The right metrics can make or break a security program (or a budget meeting).

Just how effective is all of that "soft" spending on security awareness training? Steve Santorelli of Team Cymru says there are ways to track and measure that, primarily through phishing and social engineering stress testing, where you test you staff for phishing awareness and social engineering awareness.

Basically, you run a fake phishing campaign and make a few hoax calls," says Santorelli, director of analysis and outreach for the research firm. "Reward and publicize good results, help failures to learn from their errors, and you'll have folks actively watching out for these attacks--for a few weeks at least."

About the Author(s)

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights