In February 2021, an operator at the water treatment plant in Oldsmar, Florida watched a remote session take control of his workstation and raise the sodium hydroxide setpoint to a level that could have poisoned the city's water supply. The intruder came in through TeamViewer, using a password shared among plant staff on an internet-exposed machine. No phishing email required. The incident raised a question that boardrooms across the country still struggle to answer: would better security awareness training have prevented this? And more importantly, how would you even know?

If you're asking how to measure security awareness training, you're already ahead of most organizations. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element — credential theft, social engineering, misuse, or simple error. Training exists to shrink that number. But too many programs run on autopilot: annual slideshow, checkbox signed, move on. That's not a program. That's theater.

I've spent years building and evaluating training programs, and I'll tell you this: measurement isn't optional. It's the entire point. Here's how to do it with metrics that actually mean something.

Why Most Organizations Get Measurement Wrong

The most common mistake I see is treating completion rates as success metrics. "95% of employees completed training" tells you almost nothing. It tells you people clicked through slides. It doesn't tell you whether a single person would recognize a credential theft attempt in their inbox tomorrow morning.

Completion is an input metric. What you need are outcome metrics — measurable changes in behavior that reduce your organization's risk surface. The difference matters enormously when a threat actor targets your accounts payable department with a spoofed invoice.

The second mistake is measuring too infrequently. An annual training snapshot captures a moment in time. Threat landscapes shift monthly. Your measurement framework needs to keep pace.

The 7 KPIs That Actually Answer How to Measure Security Awareness Training

Here's the framework I recommend. These seven metrics, tracked consistently, give you a reliable picture of whether your program is working or wasting budget.

1. Phishing Simulation Click Rates

This is the single most actionable metric in security awareness. Run regular phishing simulations — monthly or bimonthly — and track the percentage of employees who click malicious links, open attachments, or enter credentials on fake landing pages.

The 2021 Verizon DBIR found phishing present in 36% of breaches, up from 25% the year before. That is the reason the metric matters; the DBIR does not give you a click-rate benchmark. Your click rate trend over time tells you whether your workforce is getting harder or easier to fool, but only if you compare like with like: a crude lure and a well-crafted spear-phish sent to the same population will produce very different click rates, so track the trend per template difficulty rather than only the blended number. A mature program should push click rates on moderately difficult lures below 5% within 12 months.

Don't just track the aggregate number. Break it down by department, role, and seniority. In my experience, finance and executive teams are the highest-value targets and often the highest clickers. Organizations running phishing awareness training for their teams can segment these campaigns to target the groups that need the most help.

2. Reporting Rates (The Metric People Forget)

Click rate tells you who failed. Reporting rate tells you who actively defended the organization. When an employee receives a suspicious email and reports it through your designated channel — phish button, IT helpdesk, security team alias — that's a measurable defensive action.

Track the ratio of reports to simulations sent, counting only reports that arrive through the designated channel, and counting a report even when the same person clicked first: a click followed by a report still gets the incident in front of your responders. A rising reporting rate is one of the strongest indicators that security culture is taking root. Aim for a reporting rate that exceeds your click rate. When more people report than click, you've built a human firewall.

3. Time to Report

Speed matters. If an employee reports a real phishing attempt 45 minutes after it lands, your incident response team has a window to pull the email from other inboxes before more people click. If it takes 8 hours, the damage is already done.

Track the median time between simulated phish delivery and employee report, and alongside it the time to first report, because the first report is what opens the response window. Watch for both numbers to shrink quarter over quarter.

4. Repeat Offender Rate

Some employees will click every simulation you send. Identifying these repeat offenders isn't about shaming them — it's about targeted intervention. Track the percentage of employees who fail two or more simulations within a rolling 12-month window.

This metric helps you allocate training resources efficiently. Repeat offenders may need one-on-one coaching, different training modalities, or adjusted access privileges. In a zero trust architecture, this data can inform access control decisions directly.
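The four simulation-derived KPIs above all come out of one data set: a per-recipient record of when each simulated email was delivered, clicked and reported. Here is an added Python example, not code from this article or from any simulation platform, that computes click rate, reporting rate, median time to report and a rolling 12-month repeat offender rate from such records, with the department breakdown recommended under KPI 1. The Event schema, the user and department names and the timestamps are constructed for illustration; a real run would read the export from your phishing platform or mail gateway.

```python
"""Phishing-simulation KPIs 1-4 computed from per-recipient event records.

Added example for this article, not code from any simulation platform. The
Event schema, the user and department names and all timestamps below are
constructed for illustration; swap in your platform's export.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from statistics import median

# One record per recipient per campaign. 'clicked' and 'reported' are ISO-8601
# timestamps or None; a user who clicked and then reported keeps both.
Event = namedtuple("Event", "campaign user department sent clicked reported")

EVENTS = [  # constructed sample data
    Event("2024-01", "alice", "finance", "2024-01-10T09:00:00", "2024-01-10T09:04:00", None),
    Event("2024-01", "bob",   "finance", "2024-01-10T09:00:00", None, "2024-01-10T09:20:00"),
    Event("2024-01", "carol", "eng",     "2024-01-10T09:00:00", None, "2024-01-10T09:06:00"),
    Event("2024-01", "dave",  "eng",     "2024-01-10T09:00:00", None, None),
    Event("2024-02", "alice", "finance", "2024-02-12T09:00:00", "2024-02-12T09:11:00", None),
    Event("2024-02", "bob",   "finance", "2024-02-12T09:00:00", None, "2024-02-12T09:03:00"),
    Event("2024-02", "carol", "eng",     "2024-02-12T09:00:00", None, "2024-02-12T10:30:00"),
    Event("2024-02", "dave",  "eng",     "2024-02-12T09:00:00", "2024-02-12T09:45:00", "2024-02-12T09:50:00"),
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def _select(events, campaign=None, department=None):
    return [e for e in events
            if (campaign is None or e.campaign == campaign)
            and (department is None or e.department == department)]


def click_rate(events, campaign=None, department=None):
    """KPI 1: fraction of recipients who clicked (None if nobody was targeted)."""
    rows = _select(events, campaign, department)
    return sum(1 for e in rows if e.clicked) / len(rows) if rows else None


def report_rate(events, campaign=None, department=None):
    """KPI 2: fraction of recipients who reported via the sanctioned channel.
    A click followed by a report still counts as a report: the IR team learns
    of the campaign either way."""
    rows = _select(events, campaign, department)
    return sum(1 for e in rows if e.reported) / len(rows) if rows else None


def median_time_to_report_minutes(events, campaign):
    """KPI 3: median minutes from delivery to report, over those who reported."""
    delays = [(_ts(e.reported) - _ts(e.sent)).total_seconds() / 60
              for e in _select(events, campaign) if e.reported]
    return median(delays) if delays else None


def repeat_offender_rate(events, as_of=None, window_days=365):
    """KPI 4: share of recipients in the trailing window who clicked in two or
    more distinct campaigns. Counting campaigns rather than raw clicks keeps a
    user who clicked two links in one email from being flagged as a repeat."""
    as_of = as_of or max(_ts(e.sent) for e in events)
    window_start = as_of - timedelta(days=window_days)
    recipients = set()
    clicked_campaigns = defaultdict(set)
    for e in events:
        if window_start < _ts(e.sent) <= as_of:
            recipients.add(e.user)
            if e.clicked:
                clicked_campaigns[e.user].add(e.campaign)
    if not recipients:
        return None
    offenders = [u for u, camps in clicked_campaigns.items() if len(camps) >= 2]
    return len(offenders) / len(recipients)


def by_department(events, campaign):
    """Segment KPIs 1 and 2 for one campaign, as the article recommends."""
    depts = sorted({e.department for e in _select(events, campaign)})
    return {d: {"click_rate": click_rate(events, campaign, d),
                "report_rate": report_rate(events, campaign, d)} for d in depts}


if __name__ == "__main__":
    for campaign in sorted({e.campaign for e in EVENTS}):
        print(campaign,
              f"click={click_rate(EVENTS, campaign):.0%}",
              f"report={report_rate(EVENTS, campaign):.0%}",
              f"median_ttr={median_time_to_report_minutes(EVENTS, campaign):.0f}min",
              by_department(EVENTS, campaign))
    print(f"repeat offenders (12 mo): {repeat_offender_rate(EVENTS):.0%}")
```

Two design choices worth copying into whatever you build: a recipient who clicks and then reports counts in both the click rate and the reporting rate, because the report is still the action that gets responders involved; and the repeat offender rate counts distinct campaigns failed, not raw clicks, so one email with two links cannot turn a first-time clicker into a "repeat offender".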

5. Real Incident Volume Tied to Human Error

Pull data from your incident response logs. How many security incidents in the past quarter were caused by or involved employee behavior? This includes clicking real phishing links, falling for social engineering phone calls, misconfiguring cloud storage, or sharing credentials.

This is your ground truth metric. Simulations measure what might happen. Incident data measures what did happen. A declining trend in human-error incidents is the strongest possible evidence that your security awareness program works.

6. Knowledge Assessment Scores

Periodic quizzes and assessments — not the ones embedded in training modules, but standalone evaluations — measure knowledge retention. Test employees on topics like recognizing social engineering tactics, understanding multi-factor authentication, identifying ransomware delivery methods, and following data handling procedures.

Administer these quarterly. Track average scores and distribution. If 30% of your workforce can't identify a pretexting attack three months after training, your training content has a retention problem.

7. Policy Compliance Rates

Awareness should translate to compliance. Measure adherence to specific security policies: MFA adoption rates, password manager usage, clean desk compliance, USB policy violations, and shadow IT incidents. These are behavioral proxies that connect training to operational security.

If your organization rolled out multi-factor authentication and adoption stalls at 70%, look at enforcement first: MFA is a control your identity provider can require, not something users should have to opt into. Where enrollment is voluntary, or where people keep finding ways around the prompt, the stalled number is telling you the awareness message isn't landing, and exactly where to focus.

What Is the Best Way to Measure Security Awareness Training Effectiveness?

The best way to measure security awareness training effectiveness is to combine leading indicators (phishing simulation click rates, knowledge scores, reporting rates) with lagging indicators (real incident volume, policy compliance, data breach costs). No single metric tells the full story. A dashboard that tracks all seven KPIs listed above — reviewed monthly by security leadership and quarterly by executive management — provides the clearest picture of program ROI and risk reduction.

Building a Measurement Cadence That Works

Here's the schedule I've seen work best in organizations of 200 to 5,000 employees:

  • Monthly: Phishing simulations with immediate feedback. Track click rate, report rate, and time to report.
  • Quarterly: Knowledge assessments. Review repeat offender lists. Pull incident data. Brief leadership.
  • Biannually: Deep-dive analysis. Compare metrics to the previous period. Adjust training content based on gaps. Align with emerging threats.
  • Annually: Full program review. Benchmark against industry data like the Verizon DBIR. Set targets for the next 12 months. Report to the board.

This cadence creates a feedback loop. You identify weaknesses, adjust training, and verify improvement. Without the loop, you're flying blind.

Connecting Metrics to Real-World Threat Reduction

The FBI's Internet Crime Complaint Center (IC3) reported $2.4 billion in adjusted losses from business email compromise (BEC) in 2021, the costliest category of cybercrime it tracks. BEC attacks are almost entirely social engineering. No malware. No zero-days. Just a convincing email and a human who doesn't question it.

When you measure your phishing simulation data against real BEC attempts that hit your organization, you start quantifying how much money your awareness program saves. If your finance team's click rate dropped from 22% to 3% over six months, and you blocked two real BEC attempts during that window because employees reported them — that's measurable, concrete ROI.

CISA's guidance on cybersecurity best practices explicitly recommends ongoing employee training as a foundational defense. Measurement is what turns that recommendation from a checkbox into a capability.

Tools and Frameworks for Tracking These Metrics

You don't need a six-figure platform to start measuring. Here's a practical approach:

Start With Phishing Simulations

Phishing simulations are the fastest path to actionable data. They generate click rates, reporting rates, and repeat offender data in a single exercise. If your organization hasn't started running simulations yet, our phishing awareness training program is designed to get you operational quickly with realistic scenarios tailored to common threat actor techniques.

Use the NIST Cybersecurity Framework for Structure

NIST's framework maps naturally to awareness metrics. The "Protect" function includes awareness and training (PR.AT). The "Detect" function maps to employee reporting. The "Respond" function connects to incident metrics. Using NIST CSF as your organizing principle gives your measurement program a language that auditors and executives already understand.

Build a Simple Dashboard

A spreadsheet works for organizations under 500 people. Track each of the seven KPIs monthly. Use conditional formatting to highlight trends. Green for improving. Red for deteriorating. The visual forces action.

For larger organizations, integrate simulation data, helpdesk ticket data, and incident response data into a BI tool. The point isn't complexity — it's visibility.

The Metrics That Convince Your Board

Security leaders often ask me how to get executive buy-in for awareness programs. The answer is always the same: show them numbers they care about.

Boards don't care about click rates. They care about risk reduction and cost avoidance. Translate your metrics:

  • "Our phishing click rate dropped from 18% to 4%" becomes "We reduced the probability of a successful phishing-based breach by 78%."
  • "Employee reporting rate increased 340%" becomes "Our mean time to detect social engineering attacks dropped from 8 hours to 22 minutes."
  • "Repeat offender rate fell to 2%" becomes "98% of our workforce now consistently demonstrates secure email behavior."

IBM's 2021 Cost of a Data Breach Report pegged the average breach cost at $4.24 million, and found that organizations with an incident response team that tested its plan saw costs $2.46 million lower than those with neither. That saving belongs to incident response readiness, not to awareness training, so don't present it as the return on your program; the report lists employee training separately as one of many cost-mitigating factors. Put your own incident trend next to IBM's average breach cost and you have the number that moves budgets.

Where to Start If You're Measuring Nothing Today

If your organization currently has no measurement framework — and based on what I see in the field, roughly half of mid-market organizations don't — here's your 90-day plan:

Month 1: Establish a baseline. Send your first phishing simulation to all employees. Record click rate, report rate, and time to report. Administer a 15-question knowledge assessment covering phishing, ransomware, social engineering, password hygiene, and data handling.

Month 2: Deliver targeted training based on baseline gaps. If credential theft scenarios had a 25% click rate but malware attachment scenarios only had 8%, focus your content on credential theft. Enroll your team in cybersecurity awareness training that covers the full spectrum of current threats.

Month 3: Run a second simulation and assessment. Compare results to Month 1. You now have a trend — and a trend is the beginning of a program.
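Before you take a Month 1 to Month 3 comparison, or the board translations in the previous section, to leadership, check that the change is larger than sampling noise. A drop from 25% to 8% across 160 recipients is real; the same headline drop across a 20-person pilot is not distinguishable from chance. The added Python example below, not from this article or from any vendor tool, runs a pooled two-proportion z-test on two campaigns' click counts, reports the relative reduction in click rate, and flags when the groups are too small for the normal approximation to hold. The recipient and click counts in it are constructed.

```python
"""Is a drop in click rate real or noise? Two-proportion z-test plus the
relative reduction usually quoted to executives.

Added example for this article, not from any vendor platform or statistics
library. The campaign sizes and click counts used below are constructed.
"""
import math


def _two_sided_p_value(z):
    """P(|Z| >= |z|) for a standard normal, via the complementary error function."""
    return math.erfc(abs(z) / math.sqrt(2))


def compare_click_rates(clicks_before, n_before, clicks_after, n_after, alpha=0.05):
    """Compare the click rates of two campaigns.

    Returns the raw rates, the relative reduction (the figure usually quoted
    to executives), the z statistic and two-sided p-value of a pooled
    two-proportion z-test, and whether the normal approximation is defensible
    (at least five expected clicks and five expected non-clicks per group).
    """
    if n_before <= 0 or n_after <= 0:
        raise ValueError("each campaign needs at least one recipient")
    p_before = clicks_before / n_before
    p_after = clicks_after / n_after
    pooled = (clicks_before + clicks_after) / (n_before + n_after)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_before + 1 / n_after))
    # se == 0 means both campaigns sat at exactly 0% or 100%: no evidence of change.
    z = (p_before - p_after) / se if se else 0.0
    p_value = _two_sided_p_value(z)
    approximation_ok = all(n * pooled >= 5 and n * (1 - pooled) >= 5
                           for n in (n_before, n_after))
    return {
        "rate_before": p_before,
        "rate_after": p_after,
        "relative_reduction": (p_before - p_after) / p_before if p_before else None,
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
        "approximation_ok": approximation_ok,
    }


if __name__ == "__main__":
    # Constructed: a 160-person baseline at 25% versus a follow-up at about 8%.
    large = compare_click_rates(40, 160, 13, 160)
    # Constructed: the same headline drop observed in a 20-person pilot.
    small = compare_click_rates(5, 20, 2, 20)
    for name, r in (("160 recipients", large), ("20 recipients", small)):
        print(f"{name}: {r['rate_before']:.1%} -> {r['rate_after']:.1%} "
              f"({r['relative_reduction']:.0%} relative), z={r['z']:.2f}, "
              f"p={r['p_value']:.3f}, significant={r['significant']}, "
              f"approx_ok={r['approximation_ok']}")
```

Report the relative reduction and the p-value together. When approximation_ok is false, as it is for the 20-person pilot, the honest statement to leadership is "too early to tell", and the fix is to keep running monthly campaigns until the pooled counts are large enough rather than to read a trend into two small samples.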

Ninety days. That's all it takes to move from guessing to measuring.

Measurement Is the Program

I've audited awareness programs at organizations that spent six figures on slick video content and had nothing to show for it. I've also seen lean programs — basic simulations, targeted training, consistent measurement — cut real incident rates in half within a year.

The difference was never the content. It was always the measurement. When you know how to measure security awareness training, you know exactly where your organization is vulnerable, exactly where to invest, and exactly whether that investment is paying off.

Every data breach that starts with a human decision is a measurement failure. The data was available. Someone just wasn't tracking it.

Start tracking it today.