1. Executive Summary

This report summarizes the findings of the information security awareness and behavior survey conducted at ACME Inc. in 3 of their global locations during October 2010.

Assessment criterion

The survey measured 14 security practices (referred to as ESP – Expected Security Practices) that must be followed by the ACME Inc. workforce. This list is provided as an attachment to this report.

Average information security awareness score

The average information security awareness score of ACME Inc. is 83%, or HIGH.

[Figure: awareness gauge with LOW AWARENESS, MEDIUM AWARENESS and HIGH AWARENESS bands marked at 33%, 66% and 100%; ACME Inc.'s score of 83% is marked in the HIGH AWARENESS band]

This score is calculated after measuring awareness across the 14 ESPs (expected security practices). The awareness assessment focused on how a UST Associate would protect business information in a realistic scenario; it did not assess awareness of a particular standard or rule.

Average information security behavior score

The average information security behavior score of ACME Inc. is 66%, or MEDIUM. The information security behavior assessment was done for 7 out of the 14 ESPs.

[Figure: behavior gauge with LOW RISK BEHAVIOR, MEDIUM RISK BEHAVIOR and HIGH RISK BEHAVIOR bands; ACME Inc.'s score of 66% is marked in the MEDIUM RISK BEHAVIOR band]

Please note that the behavior rating is the inverse of the awareness rating: a high score in the behavior rating indicates high risk behavior. The rating of "66%" was arrived at by calculating the average behavior violation using the following formula.

[Figure: Behavior Score per ESP, a bar chart of the ESP score on a 0 to 10 scale for the seven ESPs assessed: Clear Policies, Email Security, Info Disclosure, Password Security, Physical Security, Incident Reporting, Social Networking/Blogging]

[Figure: ACME Inc. InfoSec Behavior Score, a gauge of the behavioral score on a 0 to 10 scale with reference points for low risk behavior (1), medium risk behavior (6) and high risk behavior (9); ACME Inc.'s position ("You are here") is at medium risk behavior]

The rating of behavior violations in the previous table is based on the fact that "awareness" and "behavior" cannot be compared directly. Hence, the following strategy was used.

For each ESP, it was checked whether the behavior violation was significant in terms of either:

- the number of information security violations, or

- the impact of the violations (financial, legal, reputational) in case of an information security violation due to poor behavior.

This strategy was used because, for a particular ESP, the number of instances of a violation may be low while the value of the information involved, or the repercussions of even a single violation, could be high. The rating of violation for each individual ESP is provided in the table below.