ABSTRACT
Monitoring any security awareness initiative should use metrics that reflect behaviours. A metric is normally a specific measure of the performance of a process. Metrics tend to be tactical and occur in the lower, operational areas of an organization. Some indicators that become fundamental to the measuring process may be termed 'key', as in key security indicator (KSI) or key performance indicator (KPI). Indicators are more prevalent higher up an organization, and are often a combination of a number of separate metrics. The use of postal surveys is well understood and is the core of much organizational remote marketing. There are further generic guides that can make one's metrics more effective. These include: clarity, decision enablement, emotion, interest, and relevance. A metric should support or initiate management decisions. The metrics need to be checked for reasonableness as the initiative progresses, and there should be an annual analysis to ensure the measurement initiative remains appropriate and targeted.
