better plan future investments and campaigns. The collaboration with TreeSolution gave us security-relevant input, which we were able to implement immediately.»
As already mentioned, any company is free to develop and carry out a measurement of its security awareness by itself. It just needs to have both the know-how and the time. However, if one or even both these resources are missing, companies are better advised to work with a professional service provider. The subsequent implementation of measures can be done by the company, or again by using professional support. TreeSolution is happy to provide conceptual advice and consulting support with discretion for each customer.
1) Informationssicheres Verhalten automatisiert messen, paragraph 1. https://www.researchgate.net/publication/327572560_Informationssicheres_Verhalten_automatisiert_messen