A Review of Methods for Evaluating Security Awareness Initiatives
Giacomo Assenza1 · Andrea Chittaro2 · Maria Carla De Maggio1 · Marzia Mastrapasqua2 · Roberto Setola1

1 Complex System and Security Lab, Università Campus Bio-Medico di Roma, Via Alvaro del Portillo, 21, 00128 Rome, Italy
2 SNAM, Corporate Security, Milan, Italy
* Corresponding author: Roberto Setola, [email protected]

Received: 27 May 2019 / Accepted: 14 September 2019
© Springer Nature Switzerland AG 2019

Abstract
The ‘human factor’ is commonly considered the weakest link in an organization’s security chain, and a significant percentage of companies have implemented security awareness (SA) programs to address this vulnerability. However, the importance of measuring the effectiveness of these SA programs, in order to assess whether they actually achieve their intended goals, is still underestimated. This gap has serious consequences: most security awareness campaigns have proved largely unsuccessful. Awareness measurement tools can be decisive both in providing feedback on the outcome of a program and in supporting the strategic planning needed to promote security. This article introduces and critically compares a set of measurement methods, then discusses their attributes and suggested applications.

Keywords Security awareness · Security awareness measurement · Security management · Critical infrastructure security

1 Introduction
Today’s critical infrastructures are becoming increasingly complex and vulnerable, and the ‘human factor’ is widely considered the weakest link in their security chain (Mitnick and Simon 2011; Patrick et al. 2003). Humans perform a wide range of critical and complex activities (crisis management, communication, implementation of procedures) in which even a single mistake can rapidly escalate into widespread disruption and major failures. Addressing the human factor with proper awareness training is therefore a condicio sine qua non for the proper functioning of companies in general and of critical infrastructure in particular. Hence, security compliance is not possible without addressing the human issues through proper awareness and training (Bresz 2004; Tsohou et al. 2008). To date, although a significant percentage of companies have implemented or will implement security awareness (SA) programs, the number of those that have adopted procedures to measure the actual level of awareness is strikingly low. This reveals a deep discrepancy between the business sector and academia, which has produced useful insights into the crucial role of SA evaluation and has proposed measurement methodologies (Abawajy et al. 2008; Karjalainen and Siponen 2011; Rahim et al. 2015). Such reluctance on the part of organizations can have detrimental effects, as having implemented SA initiatives does not automatically ensure that employees comply with safety and security behaviors and respect the in-force standards and procedures