Security Awareness Metrics

Each phase of the security awareness program creation process is important. Design, development and implementation are all critical. However, the work does not end with implementation. By monitoring, measuring, and assessing the effectiveness of your SAP, you can ensure that the program gets the right information to the right people. As a result, employees will know how to implement the program to keep your organization's information secure. In addition, these measurements can help improve your program by identifying weaknesses and incorporating new techniques and technologies. To get started with this part of the development process, you need to analyze metrics and measurement methods to determine which will work best for your particular situation.

For this Discussion, you will evaluate security metrics based on what you know and have put together for Advanced Topologies, Inc. The "Information Security Metrics: Legal and Ethical Issues" case study from your textbook in this unit's Learning Resources provides information on existing metrics and developing security metrics. 

Post a 350- to 500-word evaluation of the metrics in the case study. Include a description of at least two features of the security awareness plan you developed for Advanced Topologies, along with corresponding metrics that you feel would work well to measure them.  Evaluate the security awareness metrics from the case study and determine which ones you would employ to keep Advanced Topologies on track. Make sure to justify your recommendations.

Readings

• Whitman, M., & Mattord, H. (2012). High-assurance computing: Topics & case studies. Boston, MA: Course Technology/Cengage Learning.
  • Chapter 7, "Security Management Practices" (pp. 247-274)
    This chapter describes key components and trends in information security management practices. You will examine how organizations meet reciprocal U.S. and international standards of practice.
  • Case 3, "Information Security Metrics: Legal and Ethical Issues" (pp. 399-411)
    In this chapter, you will focus on risk reduction and the development of security measures. You will explore security metrics, case studies, risk management programs, and spheres of control.
• Wilson, M., & Hash, J. (2003). Building an information technology security awareness and training program (NIST Special Publication 800-50). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
  • Chapter 6, "Post-Implementation" (pp. 35-39) 
    This chapter provides a step-wise guide for tasks you will need to perform once an awareness training program has been implemented.