
MedISA
Medical Centre Employee Centered Information Security Awareness
Key Performance Indicators for Measuring Objective Information Security Awareness
These metrics make the behavior and knowledge level of staff members quantifiable. They make it possible to systematically evaluate the effectiveness of training, awareness campaigns, or internal policies and to improve them continuously on the basis of that data. Such KPIs should be collected and interpreted within appropriate observational designs so that the results are meaningful and reliable. The KPIs considered in the project do not represent a complete list, but rather offer exemplary reference points for the data-driven evaluation of security-relevant measures.
KPI | Explanation | Level |
---|---|---|
Password complexity (length) | Strength of passwords chosen for access protection | Per user |
Password change interval | Frequency of password changes to avoid long-term compromise | Per user |
Number of reported security incidents | Number of registered security incidents | Entire clinic or organizational units |
IT security training rate in the clinic | Proportion of employees who have received training | Per user |
Security incidents involving human error | Incidents in which human failure played a role | Per user |
Awareness of reporting procedure | Employee awareness of the process for reporting incidents | Per user |
Click rates in phishing campaigns | Proportion of clicks on simulated phishing emails | Per user |
Clean desk | Implementation of tidy workspaces for data protection | Per user |
Rate of accounts locked due to incorrect password entry | User accounts locked due to repeated incorrect login attempts | Per user |
Number of security incidents | Absolute number of security-related incidents | Entire clinic or organizational units |
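
The "Level" column matters when these KPIs are actually computed: some are derived per user, others only make sense aggregated over an organizational unit or the whole clinic. The following is an added example, not part of the MedISA project material, that derives a few of the listed KPIs from constructed sample records; the user ids, units and event lists are invented for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (not real clinic records): five users in two
# organizational units, one simulated phishing campaign, a training
# register, account-lockout events and reported security incidents.
UNIT_OF = {"u1": "radiology", "u2": "radiology",
           "u3": "icu", "u4": "icu", "u5": "icu"}
PHISHING = [("u1", 4, 1), ("u2", 4, 0), ("u3", 4, 2),    # (user, sent, clicked)
            ("u4", 4, 0), ("u5", 4, 0)]
TRAINED = {"u1", "u2", "u3"}                             # completed IT security training
LOCKOUTS = ["u3", "u3", "u1"]                            # one entry per account-lock event
INCIDENTS = [("u3", True), ("u1", False), ("u5", True)]  # (user, human error involved?)


def per_user_kpis(phishing, lockouts):
    """Per-user level: phishing click rate and number of account lockouts."""
    locks = Counter(lockouts)
    kpis = {}
    for user, sent, clicked in phishing:
        kpis[user] = {
            "phishing_click_rate": clicked / sent if sent else 0.0,
            "account_lockouts": locks.get(user, 0),
        }
    return kpis


def per_unit_kpis(unit_of, trained, incidents):
    """Organizational-unit level: training rate and incident counts."""
    members = defaultdict(set)
    for user, unit in unit_of.items():
        members[unit].add(user)
    kpis = {}
    for unit, users in members.items():
        # Incidents are attributed to the unit of the user involved.
        unit_incidents = [human for user, human in incidents if unit_of[user] == unit]
        kpis[unit] = {
            "training_rate": len(users & trained) / len(users),
            "security_incidents": len(unit_incidents),
            "incidents_with_human_error": sum(unit_incidents),
        }
    return kpis


def clinic_training_rate(unit_of, trained):
    """Entire-clinic level: share of all staff with completed training."""
    return len(trained & set(unit_of)) / len(unit_of)
```

Per-user values (click rate, lockouts) can be compared before and after a campaign, while unit- and clinic-level rates are what the table's "Entire clinic or organizational units" KPIs refer to.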