Have any of you security professionals been able to get security performance metrics into reviews that managers conduct for their employees? If so, are there any helpful resources you could share to make that happen?
What does this even mean? How many times a user opened unsafe email attachments? How many times the user wrote their password on a sticky-note and left it on their desk? "Security performance metrics" is nondescriptive buzzword bingo. If users consistently perform such unsafe actions as to warrant a review of "security performance metrics", that seems to imply your organization's security policy has far deeper problems than its users' violation of it. – Panther Modern Dec 13 '13 at 00:15
I'd say it could go both ways. Employees can be penalized AND incentivized. Personally I'd advocate for the latter. Consider performance indicators such as quiz results, attended security meetings, their resistance to phishing attacks . . . If a company REALLY believes security is important, it'd be in employee evaluations. – user35603 Dec 13 '13 at 00:39
"If a company REALLY believes security is important, it'd be in employee evaluations" - It already is: if you violate company security policies, you should be disciplined and/or fired depending on the severity thereof. If you give your users quizzes based on what you're teaching them, use those quizzes to evaluate the effectiveness of your training materials & security policy. Evaluating employees on things that aren't directly their job is... ludicrous. – Panther Modern Dec 13 '13 at 01:17
The problem is that the only thing security policies and actual security share is part of the name. – CodesInChaos Dec 13 '13 at 11:36
3 Answers
I'd like to respectfully offer a different perspective from the perfectly valid answer and comments already here.
I'm reading between the lines a lot, but I believe the original question is trying to achieve quite a good (and difficult) thing - prioritize security awareness at departmental level, with objective measurements of awareness.
The effect being that various managers are kept aware of how good direct reports are with regards to IT security, and there are hard numbers to refer to, not individual incidents. It's not just left as another thing for HR to deal with - you're treating it as training, instead of discipline.
I feel that IT Security is so nuanced that individual managers are better suited to evaluate their direct reports than HR is.
Phishing is much more of a threat to senior managers or financial controllers. It's important that they are "phishing-resilient" because their accounts have access to business critical systems. I'm not fussed if the maintenance crew score poorly against phishing - their accounts are likely to have very few privileges. In contrast, the maintenance crew has to be great at physical security, because they have access to the entire building (which may include switch cabinets, cable runs, etc.)
The metrics part is great because it's better to have numbers from a careful study instead of single-case incidents. But this is the hard part.
To do this you would need a well-designed framework for constant and systematic evaluation of each staff member, AND a "red team" that constantly tries to tailgate into buildings, leaves "malicious" USB drives in employee parking lots, phish employees, email nude-pics.jpg.exe to staff, etc. At the end of the day, you could then indeed construct great objective measurements:
- "Resistance to phishing attack": Received 24 test phishing emails, visited the phish page 2 times, entered credentials 0 times.
- "Safe treatment of unknown USB Drives": Returned 2 out of 2 "lost" USB drives to the IT Helpdesk.
Excellent, but very resource intensive. You could then gamify the system to increase response by comparing ratings between departments, improvements over time, awards for perfect scores, etc.
If you planned on deriving metrics from non-training, real-world incidents, I would agree that those are much less useful for staff training and awareness.
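The answer above describes a red-team exercise whose event log is then folded into per-employee and per-department numbers. The following is an added example, not code from the answer's author or from the original post, showing one way to do that aggregation: it turns constructed simulated-phishing and USB drop-test records into the "resistance to phishing attack" and "safe treatment of unknown USB drives" metrics sketched above, leaves untested employees unscored rather than defaulting them to zero, rejects inconsistent logs, and produces the department leaderboard the gamification idea calls for. All names, departments and event counts are constructed sample data.

```python
# Added example (not code from the original post or its author): turning a
# log of simulated-phishing and USB drop-test events into the per-employee
# and per-department metrics the answer sketches. All names, departments and
# event counts below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass

# Event kinds a red team would record; the "phish_*" kinds nest in this order.
PHISH_KINDS = ("phish_sent", "phish_clicked", "phish_submitted")
USB_KINDS = ("usb_found", "usb_returned")


@dataclass
class EmployeeMetrics:
    department: str
    phish_sent: int = 0
    phish_clicked: int = 0
    phish_submitted: int = 0
    usb_found: int = 0
    usb_returned: int = 0

    def validate(self):
        """Counts must nest: no submission without a click, no click without a test email."""
        if not (self.phish_submitted <= self.phish_clicked <= self.phish_sent):
            raise ValueError("inconsistent phishing counts")
        if self.usb_returned > self.usb_found:
            raise ValueError("more USB drives returned than planted")

    def phish_resilience(self):
        """Fraction of test emails that did not end in a credential submission.
        Returns None when no tests were sent, so an untested employee is not scored."""
        if self.phish_sent == 0:
            return None
        return 1.0 - self.phish_submitted / self.phish_sent

    def usb_return_rate(self):
        """Fraction of planted drives handed in to the helpdesk; None if none were planted."""
        if self.usb_found == 0:
            return None
        return self.usb_returned / self.usb_found


def aggregate(events):
    """Fold (employee, department, kind) records into one EmployeeMetrics per employee."""
    metrics = {}
    for employee, department, kind in events:
        if kind not in PHISH_KINDS + USB_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        m = metrics.setdefault(employee, EmployeeMetrics(department))
        setattr(m, kind, getattr(m, kind) + 1)
    for m in metrics.values():
        m.validate()
    return metrics


def department_resilience(metrics):
    """Mean phishing resilience per department over the employees who were actually tested."""
    totals = defaultdict(list)
    for m in metrics.values():
        score = m.phish_resilience()
        if score is not None:
            totals[m.department].append(score)
    return {dept: sum(s) / len(s) for dept, s in totals.items()}


def rank_departments(dept_scores):
    """Leaderboard for the gamified comparison: best department first."""
    return sorted(dept_scores, key=dept_scores.get, reverse=True)


def _repeat(employee, department, kind, n):
    return [(employee, department, kind)] * n


# Constructed red-team log. Alice matches the figures in the answer: 24 test
# emails, 2 visits to the phishing page, 0 credential submissions, and 2 of 2
# "lost" USB drives returned. Carol received no phishing tests at all.
SAMPLE_EVENTS = (
    _repeat("alice", "finance", "phish_sent", 24)
    + _repeat("alice", "finance", "phish_clicked", 2)
    + _repeat("alice", "finance", "usb_found", 2)
    + _repeat("alice", "finance", "usb_returned", 2)
    + _repeat("bob", "finance", "phish_sent", 24)
    + _repeat("bob", "finance", "phish_clicked", 6)
    + _repeat("bob", "finance", "phish_submitted", 3)
    + _repeat("carol", "maintenance", "usb_found", 3)
    + _repeat("carol", "maintenance", "usb_returned", 1)
    + _repeat("dave", "maintenance", "phish_sent", 10)
    + _repeat("dave", "maintenance", "phish_clicked", 1)
    + _repeat("dave", "maintenance", "phish_submitted", 1)
)


if __name__ == "__main__":
    per_employee = aggregate(SAMPLE_EVENTS)
    for name, m in sorted(per_employee.items()):
        print(name, m.department, m.phish_resilience(), m.usb_return_rate())
    scores = department_resilience(per_employee)
    print(rank_departments(scores), scores)
```

Two design points worth noting: an employee with no test emails gets `None` rather than a perfect or zero score, so departments that were not exercised do not skew the comparison, and `validate()` rejects logs where submissions exceed clicks or clicks exceed sends, which is the kind of inconsistency that turns up when several collection tools are merged.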
I think this is a much better answer than the one by @ChrisLively, mostly for using a red team to create metrics in the first place. – Matrix Dec 13 '13 at 09:27
Overall this is a good answer. I would just add that you likely want to be careful implementing a "red team", for two reasons. The first is that results obtained might eventually be used in the perf reviews of the various managers, which may not be a good thing. Second is that if it is known when and/or the type of testing such a team performs, then I could easily see managers alerting their staff ahead of time, thereby defeating the purpose. To that end it would probably be more beneficial to hire an outside company to run random tests throughout the year. – NotMe Dec 13 '13 at 19:49
I agree entirely. You need a company with vision and leadership to put the metrics to "good" use, and the red team (internal or external) must have integrity beyond reproach. I would also like to add that once the metrics have been proven to be accurate and unbiased, I would have no problem using them for performance reviews - empirical evidence of good or poor security performance is immensely valuable. – scuzzy-delta Dec 13 '13 at 20:51
This is an answer simply because the comment system is too short.
I agree with Panther that "Security performance metrics" is essentially meaningless.
Your company should have a security policy and a way to enforce said policy. Your employee manual should be clear as to the repercussions of violating those policies. Whether it's a slap on the wrist or outright termination. At a minimum it should be putting the employee on notice for even a minor incident, with knowledge that a second incident results in job loss. For any "major" security breach such as handing out their password or, worse, PII to someone that isn't properly vetted, then it should be immediate termination and their stuff mailed to them.
The mechanics for handling such things are already HR 101, so there isn't really a need to add anything else to the review. "Oh, look, you didn't violate our security policy. Good for you." or "Look, I'd give you the raise but you are already in hot water over that Nigerian scam email thing. Try again next year."
Regarding security training, etc, again those should be handled just like other job related training items are - a line item in their folder. Did they get a pretty certificate with their name on it? Coolio. Did they fail to attend any of your mandatory training which they would be fired for missing? -- well, that should sort itself out.
You mentioned "resistance to phishing attack"... What does that even mean? "Oh look, I see that you deleted 923,234 pieces of spam mail from your inbox last year. Good job!" ::eyeroll::
Yes, this answer is dripping with sarcasm. Not because I don't find security to be a topic every employee should be aware of. Rather, I find it to be a topic that should already be handled by your normal employee training, employee manual and existing HR policies. If it isn't, then you haven't done your job....and there should be a line item in your annual review for that.
What is it with this obsession on 'phishing resistance'? What about compliance with the security policies and procedures? What about spotting and reporting incidents, new risks, new opportunities? Getting actively involved in information security and risk management activities? Helping out with business continuity planning or testing security functions on new systems? .... There are loads of security-related things that security-aware employees do, and they can all be measured, if that's what you really want to do.
But, really, what's the point?
Take things back a couple of steps: what are the business objectives concerning employee security awareness? What is the organization trying to achieve? Somehow, I doubt 'phishing resistance' features on the list at all. So why measure it?
More likely are objectives such as 'Build a strong security culture' ... and measuring the culture takes us in a totally different metrics direction.
We essentially agree. I listed "phishing resistance" as a simple example, not necessarily anything more. Employees doing stuff that enhances the security culture is a great goal if it can be measured. – user35603 Dec 16 '13 at 16:49