Information security awareness initiatives: Current practice and the measurement of success

August 2007

Organisations, whether private or public, are increasingly recognising the importance of information security awareness.

The European Network and Information Security Agency (ENISA) commissioned PricewaterhouseCoopers to assess the impact and success of security awareness initiatives in different organisations. The report analyses how organisations are approaching information security awareness and the measurement of effectiveness. It focuses on cultural change, the ways in which sets of metrics and key performance indicators (KPIs) can pay off, and how assessing methods can contribute to the development of a wider culture of security.

Main issues include:

• Each organisation should find the right balance for them: there is not “one size fits all” solution
• Keeping the approach simple tends to keep it cost effective
• A balanced set of KPIs and metrics can provide real insight into the effectiveness of awareness programmes
• Only with insight are organisations able to change their programmes from compliance activity to one that really benefits their organisation