Efficacy and Metrics of Security Awareness Training

Untrained employees can present a huge security risk for businesses of all types and sizes.

Your organization needs actual data to measure the level of understanding and awareness, and thereby the level of risk. As security awareness training is implemented and evaluated over time, it becomes possible to draw a correlation between effective training and reduced security incidents.

Efficacy Stats: Key Findings

#1: Clients who use training courses have lower risk and better-educated users

#2: Risk is reduced with more Security Awareness Training

These trends show that after a year of ongoing training, the average click-through rate on a phishing simulation dips below 5%, which is approximately a 70% reduction.

Awareness Metrics

To measure the impact of your awareness program and effectively change behavior, we recommend you run phishing simulations monthly, or at close to that frequency.

Phishing simulations:

Click Results measure the number of people who fall victim to a phishing simulation. This number should decrease over time as end users become more aware of how to handle these types of messages.

Phishing Reporting measures the number of people who detect and report a phishing email. This number should increase over time as behaviors change.

Phishing Repeat Offenders measures the number of individuals who click in simulation after simulation. These individuals represent a high risk to the organization and should be addressed with additional, more frequent testing.

Compliance Metrics

We recommend you also run training courses regularly, on a monthly, bi-monthly, or quarterly basis.

Training courses:

Training Completion measures the number of people who took the training and completed it.

Quiz Passing Rates measure the number of people who took the training and passed the quiz.
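The following is an added example, not part of the original page or any vendor's product, showing how the awareness and compliance metrics described above can be computed from raw simulation and training records. All data below is constructed for illustration: three monthly phishing simulations sent to four hypothetical users, plus one training course with completion and quiz results. The repeat-offender threshold (two or more clicks across campaigns) is an assumption, since the page does not define one.

```python
from collections import Counter

# Constructed sample data (not real results). One row per user per campaign:
# (campaign, user, clicked_link, reported_email)
PHISHING_RESULTS = [
    ("2024-01", "alice", True,  False),
    ("2024-01", "bob",   True,  False),
    ("2024-01", "carol", False, True),
    ("2024-01", "dave",  False, False),
    ("2024-02", "alice", True,  False),
    ("2024-02", "bob",   False, True),
    ("2024-02", "carol", False, True),
    ("2024-02", "dave",  False, False),
    ("2024-03", "alice", True,  False),
    ("2024-03", "bob",   False, True),
    ("2024-03", "carol", False, True),
    ("2024-03", "dave",  False, True),
]

# Constructed training records: (user, completed_course, passed_quiz)
TRAINING_RESULTS = [
    ("alice", True,  False),
    ("bob",   True,  True),
    ("carol", True,  True),
    ("dave",  False, False),
]


def campaigns(results):
    """Campaign identifiers in chronological order (ISO dates sort correctly)."""
    return sorted({row[0] for row in results})


def _rate(rows, index):
    """Fraction of rows where the boolean at `index` is True; 0.0 if no rows."""
    if not rows:
        return 0.0
    return sum(1 for row in rows if row[index]) / len(rows)


def click_rate(results, campaign):
    """Click Results: share of recipients who fell for the simulation."""
    return _rate([r for r in results if r[0] == campaign], 2)


def report_rate(results, campaign):
    """Phishing Reporting: share of recipients who reported the message."""
    return _rate([r for r in results if r[0] == campaign], 3)


def repeat_offenders(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns (assumed threshold)."""
    clicks_per_user = Counter(r[1] for r in results if r[2])
    return sorted(u for u, n in clicks_per_user.items() if n >= threshold)


def click_rate_reduction(results):
    """Relative drop in click rate from the first to the latest campaign."""
    ids = campaigns(results)
    first, last = click_rate(results, ids[0]), click_rate(results, ids[-1])
    return 0.0 if first == 0 else (first - last) / first


def completion_rate(training):
    """Training Completion: share of users who finished the course."""
    return _rate(training, 1)


def quiz_pass_rate(training):
    """Quiz Passing Rate: share of users who passed the quiz."""
    return _rate(training, 2)


def trend(results):
    """Per-campaign click and report rates, useful for charting the trend."""
    return {c: (click_rate(results, c), report_rate(results, c)) for c in campaigns(results)}


if __name__ == "__main__":
    for c, (clicked, reported) in trend(PHISHING_RESULTS).items():
        print(f"{c}: click {clicked:.0%}  report {reported:.0%}")
    print("repeat offenders:", repeat_offenders(PHISHING_RESULTS))
    print(f"click-rate reduction: {click_rate_reduction(PHISHING_RESULTS):.0%}")
    print(f"completion {completion_rate(TRAINING_RESULTS):.0%}, "
          f"quiz pass {quiz_pass_rate(TRAINING_RESULTS):.0%}")
```

In the constructed data the click rate falls from 50% to 25% (a 50% reduction) while the report rate rises from 25% to 75%, which is the direction both metrics should move; the one user who clicks in every campaign is flagged for the additional, more frequent testing the page recommends. The same functions work unchanged on exported results from a real simulation platform once mapped to the four-field row shape.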