adammontville / cis-controls-71-measures


Subcontrol 17.1 #152

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

Measures

None provided

Metrics

None provided
wmunyan commented 5 years ago

Inputs:

Operations:

Measures:

Metrics:

apiperCIS commented 5 years ago

It might be worth providing a "Minimum acceptable score" as an input, adding an Operation to average the individual employee scores for each exercise/exam to generate an organizational average for each exercise/exam, and then comparing each exercise/exam average to the minimum acceptable score to generate a list of gap topics. Then, this list of skills gap topics can be an input to 17.2. Proposal based on this possible approach is provided below, where M2 would be an input for 17.2. Thoughts?

apiperCIS commented 5 years ago

Inputs
1) Security awareness skill topic areas to be assessed
2) Set of exams/exercises mapped to the topics in Input 1
3) Minimum acceptable score

Operations
1) For each workforce member, administer the exams/exercises from Input 2
2) Score each of the exams/exercises
3) For each security awareness skill topic area in Input 1, average the results of the exams/exercises mapped to that topic area to generate an organizational average for that topic area. Generate a list of topic areas and the organizational averages that are greater than or equal to the minimum acceptable score provided as Input 3 (M1), and a list of topic areas and organizational averages that are below the minimum acceptable score (M2).

Measures
M1: List of security awareness topic areas with averages in the acceptable range (compliant list)
M2: List of security awareness topic areas with averages below the acceptable range (non-compliant list)
M3: Count of security awareness topic areas with averages in the acceptable range (count of M1)
M4: Total count of security awareness topic areas assessed (count of Input 1)

Metrics
Ratio of security awareness topic areas with organizational averages in the acceptable range: M3 / M4
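
The measurement procedure proposed in the two comments above (per-exam organizational averages, rolled up per topic area, compared against a minimum acceptable score to produce the M1/M2 lists and the M3/M4 ratio), written out as an added worked example. This is illustrative code, not part of the cis-controls-71-measures repository; the topic/exam mapping, the member scores and the threshold of 75 are constructed sample inputs, and a topic area whose mapped exams nobody has taken yet is treated as a gap rather than silently dropped, so that M4 still counts every topic in Input 1.

```python
# Constructed sample inputs (not from the issue).
# Input 1 + Input 2: topic areas and the exams/exercises mapped to each.
TOPIC_EXAMS = {
    "phishing": ["exam_phish_1", "exam_phish_2"],
    "password_hygiene": ["exam_pw_1"],
    "data_handling": ["exam_data_1", "exam_data_2"],
    "incident_reporting": ["exam_ir_1"],  # mapped, but no one has taken it yet
}

# Operation 1/2: scored exam results per workforce member (constructed).
SCORES = {
    "alice": {"exam_phish_1": 90, "exam_phish_2": 80, "exam_pw_1": 60,
              "exam_data_1": 85, "exam_data_2": 95},
    "bob":   {"exam_phish_1": 70, "exam_phish_2": 60, "exam_pw_1": 75,
              "exam_data_1": 80, "exam_data_2": 90},
    "carol": {"exam_phish_1": 80, "exam_phish_2": 70, "exam_pw_1": 65,
              "exam_data_1": 90, "exam_data_2": 100},
}

MIN_ACCEPTABLE = 75  # Input 3


def exam_org_average(exam, scores):
    """Organizational average for one exam: mean of every member's score on it.
    Returns None when no member has a score for that exam."""
    results = [s[exam] for s in scores.values() if exam in s]
    return sum(results) / len(results) if results else None


def topic_averages(topic_exams, scores):
    """Operation 3: average the per-exam organizational averages mapped to each
    topic area. A topic with no scored exams gets None (unassessed)."""
    averages = {}
    for topic, exams in topic_exams.items():
        exam_avgs = [a for a in (exam_org_average(e, scores) for e in exams)
                     if a is not None]
        averages[topic] = sum(exam_avgs) / len(exam_avgs) if exam_avgs else None
    return averages


def skills_gap(topic_exams, scores, min_acceptable):
    """Produce M1..M4 and the metric M3 / M4 as described in the proposal."""
    avgs = topic_averages(topic_exams, scores)
    # M1: compliant list (average >= minimum acceptable score)
    m1 = {t: a for t, a in avgs.items() if a is not None and a >= min_acceptable}
    # M2: non-compliant list; unassessed topics (None) count as gaps, not passes
    m2 = {t: a for t, a in avgs.items() if a is None or a < min_acceptable}
    m3 = len(m1)
    m4 = len(topic_exams)  # count of Input 1, including unassessed topics
    metric = m3 / m4 if m4 else 0.0
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "metric": metric}


if __name__ == "__main__":
    result = skills_gap(TOPIC_EXAMS, SCORES, MIN_ACCEPTABLE)
    print("M1 (compliant):", result["M1"])
    print("M2 (gap topics, feed into 17.2):", result["M2"])
    print(f"M3 / M4 = {result['M3']} / {result['M4']} = {result['metric']:.2f}")
```

With the constructed data, phishing averages exactly 75 and data_handling 90 (both in M1), password_hygiene averages about 66.7, and incident_reporting has no results at all, so M2 contains two gap topics and the metric is 2 / 4. Whether an unassessed topic belongs in M2 or should be reported separately is a policy choice; counting it as a gap is the conservative reading of M4 being the count of Input 1.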

wmunyan commented 5 years ago

Good to me - Ship it.