Is it because you are required to, or that you have a phishing problem, or that you truly believe employee security education will help you protect your organization? There is no wrong answer. The important part is answering the question before you begin, or continue, your program.
Answering this question is the first step in determining how to approach your security education program and how you’ll measure the results of the program. It’s also the best way to get internal buy-in and cooperation during implementation.
Here are some easy steps to defining your objectives:
1. Write down three problems you’d like to address with security education.
Here are some idea starters:
- Reduce the number of malware infections
- Get employees to identify and avoid phishing attacks
- Comply with regulations
- Reduce the number of PCs you have to clean
2. Determine how you can measure progress towards solving these problems.
Ask yourself these questions:
- Do you know the number of malware infections per month now? Do you want to reduce it by 10% or more? What is a reasonable target?
- Do you know how many "successful" phishing attacks occur in your organization now? Can you estimate the cost of each of these "successful" attacks?
- How many security incidents do you have a month? How many security-related calls come into your helpdesk?
- What does it cost to clean a PC, and do you have help desk tickets that show how many you clean each month and how many hours that takes?
3. Do the math and determine the savings associated with addressing these problems.
Here are some tips:
- Make it reasonable. Even a 15% reduction in these areas will likely produce enough savings to get attention.
- Are there any ancillary benefits from the program? Possibly increased safety for your employees' personal identity or financial information, or reduced risk from threats coming in through your employees' personal PCs or devices?
- Start small. If you start with a conservative estimate and exceed it, you look like a hero. But be careful: people will expect even more from you next year.
In Conclusion
These three steps will help you craft a succinct presentation to your boss and his or her peers about why the company should be investing in security education. It is a great way to start off your 2014 security awareness and training program with a compelling argument to department heads and executive management about how the business can benefit from cyber-smart employees.