Making Security Awareness Measurable: The Employee Security Index (ESI®)
Security is an abstract term. IT-Seal has developed a benchmark for security against cyber attacks that creates transparency: The Employee Security Index compares a test group with a system that is considered “secure” according to the current state of research. This provides an insight into the security culture, a standardised possibility of comparison and a basis for decisions on further measures.
Security is a quantity that is difficult to measure.
What are we secure against, under what conditions, and to what degree? How well does the workforce master digital self-defense as a “human firewall”? IT security managers in particular face major challenges here, both in protecting the company against cyber attacks and in making investment decisions. The return on investment can usually only be determined very imprecisely, which makes it difficult to justify budget demands.
Benchmark based on academic research.
For the area of social engineering and phishing awareness, IT-Seal has developed a benchmark based on academic research and applied for a patent. This determines what state is considered “secure.” A company can now be concretely evaluated based on the behavior its workforce exhibits in the face of targeted attacks. The response to social engineering attacks is measured and the results are then compared with the company defined as “secure”. This concept creates transparency and comparability.
The Employee Security Index (ESI®) makes security measurable.
As part of our social engineering simulations, we have packaged this concept into a key figure, the Employee Security Index (ESI®). This provides a quick and easy-to-understand measure of employee security within the company. Based on the current state of research and our experience with phishing simulations in companies from a wide range of industries, we have derived tolerance values for the behavior of employees in the face of social engineering attacks. The tolerance value in each case depends on the preparation time an attacker has to invest in the corresponding attack.
At the interface between absolute security and feasibility, a company defined as “secure” achieves an ESI® of 90 on a scale of 0-100. After defining an individual Target-ESI®, our customer company can, on the one hand, continuously check its progress against that target value. On the other hand, the ESI® can also be determined for subgroups. Who is more secure, sales or HR, and how does management compare to accounting? This information is valuable when it comes to further targeted measures such as training.
IT security awareness: complexity in a number.
Phishing can range from easily identifiable mass emails to tailored spear phishing. Therefore, the concrete calculation of the ESI® is not done by simply measuring and comparing click rates. In our Awareness Academy, we simulate attack scenarios of different difficulty levels. The resulting click rates are weighted differently according to difficulty, so that the prevailing security standard is reflected as accurately as possible. Progress over time, group results, objectives and recommended actions can all be displayed by the ESI® – via the API also directly in the SOC (Security Operations Center) of our customers. This makes the complex issue of human security awareness measurable on a scale of 1 to 100. And communicable: both the management and the employees are happy about a jointly achieved value of 87.
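To make the difficulty-dependent weighting concrete, here is an added illustrative example; it is not IT-Seal's patented ESI® calculation, and the tolerance curve, the scoring rule, the group names and the simulation results are all assumptions constructed for this example. It shows why the same click rate scores very differently for a mass mailing and for a well-prepared spear-phishing scenario, and how a per-group index is compared against the target value of 90.

```python
from collections import defaultdict
from dataclasses import dataclass

TARGET_INDEX = 90.0  # index a company "defined as secure" reaches on the 0-100 scale


@dataclass(frozen=True)
class Scenario:
    name: str
    prep_hours: float  # assumed attacker preparation effort; tolerance grows with it


@dataclass(frozen=True)
class Result:
    scenario: Scenario
    group: str
    recipients: int
    clicks: int


def tolerated_click_rate(prep_hours: float) -> float:
    """Assumed tolerance curve: a well-prepared attack is allowed a higher click rate."""
    return min(0.05 * (1.0 + prep_hours), 0.5)


def scenario_score(rate: float, tolerance: float) -> float:
    """Assumed rule: 100 while the click rate is within tolerance, then proportionally less."""
    return 100.0 if rate <= tolerance else 100.0 * tolerance / rate


def index(results, group=None) -> float:
    """Pool clicks per scenario (for one group, or the whole company) and average the scores."""
    pooled = defaultdict(lambda: [0, 0])  # scenario -> [recipients, clicks]
    for r in results:
        if group is None or r.group == group:
            pooled[r.scenario][0] += r.recipients
            pooled[r.scenario][1] += r.clicks
    scores = [scenario_score(c / n, tolerated_click_rate(s.prep_hours))
              for s, (n, c) in pooled.items() if n]
    return sum(scores) / len(scores) if scores else 0.0


def meets_target(results, group=None) -> bool:
    return index(results, group) >= TARGET_INDEX


# Constructed sample data: two scenarios, two groups, identical 10 % click rates in sales.
MASS = Scenario("mass phishing", prep_hours=0.0)    # tolerance 5 %
SPEAR = Scenario("spear phishing", prep_hours=3.0)  # tolerance 20 %
RESULTS = [Result(MASS, "sales", 100, 10), Result(MASS, "hr", 100, 6),
           Result(SPEAR, "sales", 50, 5), Result(SPEAR, "hr", 50, 10)]

if __name__ == "__main__":
    for g in (None, "sales", "hr"):
        print(g or "company", round(index(RESULTS, g), 1), "target met:", meets_target(RESULTS, g))
```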