ENISA Presents Report on Information Security Awareness
ENISA, the European Union Agency created to advance the functioning of the Internal Market, presents the 1st European report on current practices on measuring successful awareness raising initiatives in information security across the EU, with responses from 67 European organisations headquartered in 9 different countries.
The report is providing an outline analysis of recommended security awareness practices, measurements of effectiveness and metrics, including case studies, of mainly governments and private companies within the European Union (EU).
ENISA commissioned PricewaterhouseCoopers LLP (PwC) to develop the report to offer a perspective on what governments and private companies are currently doing for assessing the impact and success of awareness raising activities.
The main areas studied are:
- The importance of information security awareness,
- Techniques to raise information security awareness, and
- Mechanisms to measure the effectiveness of awareness programs.
The publication gives an indication of what European organizations are currently doing to measure and improve information security awareness. Because of the self select nature of the study and limited sample size, the results should not be interpreted as statistically representative of European businesses and government departments as a whole.
Some key conclusions from the report:
Each organization needs to find the right balance between the mechanisms and techniques that are used to measure information security awareness initiatives. Keeping the approach simple tends to keep it cost effective. Quantifying security awareness is a struggle for organizations. But a balanced set of key performance indicators (KPIs) and metrics can provide real strategic insight into the effectiveness of awareness programs. Only with this insight organizations are able to change their programs from a compliance activity to one that really benefits their operations.
Source: ENISA
