Page 8 - Cyber-Security-Awareness-Program _Methodology_eBook_InfoSight

If organizations take strategic measures to create a training program like that of InfoSight’s Cyber Security Awareness Program - and not just throw together a few PowerPoint slides to check training off the “to-do” list - it will better prepare students to help secure corporate systems as well as demonstrate to stakeholders and examiners that your organization is serious about awareness training.

InfoSight also provides a spreadsheet to assist you in measuring the effectiveness of your program. The spreadsheet contains a timeline of activities to help you measure the program’s impact on your workforce. It can be used to measure your program’s value, including contributions made toward reducing costs and risks.

Testing helps determine how well your “students” have retained the information being taught and to ensure they have a basic understanding of information security. Testing can be performed in a number of ways.

Pre-Testing and Post-Testing

According to an EMA survey, 62 percent consider the completion of training in itself a measurement of training and 55 percent measure its effectiveness by conducting testing upon completion. InfoSight’s method of measuring training far exceeds traditional standards. We encourage our customers to survey or test students before implementing the program to determine their baseline of knowledge regarding information security, including the concepts of confidentiality, integrity and availability of sensitive data. Students are surveyed again upon completion of the first 12 months of the program to gauge their resilience towards spear phishing, malware, and drive-by attacks and thus gauge the effectiveness of the Cyber Security Awareness Program. Pre-and-post testing can be accomplished using InfoSight’s pre-and-post-program tests/surveys/questionnaires.

Social Engineering Testing

Additionally, InfoSight recommends performing social engineering testing on students throughout the program. In the social engineering assessments, certain students are pre-selected. Simulated phishing attacks are sent via email and phone calls are placed in an attempt to manipulate the student into divulging information that can be used to gain access to more information or assets. InfoSight reports the findings of the social engineering assessments to the customer.

Cyber Security Awareness Program™, InfoSight Inc.