EMPLOYEE SECURITY INDEX (ESI®): The security awareness indicator
What is the Employee Security Index (ESI®)?
The ESI® is an IT security key indicator and makes the IT security awareness of your employees measurable. It was scientifically developed and offers a high comparability and reliability due to its standardization.
Against what, under what conditions and to what degree are you safe? This question poses great challenges when it comes to securing the company and investment decisions. IT-Seal has developed a benchmark, the 'Employee Security Index' (ESI®), for the area of social engineering and phishing awareness.
Based on the current state of research and our experience with phishing simulations in companies of various industries, we have derived tolerance levels for the behavior of employees in the face of social engineering attacks. The tolerance level depends on the preparation time that an attacker has to spend on the corresponding attack.
Our video explains the ESI® in just two minutes
How does the Employee Security Index (ESI®) work?
The ESI® makes security awareness training on a scientific foundation measurable.
Standardization as the basis for measurability
To make security awareness measurable, a realistic simulation of attacks is indispensable. Individual attacks should also be comparable with each other - only then can a measurement over a longer period of time provide information about the development of security awareness.
In order to make social engineering attacks comparable, we classify them into different categories. The decisive factor here is the preparation time that a criminal must invest in the preparation and execution of an attack scenario.
This consists, for example, of the procurement of information (OSINT), technical preparation, copying of designs (clone phishing), and the provision of the infrastructure. Thus, five categories can be divided, each of which corresponds to a preparation time of approx. 1, 4, 10, 20 and 40 hours.
Procedure for determining the ESI®
- Each member of an employee group receives several individual spear phishing emails in different levels of difficulty
- The reaction (the behaviour of security) of the employees is measured
- The behaviour regarding the different levels of difficulty is set in relation to an 'exemplary' test group, which is assigned an ESI of 90®
- At the behaviour of security with twice the error rate compared to the 'exemplary' test group, an ESI of 80 is achieved, with three times the error rate an ESI® of 70 and so on
Critical average level shows need for action
An analysis of more than 75,000 simulated e-mails provides a revealing insight into the security behavior of individual departments, as shown in the figure on the left across the company.
All test groups show critical phishing awareness, with an average Employee Security Index of 46.2. While the HR, IT and finance departments perform above average across the company, the managers, assistants and the C-level stand out at the lower end.
The ESI® om the Awareness Programm 'Lifetime'
With the help of 'Lifetime' you define a goal-ESI®, which we will achieve together with you. In addition to our phishing simulation, we also use other security awareness measures, such as short videos, face-to-face training and e-learning.
The ESI® thus represents a control instrument with which the security awareness in companies can be continuously monitored. The effectiveness of individual training measures can be checked and concrete needs can be identified. The anonymous evaluation of the results on a group basis contributes to employee protection. Communication with both management and staff is facilitated by a tangible key figure: a quantitative analysis of security awareness offers a direct comparison with other companies in similar industries and can thus be used as a basis for decisions on further investments.
Unser Whitepaper zum EMPLOYEE SECURITY INDEX
The whitepaper about our in-house developed Employee Security Index (ESI®) informs you scientifically and factually about the advantages of our benchmark.