2018-01-29

Why Evaluate Your Program

Part of annual policy review

If you don’t evaluate you will never improve

Continual review will help protect your budget

Start At The Outside and Move Your Way In

Awareness and Education is how most people in your org know the program

Threat Mapping maps the outside threats to your inside controls & tech

Communications is that final turn from the inside out

Measuring Awareness & Education

What do you think you do?

Mandatory CBLs

CyberCyberCyberStuff (Posters, Email, Swag)

Briefings and Classes

Phishing Awareness

$NOVEL_IDEA

How do you measure it?

How many people is it designed to engage?

How many people were actually engaged?

Not how many people took the awareness, how many people were ENGAGED?

How did they do? (CBL completions, % phished, reviews, etc)

Are you being honest with yourself?

If CBL_Completion = 15(clicks) then you may want to rethink that

0% phished is not a sign of a great security program...more likely a sign of a bad phishing program

If there is no way to allow for anonymous reviews of training/briefings/etc then you’re not likely to get fully honest reviews (Who wants to piss off security?)

Adjusting The Program

Don’t change the measurement...change the program

The key to long term success is consistently measuring the same thing over time

You may want to update goals (up or down), but be able to explain why, especially if you are making the test easier

Don’t make drastic changes until Year 3 unless you have to make drastic changes

Big changes in delivery will skew the numbers in ways you likely will not like

Constant large turmoil is counter to most corporate cultures

Small changes take advantage of previous investments best

“Iterate small and grow larger” - doing too much too fast almost always ends in highly suboptimal results over time

Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there’s a compliance or safety aspect

If this feels like “Wash, Rinse, Repeat” it’s because it is “Wash, Rinse, Repeat”
