Subcontrol 17.6

[adammontville]

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

Measures

c_i_j = # of properly identified task by employee j in round i
TQ_i_j = # of toal task for employee j in round i
n = # of total employee randomly picked
m = # of round
alpha = damping factor(more recent round will have higer weight) < 1

Metrics/KEI

TP Quality = ( SUM over j: 1 to n ( (SUM over i:0 to m-1 ( (c_i_j / TQ_i_j) * alpha^i ) ) / (SUM over i:0 to m-1 (alpha^i ) ) ) ) / n

Related to each of these "training" pieces. Seems that this should inform v8.0.0 of the controls. What are the characteristics of a security awareness program? How well are employees doing year over year against those tests?

[adammontville]

Inputs

• List of workforce members
• List of most recent completion date for this module of the security awareness training for each workforce member
• Required frequency of training (at least annually)

Operations

• For each workforce member in Input 1, check Input 2 to see if that workforce member's most recent completion date of this training module was within the time frame specified by Input 3 (if the workforce member is not listed in Input 2, assume the workforce member is not compliant). Generate a list of compliant workforce members (M1) and a list of non-compliant workforce members (M2).

Measures

• M1: List of workforce members who have completed this security awareness training module within the specified time frame (compliant list)
• M2: List of workforce members who have not completed this security awareness training module within the specified time frame (non-compliant list)
• M3: Number of workforce members in the compliant list (M1)
• M4: Number of workforce members in the non-compliant list (M2)
• M5: Total number of workforce members in Input 1

Metrics

• Coverage: M3 / M5