1
00:00:00,005 --> 00:00:03,004
- [Instructor] Security education is an important component

2
00:00:03,004 --> 00:00:07,001
of any organization's information security program.

3
00:00:07,001 --> 00:00:10,004
If employees don't know their security responsibilities,

4
00:00:10,004 --> 00:00:13,000
you can't depend upon them to do their part

5
00:00:13,000 --> 00:00:15,003
to protect information and systems.

6
00:00:15,003 --> 00:00:18,009
It's important that organizations take steps to measure

7
00:00:18,009 --> 00:00:23,005
the effectiveness of their security education efforts.

8
00:00:23,005 --> 00:00:25,007
In an earlier video, we looked at one way

9
00:00:25,007 --> 00:00:28,003
to measure security awareness through the use

10
00:00:28,003 --> 00:00:30,008
of simulated phishing campaigns.

11
00:00:30,008 --> 00:00:32,009
That certainly is a valid way to measure

12
00:00:32,009 --> 00:00:36,006
the effectiveness of anti-phishing education programs.

13
00:00:36,006 --> 00:00:39,004
But you don't need to go to those great lengths to measure

14
00:00:39,004 --> 00:00:44,000
the effectiveness of your security education program.

15
00:00:44,000 --> 00:00:46,004
Security awareness measuring efforts

16
00:00:46,004 --> 00:00:48,002
don't need to be complicated.

17
00:00:48,002 --> 00:00:51,005
One easy way to measure the effectiveness of your program

18
00:00:51,005 --> 00:00:53,007
is simply to ask users how they feel

19
00:00:53,007 --> 00:00:56,008
about security education in a survey.

20
00:00:56,008 --> 00:00:59,004
You might simply ask, how well do you think

21
00:00:59,004 --> 00:01:01,008
our organization prepares you to deal

22
00:01:01,008 --> 00:01:04,000
with information security threats?

23
00:01:04,000 --> 00:01:08,004
Or, do you know your information security responsibilities?

24
00:01:08,004 --> 00:01:10,007
You can also measure how well you're educating

25
00:01:10,007 --> 00:01:14,003
users about incident response practices by asking,

26
00:01:14,003 --> 00:01:17,008
do you know where to report a security incident?

27
00:01:17,008 --> 00:01:19,006
These survey-based measures give you

28
00:01:19,006 --> 00:01:22,000
a good perspective on how well prepared

29
00:01:22,000 --> 00:01:25,004
your workforce is to deal with security issues.

30
00:01:25,004 --> 00:01:28,008
This approach to measuring security education is most

31
00:01:28,008 --> 00:01:33,000
effective if you look at how answers change over time.

32
00:01:33,000 --> 00:01:36,000
You might insert a few security-related questions

33
00:01:36,000 --> 00:01:38,005
into a quarterly employee survey

34
00:01:38,005 --> 00:01:41,009
and then watch how the answers change as you try

35
00:01:41,009 --> 00:01:45,007
different security awareness and training initiatives.

36
00:01:45,007 --> 00:01:49,002
You should use the results of security awareness surveys

37
00:01:49,002 --> 00:01:52,006
to help select new training and awareness tools,

38
00:01:52,006 --> 00:01:54,006
as well as tailor the message

39
00:01:54,006 --> 00:01:57,007
to answer changing user questions.

40
00:01:57,007 --> 00:02:00,006
The metrics that you collect on security awareness

41
00:02:00,006 --> 00:02:03,009
should complement other security metrics initiatives

42
00:02:03,009 --> 00:02:07,009
designed to evaluate your security and compliance posture.