Real data about risky employee habits can provide easy justification

ScottWright
Group Administrator

Subject: Real data about risky employee habits can provide easy justification
Justifying Security
posted by ScottWright on Sunday, October 5th 2008 @ 11:46 PM

One of the best ways I know of to justify investment in security is to find some real live data. When you are able to take measurements that give an indication of whether or not your staff are observing good security practices, you have some solid basis for taking action.

Measurement involves first deciding which metrics can provide valuable information, and then finding a way to collect these metrics. Often, there are metrics available from places such as the IT Helpdesk that can be analyzed. This is a source you should not overlook.

Another way to justify investing in security awareness training is to look for metrics that reflect risky human actions. This is what the Honey Stick Project does. It uses a single type of event - the insertion of a USB memory stick into a computer and opening of a file on the device - as an indication of a risky human action.

This action is risky because these types of devices - just like malicious email messages - can have dangerous programs, files and links on them. However, the Honey Stick Project uses only passive HTML files that can give an indication of when they are opened.

Public measurements done by The Honey Stick Project show that over 40% of all the devices deployed in publicly accessible areas get inserted and have files opened. So, unless you have already put a security awareness program in place, there's a good chance that running the same test in your work environment would produce a similarly alarming result.

This should not scare you from taking the first step of trying to measure this indicator. The sooner you know about potentially risky behavior, the sooner you can take corrective action - and possibly avoid a significant breach of sensitive information.

If you are interested in trying a Honey Stick Security Awareness Measurement in your organization, click HERE to let me know. I have a free introductory program that is easy to administer, and will provide you with some simple data to help you decide if you need to take serious action.

________________________________
Scott Wright
The Streetwise Security Coach

Would your organization be interested in obtaining the right to use my lessons or articles in your enterprise security awareness program? Please email me at the address below...

Email: scott@streetwise-security-zone.com
Twitter: http://www.twitter.com/streetsec
Phone: 613-693-0997
Podcast: http://www.streetwise-security-zone.com/podcast.html


Copyright 2012. Security Perspectives Inc. All Rights Reserved.