Measure Results Now!

“What doesn’t get measured, doesn’t get managed.”

 – Peter F. Drucker, Leader in Management Education

Organizations that make a point to gather analytics and data, set meaningful metrics for their security awareness programs, and measure results are ahead of the curve and the competition. Why do some organizations lag in this area, while others succeed?

Companies are failing on the security front due to a lack of measurement – leaders in IT security find it challenging to measure and report on employees’ behavioral progress. When you collect metrics, you not only measure the effectiveness of your security awareness program, but also create the opportunity for continuous improvement and better security. Indeed, without consistent measurement, how can you expect to demonstrate performance?

Taking the time to quantify the effectiveness of security awareness procedures and present this information on a granular level ensures better understanding and appreciation for the security function within your organization.

As your information security program matures, it is possible to better document standard processes. When we continuously implement security awareness programs, we collect a greater quantity of data, which can later be used to measure results. Measurement needs to be conducted on a continuous basis.

Let us explore four indicators that are worth measuring to achieve a successful security awareness training program.

Number of Email Breaches Avoided or Detected

According to the Cyber Incident & Breach Trends Report from the Online Trust Alliance (OTA), the number of reported breaches in 2017 has increased to 160,000 incidents. The Identity Theft Resource Center (ITRC) and CyberScout’s 2017 Annual Data Breach Year-End Review put the increase at nearly 45%.

It is not easy to detect incidents, as cyberattacks are increasingly sophisticated. However, if we quantify the total number of breaches in relation to the quantity – and types – of breaches that were avoided, it becomes possible to detect and anticipate future attacks and areas of vulnerability. When we gather data on the number of breaches that occur in an organization, it becomes possible to avoid and detect them prior to their occurrence.

New Types of Attacks, Identified

You can start measuring re and trends by staying on top of the security threats that are most common in your environment – from ransomware and worms to viruses and spyware. Your users’ ability to learn about and identify new attacks before they happen speaks to your organization’s strength in cybersecurity awareness.

Clean Desk Index

Keeping track of how your team applies the Clean Desk Principle is key. This means knowing how many employees leave their computer screens without password protection, keeping data on who forgot to shred documents before putting them in the trash, and keeping tabs on who failed to close file cabinets. We improve overall information security when everyone is responsible and records are kept.

Password Security

Passwords remain the primary authentication method for many systems. Concerns about potential privacy breaches mean that employees need to adopt best practices for password protection. Gathering intelligence on which passwords are most effective, and which are weaker, is critical. Avoiding easily guessable passwords, keeping passwords secure, and not sharing them accidentally and carelessly are elements that need to be quantified.

Keeping the Company Mission in Mind as You Measure Results

When we look at your company’s mission statement, it becomes possible to select the appropriate terminology to reflect your security awareness program and its objectives. Bridging the gap between metrics and goals is key when implementing any program within your organization.

Moreover, knowing your audience is a significant factor when determining the metrics for your security awareness program. With this information, you can devise the kind of program that meets the needs of your organization. For example, you may decide to provide rudimentary training to one group and a more advanced curriculum to another.

Cyberattacks are proving to be quite sophisticated. Accordingly, organizations need to be equally innovative to adapt to such a reality. Raw performance data and metrics provide ongoing visibility into the security culture of your organization. By utilizing tools and technologies that enable the measurement and analysis of user behaviors, you improve the security of your organization.

So, what are you measuring?


Whether you’re responsible for protecting your business or your loved ones, security awareness training can reduce the risk of a cyber attack.

You can learn more about setting up a security awareness program and educate your staff and loved ones on cyber security best practices. Download this infographic about the Security Awareness 5 Steps Framework.