A population of information system users may be assumed to have acquired a certain degree of understanding around information security. Their awareness will stretch to knowing how to identify phishing, recognize malicious links, and be streetwise in navigating around the internet. But how can one quantify such understanding?

This matter becomes relevant when information security awareness programs are launched and the questions about return on investment are tabled. Is it possible to measure the information security awareness across a population? 

Solution pointers and/or advice to any of these questions are welcome. Thank you.
