security awareness
program scorecard
Your security awareness program score is
REACTIVE: This level is the starting point for any organization. At this level, security awareness is usually focused on the tactical steps to secure business activities or meet regulatory compliance mandates, with little attention towards creating a global security awareness strategy. Organizations generally recognize the business risks due to user vulnerabilities but lack in clearly defined security policies or procedures. Most security awareness activities are reactive and ad-hoc in response to incidents – rather than a proactive program with defined objectives. In most organizations with a low level of maturity, accountability for security awareness is usually assigned to an IT security analyst, with little involvement or buy-in from senior executives. In summary, some awareness activities may exist, but the security awareness program is lacking in having clear objectives and continuity.
PROACTIVE: At this level of maturity, information security starts to be embedded into the organizational culture. Security policies and procedures are documented and reviewed, with adequate delivery mechanisms to enable awareness and compliance. Organizations with a medium level of maturity are usually characterized by central management of all awareness activities, usually leveraging solutions for training and/or phishing simulations. Most of the time, awareness activities are mandatory, closely monitored and promoted by management. In summary, a security awareness program is in place with solutions to increase awareness, but activities are not orchestrated or optimized to drive effectiveness. Therefore, there may be missed opportunities in enabling long-term behavior change, developing a security-aware culture and maintaining ongoing executive support and buy-in for the program.
OPTIMIZED: This is assumed to be the highest maturity level. This state is characterized by having control over the security awareness needs of the organization, responsiveness to evolving threats, solid monitoring of the program and benchmarking program performance. Security awareness program metrics are collected and the program is regularly reviewed and updated. Information security is embedded into the culture of the organization, with high participation rates, executive support and orchestrated activities across all levels of the organization. Security awareness is a joint responsibility of business and IT security, and the program is integrated with human resources, legal and communications. In summary, security awareness is well-managed with opportunities to continue to adapt to the organization’s risk landscape and to optimize program results.
Summary
No matter where you are on your security awareness journey, the 5-step framework is designed to help you create a blueprint for a security awareness program that fits your organization. You can more easily manage your program, change behaviors, get measurable results and develop a security culture within your organization.
security awareness
program scorecard
Step 1: Analyze
No matter where you are on your security awareness journey, the 5-step framework is designed to help you create a blueprint for a security awareness program that fits your organization. You can more easily manage your program, change behaviors, get measurable results and develop a security culture within your organization.
Great job! These are areas that are increasing your security awareness program score:
- Continue assessing user knowledge, and use the results to identify gaps between your actual and desired states, and to prioritize topics for different audiences.
- Gathering insight on user behavior is a good practice to maintain. This helps you measure the level of secure behavior and alertness of your employees.
Here are some great opportunities to improve your security awareness program score:
- Including insights from risk assessments, audits and incident reports is highly recommended. This helps you identify risks that are impacting your organization.
- Start inquiring about your organization’s compliance obligations by contacting your legal, compliance or privacy teams. Incorporate those findings in your program.
- Consider leveraging security research reports as a valuable resource to uncover some of the most common high-risk user behaviors to address in your program.
- It is important to include current employees in your program. At a minimum, your program should increase their overall understanding of security threats.
- Start training new hires on security awareness during the on-boarding process, and communicating the importance of security within your organization.
- Temporary employees often have the same access to information and systems as regular employees. Consider including them as a target audience.
- Consider incorporating security awareness training as a requirement in order to establish strong and trusted business partnerships with partners and suppliers.
- You might consider including your clients as an audience in your program. This may reduce the number of incidents your customer support center encounters.
Great job! These are areas that are increasing your security awareness program score:
- Continue assessing user knowledge, and use the results to identify gaps between your actual and desired states, and to prioritize topics for different audiences.
- Gathering insight on user behavior is a good practice to maintain. This helps you measure the level of secure behavior and alertness of your employees.
- Good work including input from risk assessments, audits and incident reports. This gives you visibility into the risk areas that are impacting your organization.
- Continue consulting with business stakeholders. They can help identify compliance obligations that must be included in your awareness program.
Here are some great opportunities to improve your security awareness program score:
- Including insights from risk assessments, audits and incident reports is highly recommended. This helps you identify risks that are impacting your organization.
- Start inquiring about your organization’s compliance obligations by contacting your legal, compliance or privacy teams. Incorporate those findings in your program.
- Consider leveraging security research reports as a valuable resource to uncover some of the most common high-risk user behaviors to address in your program. should increase their overall understanding of security threats.
- Start training new hires on security awareness during the on-boarding process, and communicating the importance of security within your organization.
- Temporary employees often have the same access to information and systems as regular employees. Consider including them as a target audience.
- Consider incorporating security awareness training as a requirement in order to establish strong and trusted business partnerships with partners and suppliers.
- You might consider including your clients as an audience in your program. This may reduce the number of incidents your customer support center encounters.
Great job! These are areas that are increasing your security awareness program score:
- Continue assessing user knowledge, and use the results to identify gaps between your actual and desired states, and to prioritize topics for different audiences.
- Gathering insight on user behavior is a good practice to maintain. This helps you measure the level of secure behavior and alertness of your employees.
- Good work including input from risk assessments, audits and incident reports. This gives you visibility into the risk areas that are impacting your organization.
- Continue consulting with business stakeholders. They can help identify compliance obligations that must be included in your awareness program.
- You know the value of security research reports and benchmarks. Leverage them to uncover high-risk user behaviors you want to address in your program.
- Continue including current employees as a key audience in your awareness program. This audience should be targeted with topics that apply to everyone in the organization.
- Ensuring that your program reaches all employees, including new hires, is a good practice you should continue to follow.
- Providing security awareness training to clients is a demonstration of your organizations commitment to information security.
Here are some great opportunities to improve your security awareness program score:
- Temporary employees often have the same access to information and systems as regular employees. Consider including them as a target audience.
- Consider incorporating security awareness training as a requirement in order to establish strong and trusted business partnerships with partners and suppliers.
security awareness
program scorecard
Step 2: Plan
In this phase, you leverage your analysis to plan awareness campaigns with the right mix of program activities, topics, communication, and reinforcement tools. At this stage, knowing the concerns and training needs of your audience is crucial for planning an effective campaign. You should be thinking of how other departments with a stake in security awareness - such as learning, communications, human resources and compliance - should be involved. In doing so, they can provide feedback on the program plan, help secure funding, and help employees understand the importance of the cyber security awareness program.
Great job! These are areas that are increasing your security awareness program score:
- Involving IT security is a good practice to maintain. The IT Security team can help you get guidance on topic selection and assist in reviewing awareness material for relevance.
- Continue involving your legal and privacy teams so they can help identify specific regulations or contractual requirements that impact your campaign planning.
Here are some great opportunities to improve your security awareness program score:
- Remember: Your HR department needs to be involved, especially when the awareness program becomes mandatory or if your organization has unionized employees.
- Consider working with a communications advisor to oversee the awareness program communication strategy, messages and establishing a communications calendar.
- Involving IT staff who support aspects of your program - such as the learning management system, single sign-on and service desk – can be critical for campaign success.
- Consider planning general awareness campaigns on topics that apply to all employees to increase their overall understanding of security risks, and to instill a security culture.
- Some functions are more exposed to sensitive data (e.g. personal, health, or credit card data). Consider targeted campaigns for those functions around the risk factors relevant to their jobs.
- Remember: Not all users are exposed to the same risks and technologies. Targeted awareness based on technology or risk exposure will increase relevance of content for users.
- Managers can act as ambassadors and help promote awareness activities to their staff. Consider targeted content for managers to boost your program effectiveness.
- Including executives as an audience in your campaigns is strongly recommended. They should be aware of the risks facing their organization and committed to the program’s objectives.
Great job! These are areas that are increasing your security awareness program score:
- Involving IT security is a good practice to maintain. The IT Security team can help you get guidance on topic selection and assist in reviewing awareness material for relevance.
- Continue involving your legal and privacy teams so they can help identify specific regulations or contractual requirements that impact your campaign planning.
- A communications advisor can oversee the communication strategy, messages and planning. Continue to involve communications in planning your awareness program.
- You recognize the central role IT administrators play in supporting the implementation of the solutions and technical components of your awareness program.
Here are some great opportunities to improve your security awareness program score:
- Your organization may be subject to regulations or contractual requirements. Don’t forget to consult your legal and privacy teams when planning your awareness program campaigns.
- Consider planning general awareness campaigns on topics that apply to all employees to increase their overall understanding of security risks, and to instill a security culture.
- Some functions are more exposed to sensitive data (e.g. personal, health, or credit card data). Consider targeted campaigns for those functions around the risk factors relevant to their jobs.
- Remember: Not all users are exposed to the same risks and technologies. Targeted awareness based on technology or risk exposure will increase relevance of content for users.
- Managers can act as ambassadors and help promote awareness activities to their staff. Consider targeted content for managers to boost your program effectiveness.
- Including executives as an audience in your campaigns is strongly recommended. They should be aware of the risks facing their organization and committed to the program’s objectives.
Great job! These are areas that are increasing your security awareness program score:
- Involving IT security is a good practice to maintain. The IT Security team can help you get guidance on topic selection and assist in reviewing awareness material for relevance.
- Continue leveraging Human Resources. They can help establish security awareness as part of the on-boarding process and make it mandatory for all employees.
- A communications advisor can oversee the communication strategy, messages and planning. Continue to involve communications in planning your awareness program.
- You recognize the central role IT administrators play in supporting the implementation of the solutions and technical components of your awareness program.
- Continue involving your legal and privacy teams so they can help identify specific regulations or contractual requirements that impact your campaign planning.
- You recognize the importance of having a general awareness campaign that targets all your employees to increase their overall understanding of security risks.
- Campaigns based on function is a good practice. It helps maximize the effectiveness of your campaigns by targeting functions with topics that are relevant to their jobs.
- Continue with targeted campaigns based on technology or risk exposure. This increases the relevance of content, as not all users are exposed to the same risks or technologies.
Here are some great opportunities to improve your security awareness program score:
- Managers can act as ambassadors and help promote awareness activities to their staff. Consider targeted content for managers to boost your program effectiveness.
- Including executives as an audience in your campaigns is strongly recommended. They should be aware of the risks facing their organization and committed to the program’s objectives.
security awareness
program scorecard
Step 3: Deploy
During this phase, cyber security awareness campaigns are carried out based on the plan and the metrics previously established. Sustained communication with the program audience is critical for reinforcing key points through both physical and online tools. Communication begins by announcing the launch of the program and continues by emphasizing core messages through repetition, using diverse communication channels. During the Deploy phase, you mobilize participants through strategic communications that serve as “megaphones” for program activities and key messages to maximize impact.
Great job! These are areas that are increasing your security awareness program score:
- Interactive e-learning is a very effective tool for increasing knowledge acquisition and retention. Continue to leverage e-learning in your program.
- Continue to leverage phishing simulations for quantitative insight into your organization’s vulnerability to phishing attacks, and as a just-in-time training opportunity.
Here are some great opportunities to improve your security awareness program score:
- Employees need to be aware of the physical tactics criminals use to compromise information security. Consider using social engineering tests in future campaigns.
- Try using articles, blogs or videos in campaign announcements and knowledge reinforcement. This helps keep communication interesting and varied for your users.
- Consider reinforcement with posters, screensavers and desktop wallpaper. They can serve as daily reminders of best practices, threat risks or upcoming awareness events.
- Including corporate policies in your program is strongly recommended. Users must be aware of the behaviour required to comply with policies and compliance obligations.
- Consider using interactive learning games and exercises to increase participation, engagement and knowledge retention.
- Start using real life scenarios and public news stories on security breaches to educate your users and reinforce key awareness program messages.
- Including procedures for reporting incidents is highly recommended. Users must recognize events that require a notification, what to do and who to contact.
- Consider leveraging just-in-time training content at key learning moments, such as when a user fails a phishing test.
Great job! These are areas that are increasing your security awareness program score:
- Interactive e-learning is a very effective tool for increasing knowledge acquisition and retention. Continue to leverage e-learning in your program.
- Continue to leverage phishing simulations for quantitative insight into your organization’s vulnerability to phishing attacks, and as a just-in-time training opportunity.
- You recognize the added value of social engineering tests to raise employee awareness around the physical tactics criminals use to compromise information security. .
- Using articles, blogs and videos is a good practice to maintain, especially for campaign announcements and for knowledge reinforcement.
Here are some great opportunities to improve your security awareness program score:
- Consider reinforcement with posters, screensavers and desktop wallpaper. They can serve as daily reminders of best practices, threat risks or upcoming awareness events.
- Including corporate policies in your program is strongly recommended. Users must be aware of the behaviour required to comply with policies and compliance obligations.
- Consider using interactive learning games and exercises to increase participation, engagement and knowledge retention.
- Start using real life scenarios and public news stories on security breaches to educate your users and reinforce key awareness program messages.
- Including procedures for reporting incidents is highly recommended. Users must recognize events that require a notification, what to do and who to contact.
- Consider leveraging just-in-time training content at key learning moments, such as when a user fails a phishing test.
Great job! These are areas that are increasing your security awareness program score:
- Interactive e-learning is a very effective tool for increasing knowledge acquisition and retention. Continue to leverage e-learning in your program.
- Continue to leverage phishing simulations for quantitative insight into your organization’s vulnerability to phishing attacks, and as a just-in-time training opportunity.
- You recognize the added value of social engineering tests to raise employee awareness around the physical tactics criminals use to compromise information security. .
- Using articles, blogs and videos is a good practice to maintain, especially for campaign announcements and for knowledge reinforcement.
- Keep leveraging posters, screensavers and desktop wallpaper as daily reminders about security best practices, threat risks or upcoming awareness events.
- By leveraging corporate policies in your program content, users can be aware of the behaviour required to comply with internal policies and compliance obligations.
- Continue using learning games and exercises in your program. Interactivity contributes to increasing participation, engagement and knowledge retention.
- You recognize the opportunity in using real life scenarios and public news stories on security breaches as a learning tool, and as a way to effectively reinforce key messages.
Here are some great opportunities to improve your security awareness program score:
- Including procedures for reporting incidents is highly recommended. Users must recognize events that require a notification, what to do and who to contact.
- Consider leveraging just-in-time training content at key learning moments, such as when a user fails a phishing test.
security awareness
program scorecard
Step 4: Measure
The measure phase allows you to evaluate the overall success of the program: is it meeting objectives and changing user behavior? what necessary adjustments need to be made to improve program effectiveness? Assessing cyber security awareness programs requires that you acknowledge several core factors that directly influence success. Having the right metrics and key performance indicators (KPIs) that you can measure and report on is critical for ongoing program success.
Great job! These are areas that are increasing your security awareness program score:
- By collecting training participation, you have a good start in tracking progress and effectively monitoring participation rates for your awareness program.
- You recognize the importance of measuring knowledge retention. We agree that to change behaviors, users first need to know the right thing to do!
Here are some great opportunities to improve your security awareness program score:
- Start gathering user behavior metrics such as phishing test results and incident reports. This helps you capture the state of user behavior and how it is changing over time.
- Remember: users who routinely fall victims to cyber attacks pose a security risk to your organization and require special attention. Start tracking “repeat offender” metrics.
- Consider collecting “content appreciation by audience” metrics leveraging survey tools, this helps you understand the relevance of content and areas to improve.
- Discuss with HR the possibility of applying negative consequences, such as additional training or removing privileges, for unmotivated users and repeat offenders.
- Consider rewarding employees for secure behavior (e.g. spotting and reporting a skilfully crafted phishing email) or for acknowledging top program participants.
- Just-in time feedback in highly recommended as a follow-up mechanism for reducing the risk of undesired behavior with relevant and actionable information.
- Communicating insecure behavior and incidents that affected your organization can help alert users, especially if your organization is being targeted with a specific threat.
- Communicating secure behaviors at large is an effective approach to get employees motivated and engaged. Consider adding this tactic to your follow-up toolbox.
Great job! These are areas that are increasing your security awareness program score:
- By collecting training participation, you have a good start in tracking progress and effectively monitoring participation rates for your awareness program.
- You recognize the importance of measuring knowledge retention. We agree that to change behaviors, users first need to know the right thing to do!
- Continue gathering user behavior metrics such as phishing test results, service desk tickets and security incident reports.
- Tracking repeat offenders is a good practice to maintain. This helps identify users who routinely fall victim to cyber attacks and require special attention.
Here are some great opportunities to improve your security awareness program score:
- Consider collecting “content appreciation by audience” metrics leveraging survey tools, this helps you understand the relevance of content and areas to improve.
- Discuss with HR the possibility of applying negative consequences, such as additional training or removing privileges, for unmotivated users and repeat offenders.
- Consider rewarding employees for secure behavior (e.g. spotting and reporting a skilfully crafted phishing email) or for acknowledging top program participants.
- Just-in time feedback in highly recommended as a follow-up mechanism for reducing the risk of undesired behavior with relevant and actionable information.
- Communicating insecure behavior and incidents that affected your organization can help alert users, especially if your organization is being targeted with a specific threat.
- Communicating secure behaviors at large is an effective approach to get employees motivated and engaged. Consider adding this tactic to your follow-up toolbox.
Great job! These are areas that are increasing your security awareness program score:
- By collecting training participation, you have a good start in tracking progress and effectively monitoring participation rates for your awareness program.
- You recognize the importance of measuring knowledge retention. We agree that to change behaviors, users first need to know the right thing to do!
- Continue gathering user behavior metrics such as phishing test results, service desk tickets and security incident reports.
- Tracking repeat offenders is a good practice to maintain. This helps identify users who routinely fall victim to cyber attacks and require special attention.
- You seem to have insight into satisfaction and content appreciation by audience which can help you understand the relevance of program content and areas to improve.
- By applying negative consequences, such as additional training or removing privileges, you can help improve the behavior of unmotivated users and repeat offenders.
- You recognize the value of positive consequences, such as recognition or rewards, as a good way to reinforce secure behavior and build a security culture.
- Continue providing just-in time feedback to reduce the risk of undesired behavior with relevant and actionable information.
Here are some great opportunities to improve your security awareness program score:
- Communicating insecure behavior and incidents that affected your organization can help alert users, especially if your organization is being targeted with a specific threat.
- Communicating secure behaviors at large is an effective approach to get employees motivated and engaged. Consider adding this tactic to your follow-up toolbox.
security awareness
program scorecard
Step 5: Optimize
Optimizing your awareness program will help drive ongoing behavior change, keep your program relevant and demonstrate program value to stakeholders. Your program should be reviewed and updated at least annually. By leveraging insights from KPIs and metrics collected, industry benchmarks, new regulations and the latest security threats, you can better adapt and optimize your program to the ever-changing threat landscape.
Great job! These are areas that are increasing your security awareness program score:
- Continue reporting performance metrics to the program manager. This will help in identifying and applying appropriate changes to optimize the program.
- You recognize the importance of reporting program performance to the program sponsor, as this helps with continued support and investment in the program.
Here are some great opportunities to improve your security awareness program score:
- Consider reporting on program performance to your executive security committee to demonstrate compliance and communication of policies and procedures.
- Start reporting program performance to department leads, especially if participation is not at the expected levels for their departments.
- Remember: reporting program results to your audience can help create friendly competition, increase participation and demonstrate the importance of the program.
- Start reviewing program results and comparing against objectives to identify strengths and weaknesses, and to apply the appropriate changes to optimize your program.
- Remember: it is important to update your awareness program at least one a year so you can better meet program objectives and keep cyber security top of mind.
- Start leveraging stakeholder and user feedback to optimize your program. This can provide valuable insights for taking your program to the next level.
- Evaluating the risk landscape affecting our organization should be a priority in optimizing your program and keeping it relevant and effective.
- Your program needs to stay current on all policy changes, contractual agreements and compliance obligations. Start incorporating this practice when optimizing your program.
Great job! These are areas that are increasing your security awareness program score:
- Continue reporting performance metrics to the program manager. This will help in identifying and applying appropriate changes to optimize the program.
- You recognize the importance of reporting program performance to the program sponsor, as this helps with continued support and investment in the program.
- Program reporting to your executive security committee is a good practice to maintain for demonstrating compliance and communication of policies and procedures.
- Reporting program performance to department leads helps you share participation results, and continue to get department lead support.
Here are some great opportunities to improve your security awareness program score:
- Remember: reporting program results to your audience can help create friendly competition, increase participation and demonstrate the importance of the program.
- Start reviewing program results and comparing against objectives to identify strengths and weaknesses, and to apply the appropriate changes to optimize your program.
- Remember: it is important to update your awareness program at least one a year so you can better meet program objectives and keep cyber security top of mind.
- Start leveraging stakeholder and user feedback to optimize your program. This can provide valuable insights for taking your program to the next level.
- Evaluating the risk landscape affecting our organization should be a priority in optimizing your program and keeping it relevant and effective.
- Your program needs to stay current on all policy changes, contractual agreements and compliance obligations. Start incorporating this practice when optimizing your program.
Great job! These are areas that are increasing your security awareness program score:
- Continue reporting performance metrics to the program manager. This will help in identifying and applying appropriate changes to optimize the program.
- You recognize the importance of reporting program performance to the program sponsor, as this helps with continued support and investment in the program
- Program reporting to your executive security committee is a good practice to maintain for demonstrating compliance and communication of policies and procedures.
- Reporting program performance to department leads helps you share participation results, and continue to get department lead support.
- You acknowledge the importance of reporting program results directly to your audience to demonstrate your organization’s ongoing attention to information security.
- Reviewing program results and comparing against objectives, to identify strengths and weaknesses, is at the core of optimization. Continue to incorporate this key practice.
- Updating your awareness program at least once a year is a good practice to maintain. This helps you better meet program objectives and keep cyber security top of mind.
- Adjusting your program based on stakeholder and user feedback is a demonstration of your commitment to continuously moving your program forward.
Here are some great opportunities to improve your security awareness program score:
s- Evaluating the risk landscape affecting our organization should be a priority in optimizing your program and keeping it relevant and effective.
- Your program needs to stay current on all policy changes, contractual agreements and compliance obligations. Start incorporating this practice when optimizing your program.
Want to optimize your program for future success? Schedule a free session with security awareness coach to take it to the next level.