Measuring An Information Security Awareness Program

Michael Wolf
Dwight Haworth
Leah Pietron

Keywords

security, security awareness, passwords, behavioral measurement

Abstract

Research shows that security awareness lacks a uniform definition. This paper explores the various attempts that have been made to define security awareness and then presents a clear and concise definition of it. Because no behaviorally oriented measurement exists, the assessment of security awareness has relied on self-reported questionnaires and on surveying users with this same type of instrument. These attempts assume that knowledge of security awareness leads to correspondingly correct behavior, without attempting any field validation that this paradigm holds true. This paper goes beyond self-reporting and measures the behavior of end users. It compares that behavior with policy to determine the actual compliance percentage and draws conclusions from these results.
