Moving from benchmarking to baselining.
By Eh’den Biber
Trying to figure out the level of awareness of information security within an organisation is a daunting task. Throughout the years I’ve seen multiple attempts to deliver effective metrics and frankly – most of them sucked, big time, including the ones I came up with. Retrospectively I can humbly say – especially the ones I’ve chosen.
The difficulty arises from the simple fact that most of the information security professionals who are assigned to deliver such a task have no clue what awareness is. We (humans) think we know what awareness is, but since our experience is subjective, we don’t have a clue what it actually means. Awareness, or the nature of consciousness which is aware of itself, is beyond the scope of this article. I’ve written a series of articles about it (the desolation of awareness) and I invite you to read them, rather than repeat segments of it.