
Security Awareness Survey

Description
Last Updated: March 15, 2010
Info@honeytech.com | http://www.honeytech.com

Table of Contents

1. Executive Summary

2. Our Methodology

3. Awareness Survey

License: This document is copyright Honeytech Inc. It is distributed under the Creative Commons
Attribution-Noncommercial 3.0 License. This means you are free to modify, distribute and use the
document for internal purposes. You however may not resell this document. Full details of the license can
be found at http://creativecommons.org/licenses/by-nc/3.0/.

Copyright © Honeytech Inc Security Awareness Survey



1. Executive Summary
Security awareness is a critical part of information security. It is the common knowledge and
behaviors of the organization to protect itself against information security risks. Humans,
just like computers, store, process and transfer information. As a result many attackers
today target the human, bypassing most security controls and using techniques such as
social engineering to get what they want. Awareness, not just technology, is becoming a
key factor in an organization’s ability to reduce risk, protect its reputation, improve
governance and in many cases be compliant. The long term benefits to your organization
with a successful awareness program include greater awareness, increased security and
improved online productivity for employees and the company as a whole.

2. Our Methodology
One of the first steps HoneyTech recommends for any security awareness program is to
establish a baseline: determine what your organization’s awareness is before the program
begins. This baseline then becomes a metric by which you can track the progress of the
program. For example, you can use the baseline to identify areas where the organization
needs more or less work. To help establish the baseline we recommend two methods which
are often combined, an awareness assessment and an awareness survey. An awareness
survey is used to question employees and contractors about their awareness of your
organization’s policies and best practices. Policies, processes and procedures are of little
use in your organization if no one is aware of them or people are not following the policies
correctly. An awareness assessment replicates many common attacks that are directed
against the human, such as phishing attacks, phone calls or scams. In this document we
cover the awareness survey.

3. Awareness Survey
An awareness survey is used to determine the level of knowledge your employees have
concerning policies, processes and procedures. It is a series of questions usually given
online or in person. Below is a series of twenty-five questions we recommend for your
organization. We recommend this survey be given before your program starts, then be
given at standard intervals, such as once a quarter or every six months. The survey should
be given to a random selection of employees and contractors to ensure the validity of the
survey.


1. What is your position?


a. Management
b. Technical
c. Sales
d. Other

2. What is your relation with the company?


a. Full time employee
b. Part time employee
c. Contractor
d. Partner
e. Vendor
f. Other

3. Do we have a security team?


a. Yes, we have a company security team.
b. No, we do not have a company security team.
c. I do not know.

4. Do you know who to contact in case you are hacked or if your computer is infected?
a. Yes, I know who to contact.
b. No, I do not know who to contact.

5. Have you ever found a virus or Trojan on your computer at work?


a. Yes, my computer has been infected before.
b. No, my computer has never been infected.
c. I do not know what a virus or Trojan is.

6. Do you know how to tell if your computer is hacked or infected?


a. Yes, I know what to look for to see if my computer is hacked or infected.
b. No, I do not know what to look for to see if my computer is hacked or infected.

7. Have you ever given your password from work to someone else?
a. Yes
b. No

8. If you format a hard drive or erase the files on it, all the information on it is permanently lost.
a. True
b. False

9. How secure do you feel your computer is?


a. Very secure
b. Secure
c. Not secure


10. Is the firewall on your computer enabled?


a. Yes, it is enabled.
b. No, it is not enabled.
c. I do not know what a firewall is.

11. Is your computer configured to be automatically updated?


a. Yes, it is.
b. No, it is not.
c. I do not know.

12. How careful are you when you open an attachment in email?
a. I always make sure it is from a person I know and I am expecting the email.
b. As long as I know the person or company that sent me the attachment I open it.
c. There is nothing wrong with opening attachments.

13. Do you know what a phishing attack is?


a. Yes, I do.
b. No, I do not.

14. Do you know what an email scam is and how to identify one?
a. Yes I do.
b. No, I do not.

15. Is anti-virus currently installed, updated and enabled on your computer?


a. Yes it is.
b. No it is not.
c. I do not know how to tell.
d. I do not know what anti-virus is.

16. My computer has no value to hackers, they do not target me.


a. True
b. False

17. Do we have policies on which websites you can visit?


a. No, there are no policies, I can visit whatever websites I want while at work.
b. Yes, there are policies limiting what websites I can and cannot visit while at work, but I
do not know the policies.
c. Yes, there are policies and I know and understand them.

18. Do we have policies on what you can and cannot use email for?
a. No, there are no policies, I can send whatever emails I want to whomever I want while at
work.
b. Yes, there are policies limiting what emails I can and cannot send while at work, but I do
not know the policies.
c. Yes, there are policies and I know and understand them.


19. Is instant messaging allowed in our organization?


a. Yes, instant messaging is allowed in our organization.
b. No, instant messaging is not allowed in our organization.
c. I do not know.

20. Can you use your own personal devices, such as your mobile phone, to store or transfer
confidential company information?
a. Yes I can.
b. No I cannot.
c. I do not know.

21. Have you downloaded and installed software on your computer at work?
a. Yes I have.
b. No I have not.

22. Has your boss or anyone else you know at work asked you for your password?
a. Yes, they have.
b. No, they have not.

23. Do you use the same passwords for your work accounts as you do for your personal accounts at
home, such as Facebook, Twitter or your personal email accounts?
a. Yes I do.
b. No I do not.

24. How often do you take information from the office and use your computer at home to work on it?
a. Almost every day.
b. At least once a week.
c. At least once a month.
d. Never.

25. Have you logged into work accounts using public computers, such as from a library, cyber café or
hotel lobby?
a. Yes, I have.
b. No, I have not.

26. If you delete a file from your computer or USB stick, that information can no longer be recovered.
a. True
b. False
