Abstract

ABSTRACT Security awareness is an important element of every security infrastructure, especially since the human factor often proves to be the weakest link. Companies and organizations have developed programs that seek to promote security and enhance users' perception of the importance of exercising security. As raising awareness, however, is an on-going effort, the campaign has to be regularly evaluated so that corrective actions can be taken in order to achieve the best results. This paper addresses the importance of evaluating an organization's awareness program and provides guidelines and a methodology that will help organizations assess their efforts. The proposed framework includes the evaluation of individual awareness-related processes via respective metrics as well as the aggregation of the aforementioned metrics to produce an overall evaluation score, usable both as a benchmark for future iterations of the evaluation program as well as a figure presentable to higher management.