Security Metrics and Tracking Mechanism for SAP Training Report
Added on 2022/08/15
This report delves into the realm of security metrics and awareness training programs, crucial for mitigating employee-related security risks. It outlines the necessity of Security Awareness Program (SAP) training, emphasizing its role in driving behavioral changes to protect sensitive data. The report details the training frequency, target audience, and content, including policy awareness, handling malicious software, and physical device security. It highlights evaluation mechanisms such as surveys, face-to-face meetings, and independent observations. Furthermore, it introduces two key security awareness metrics: the computer logged-on metric and the target-related metric, along with their deployment methods. The report underscores the importance of integrating security metrics with business goals and emphasizes the benefits of a well-structured security program in terms of regulatory compliance, risk identification, and overall organizational and financial advantages. The report also provides references to relevant research and publications.

Running head: SECURITY METRICS
Unit 7: Security Metrics or Monitoring
Name of the Student:
Name of the University:
Tracking mechanism of Security Awareness Program (SAP)
Employees are exposed to security risks, so security awareness training is required to give
them skills in SAP implementation. Training is required for everyone involved in
implementation work so that they understand the security threats and organizational risk is
reduced. The purpose of this training is to drive behavioural changes among employees so
that sensitive data is protected (Swanson & Guttman, 1996). Training is held on a regular
basis, and the duration of the training program is 1 month. The training educates employees
on information security and on privacy best practices. It ensures that employees act in a
secure way when accessing and monitoring the status of the SAP (Whitman & Mattord, 2012).
The target audience for SAP training is end users, security officers, project managers and
business analysts. The content of the training is based on roles and on the culture of the
organization.
Training must be offered to employees at three points: when they join the team, after
incidents occur, and at regular intervals throughout the year. Security awareness vendors
are provided with materials such as computer-based training, newsletters and posters
(Peltier, 2016). As a result of the training, cyber security awareness increases. Each
organization should consider time, culture and resources when selecting materials for the
training program. An ongoing training program must be set up whose content covers the
security threats (Bada, Sasse, & Nurse, 2019). Security training is an ongoing process that
must be modified and amended to reflect changes within the business organization. The
security awareness training program should contain the following:
Policy on security awareness
Impact of unauthorized access to sensitive data
Awareness of the security requirements (Alshaikh et al., 2018).
Avoiding usage of malicious software
Physical and mobile device security (Yunos et al., 2016).
Evaluate and feedback mechanism
The effectiveness of the SAP training program is evaluated through the implementation of a
feedback strategy.
Survey
To gather feedback on the training program, a questionnaire survey is conducted on technical
and security-policy challenges to measure the effectiveness of the program. The issues
covered in the survey should be selected based on the security topics addressed throughout
the year (He & Zhang, 2019). Employees should be asked how the training would affect their
daily life and how it helps them gain knowledge of security.
Face-to-face meeting
This is an opportunity for the team to take feedback from employees by communicating with
them directly, face to face. There should be single questions for each employee, and the
content should relate to the various roles in the organization (Ghazvini & Shukur, 2017).
Issues identified in a specific role are therefore addressed through this feedback
mechanism.
Independent observations
These are conducted on the security behaviour of employees and carried out by the team
assigned to the task. They are mainly performed outside working hours, so they are not
noticed by others. The security awareness team produces a status report on a daily basis to
evaluate the behaviour of the group of employees (Schroeder, 2017). Metrics are also used to
consider the use of qualitative procedures. The observers deploy electronic means to
evaluate their security behaviour.
Audit department report
This report is used to check whether the security awareness incidents known to audit are
decreasing. The report provides an acceptable metric for measuring the effectiveness of the
program. It also provides important information about the areas that the team needs to pay
attention to (Whitman & Mattord, 2012). It is used to assess the strategy for making groups
of people aware of security topics.
Security awareness metrics
Security awareness metrics are used to facilitate decision making and to improve business
performance by taking measures to secure computer data and information. The following two
security awareness metrics are employed for tracking the progress of the SAP:
Computer logged on metric
This metric tracks how many people leave their computer logged in when they are away from
their desk. It is a way to lessen the time needed for investigating bugs. It is important to
address this information in the security training program. The metric relies on enabling
logon auditing to track which user accounts log in and at what time (He & Zhang, 2019). It
is used to track both local and network logins. Each logon event specifies the user account
that logged on and the login time. It is also useful for seeing when users logged off.
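One way to compute this metric from logon audit records, as an added example that is not part of the original report: logons are paired with logoffs, and any local session still open at an after-hours sweep counts as a computer left logged on. The event tuple layout, the sweep time and the function names are assumptions made for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample audit records: (time, user, host, logon type, action).
EVENTS = [
    ("2024-03-04 08:55", "alice", "WS-01", "local", "logon"),
    ("2024-03-04 17:32", "alice", "WS-01", "local", "logoff"),
    ("2024-03-04 09:10", "bob", "WS-02", "local", "logon"),
    ("2024-03-04 09:12", "bob", "FS-01", "network", "logon"),
    ("2024-03-04 09:40", "bob", "FS-01", "network", "logoff"),
    ("2024-03-04 08:30", "carol", "WS-03", "local", "logon"),
    ("2024-03-04 12:01", "carol", "WS-03", "local", "logoff"),
    ("2024-03-04 13:05", "carol", "WS-03", "local", "logon"),
    ("2024-03-04 18:20", "dave", "WS-04", "local", "logoff"),  # logon never captured
]


def open_sessions(events, sweep_time):
    """Pair logons with logoffs; return sessions open at sweep_time and orphan logoffs."""
    sweep = datetime.strptime(sweep_time, FMT)
    still_open = {}   # (user, host, logon type) -> logon time
    orphans = []      # logoffs with no matching logon: a gap in audit coverage
    for ts, user, host, ltype, action in sorted(
            events, key=lambda e: datetime.strptime(e[0], FMT)):
        when = datetime.strptime(ts, FMT)
        if when > sweep:
            break
        key = (user, host, ltype)
        if action == "logon":
            still_open.setdefault(key, when)  # keep earliest logon if repeated
        elif action == "logoff":
            if still_open.pop(key, None) is None:
                orphans.append((user, host, ts))
    return still_open, orphans


def logged_on_metric(events, sweep_time, population):
    """Share of the trained population with a local session open at the sweep."""
    still_open, orphans = open_sessions(events, sweep_time)
    # Only local (desk) sessions count as "computer left logged on".
    users = sorted({u for (u, _host, ltype) in still_open if ltype == "local"})
    rate = len(users) / len(population) if population else 0.0
    return {"users_left_logged_on": users, "rate": rate, "orphan_logoffs": orphans}


if __name__ == "__main__":
    staff = ["alice", "bob", "carol", "dave"]
    print(logged_on_metric(EVENTS, "2024-03-04 19:00", staff))
```

Orphan logoffs are reported separately because they indicate that logon auditing is incomplete on that host, which would make the metric understate the real figure.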
Target related metric
This security awareness metric consists of a measurable target, such as there being no
missing logs. It is mainly used to verify that technical security measures are implemented
accurately. The target is defined as the total population that falls under the scope of the
security measures. The target is the set of business units, and the measured attribute is
whether they are transferring access logs to the central collection server. Any deviation
from 100% can trigger an investigation (Whitman & Mattord, 2012). The purpose of this
security awareness metric is to provide information for decisions about information security
risks and controls. The purpose is to implement a security program that makes employees and
employers aware of security risks. Security metrics must be tied to the goals of the
business organization.
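The target-related metric described above can be computed as log coverage per business unit, shown here as an added example that is not part of the original report. The inventory, the collector's last-seen table, the 24-hour freshness window and the function name are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed inventory: in-scope hosts per business unit (the target population).
IN_SCOPE = {
    "finance": ["fin-app-01", "fin-db-01", "fin-ws-07"],
    "hr": ["hr-app-01", "hr-ws-02"],
    "research": [],  # unit is in scope but has no hosts registered
}

# Constructed collector view: host -> time the last access log was received.
LAST_SEEN = {
    "fin-app-01": "2024-03-04 23:58",
    "fin-db-01": "2024-03-04 23:59",
    "fin-ws-07": "2024-03-02 10:15",   # stale: stopped forwarding two days ago
    "hr-app-01": "2024-03-04 23:40",
    "hr-ws-02": "2024-03-04 22:05",
    "lab-test-9": "2024-03-04 21:00",  # sends logs but is not in the inventory
}


def coverage_report(in_scope, last_seen, now, max_age_hours=24):
    """Per-unit share of in-scope hosts whose logs reached the collector recently."""
    cutoff = datetime.strptime(now, FMT) - timedelta(hours=max_age_hours)
    report = {}
    for unit, hosts in in_scope.items():
        missing = [
            h for h in hosts
            if h not in last_seen or datetime.strptime(last_seen[h], FMT) < cutoff
        ]
        # An empty population cannot demonstrate the target, so report None.
        pct = round(100 * (len(hosts) - len(missing)) / len(hosts), 1) if hosts else None
        report[unit] = {
            "coverage_pct": pct,
            "missing": missing,
            # Any deviation from 100% triggers an investigation.
            "investigate": pct is None or pct < 100.0,
        }
    known = {h for hosts in in_scope.values() for h in hosts}
    unknown_senders = sorted(set(last_seen) - known)  # inventory gap, not coverage
    return report, unknown_senders


if __name__ == "__main__":
    print(coverage_report(IN_SCOPE, LAST_SEEN, "2024-03-05 00:00"))
```

Hosts that send logs without appearing in the inventory are listed separately, since they show that the population the 100% target is measured against is itself incomplete.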
Deployment method
To deploy security metrics in the business organization, perfect software behaviour is
required. Security metrics provide insights into the information security program, such as
the level of regulatory compliance and the staff’s ability to address security-related
issues (Schroeder, 2017). The metrics are considered helpful for identifying risks and
prioritizing future resource investments. With an information security program in place,
the organization is better prepared to answer hard questions. The security metrics program
provides organizational and financial benefits to the business. The organization can
improve security accountability by deploying IT security metrics. The data collection
process and reports enable management to pinpoint technical and management controls
(Sas et al., 2019). The security program contains various policies, as well as detailed
processes for integrating policies and procedures into regular operations.
The security program is deployed with various tracking mechanisms for documenting and
quantifying different aspects of system performance. The availability of data decreases the
difficulty of security measurement and increases the ability to automate data collection.
Automation of data collection depends on the availability of data from automated sources
versus the accessibility of data from people (Peltier, 2016). The aim of deploying the
security program is to ensure business continuity and to lessen business damage by
minimizing the impact of security incidents. Security models are required to improve the
relevance of security metrics to deployed systems. The main aim of security metrics is to
ensure the quality of system assurance (Yunos, Ab Hamid, & Ahmad, 2016). Detection of risks
can lead to vulnerabilities, as it can encompass the early phases of software development,
from previous planning activities throughout deployment. It can be leveraged to recognize
opportunities for making improvements in the development work.
References
Alshaikh, M., Maynard, S. B., Ahmad, A., & Chang, S. (2018). An exploratory study of
current information security training and awareness practices in organizations.
Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do
they fail to change behaviour? arXiv preprint arXiv:1901.02672.
Ghazvini, A., & Shukur, Z. (2017, November). Review of information security guidelines for
awareness training program in healthcare industry. In 2017 6th International
Conference on Electrical Engineering and Informatics (ICEEI) (pp. 1-6). IEEE.
He, W., & Zhang, Z. (2019). Enterprise cybersecurity training and awareness programs:
Recommendations for success. Journal of Organizational Computing and Electronic
Commerce, 29(4), 249-257.
Peltier, T. R. (2016). Security awareness program. In Information Security Policies,
Procedures, and Standards (pp. 163-174). Auerbach Publications.
Sas, M., Reniers, G., Hardyns, W., & Ponnet, K. (2019). The impact of training sessions on
security awareness: measuring the security knowledge, attitude and behaviour of
employees. Chemical Engineering Transactions, 77, 895-900.
Schroeder, J. (2017). Advanced Persistent Training: Take Your Security Awareness Program
to the Next Level. Apress.
Swanson, M. & Guttman, B. (1996). Generally accepted principles and practices for securing
information technology systems.
Whitman, M., & Mattord, H. (2012). High-assurance computing: Topics & case studies.
Boston, MA: Course Technology/Cengage Learning.
Yunos, Z., Ab Hamid, R. S., & Ahmad, M. (2016, July). Development of a cyber security
awareness strategy using focus group discussion. In 2016 SAI Computing Conference
(SAI) (pp. 1063-1067). IEEE.