Back in May security professional Lance Spitzner wrote about the challenges facing security professionals in organizing, operating and assessing the maturity of an
organization's security awareness program. It was a good piece that defines five levels of maturity, from non-existent at the low end up through long-term sustainment and a metrics framework at the top.
Lance followed this up with the draft of the Security Awareness Roadmap, a graphical representation of the five-level model. This is also good work. I have a couple of suggestions which might make it better.
In level 2, the Compliance Focused level, I think you should also identify an audience for security awareness training. That audience should be either a group who can help support and deliver the messages of the training, or a group that the training can reach whose behavior needs to be changed. In other words, that audience should be either advocates or "bad guys".
When you look at the deliverables in level 2, I'd suggest that you want to be able to report that, given the training materials you purchased or acquired, you reached some percentage of the target audience. This pays off when you reach level 3, Promoting Awareness & Change: it gives you something to take to a potential executive sponsor, and it gives you people who can act as initial champions.
The draft places much of the WHO and the HOW in level 3. I would suggest that some of that thinking belongs in level 2.
Absent from the deliverables for level 3 is any discussion of metrics derived from the baseline survey. This is another opportunity to target an audience. If your organization has a mix of remote and headquarters employees, you may want to start by reaching just the HQ employees first. That will likely be an easier audience to reach, since you can go somewhere to interact with them and see them.
In level 4 the plan suggests that you should "Identify when you will review your awareness program each year". I'd suggest that you need to tie such a review to individual campaigns or learning programs rather than to the calendar. If you are trying to change employee behavior around password changes or password selection by using posters hung around the workplace, you might need to assess that campaign's effectiveness as often as every week.