Your Training Program Is Worthless Without Proof
In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to the help desk. The company almost certainly had a security awareness program in place. So did Caesars Entertainment, which paid a $15 million ransom around the same time. Training existed. Measurement apparently didn't — or at least not the kind that catches gaps before a threat actor exploits them.
If you're wondering how to measure security awareness training, you're asking the right question at the right time. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element: someone falling for social engineering, handing over credentials, or making a simple error. Training is supposed to reduce that number. But most organizations have no idea whether their program actually works.
I've spent years helping organizations build and evaluate security awareness programs. Here's the uncomfortable truth: completion rates are not a metric. A 95% course completion rate tells you nothing about whether your employees can spot a well-crafted phishing email or resist a pretexting phone call. You need real, behavioral data — and I'm going to walk you through exactly how to get it.
Why Most Organizations Measure the Wrong Things
The most common "metric" I see is training completion percentage. HR loves it. Compliance auditors accept it. And it's almost entirely meaningless from a security standpoint.
Completion tells you someone sat through a module. It doesn't tell you they absorbed anything, changed a behavior, or would react correctly under pressure. It's the cybersecurity equivalent of measuring driver safety by counting how many people renewed their license.
The second most common mistake is measuring only once a year. Annual training creates a spike of awareness that fades within weeks. The Cybersecurity and Infrastructure Security Agency (CISA) recommends ongoing, continuous training — not because they enjoy paperwork, but because threat actors don't attack on a schedule.
The Metrics That Actually Matter
If you want to know how to measure security awareness training with real confidence, you need to track behavioral indicators — not just participation indicators. Here's what I recommend to every organization I work with.
1. Phishing Simulation Click Rates
This is your single most important metric. Run regular phishing simulations that mimic real-world attacks — credential theft pages, fake invoice attachments, urgent IT requests. Track the percentage of employees who click, who submit credentials, and who report the email.
The 2024 Verizon DBIR found that the median time for a user to fall for a phishing email is under 60 seconds: roughly 21 seconds to click the link after opening the message, and another 28 seconds to enter data on the landing page. Your baseline click rate before training is often in the 20-30% range. After sustained training and simulation, mature programs typically see this drop below 5%.
Track click rates over time, segmented by department, role, and seniority. You'll find patterns — finance teams get targeted differently than engineering, and executives are notoriously resistant to admitting they need training. If you need a platform to start running these campaigns, our phishing awareness training for organizations provides realistic simulations with built-in tracking.
2. Reporting Rates
Click rate alone tells only half the story. Reporting rate, the percentage of employees who flag suspicious emails using your reporting tool, is equally critical. A low click rate combined with a low reporting rate means people are deleting threats silently. That's dangerous because your SOC never gets the intelligence, and the same lure that one person deleted is still sitting in a hundred other inboxes.
A strong program targets a reporting rate above 60% for simulated phishing. Some mature organizations hit 70-80%. If your reporting rate is below 20%, your employees either don't know how to report, don't think it matters, or both.
3. Time to Report
Speed matters. If an employee spots a phishing email and reports it within two minutes, your incident response team can search for that message and purge it from every inbox before most people even open it (assuming your mail platform supports search-and-purge and the SOC has a playbook for it). If they report it three days later, the damage is done.
Track the average time between phishing email delivery and first employee report. This metric improves dramatically with consistent simulation and positive reinforcement.
4. Repeat Offender Rate
Some employees will click on every simulation you send. These aren't bad people — they're high-risk individuals who need targeted intervention. Track the percentage of employees who fail two or more simulations in a rolling 12-month period.
This metric helps you allocate resources. Instead of blasting the entire company with more generic training, you can focus intensive coaching on the 5-10% who consistently fall for attacks. That's where your highest ROI lives.
5. Real Incident Metrics
Ultimately, you want to see real-world security incidents decline. Track the number of successful phishing attacks, credential compromises, malware infections from email, and business email compromise (BEC) losses over time. Correlate these with your training cadence.
This is harder to measure cleanly because many factors affect incident rates. But the trend line matters. If you've been running a serious program for 12 months and your phishing-related incidents haven't budged, something in the program needs to change.
What Is a Good Security Awareness Training Score?
This is the question I get asked most, so here's a direct answer. A "good" program hits these benchmarks after 12 months of consistent effort:
- Phishing click rate: Below 5% (industry average before training is typically 20-30%)
- Reporting rate: Above 60% on simulated phishing
- Time to first report: Under 5 minutes
- Repeat offender rate: Below 3%
- Training completion: Above 95% (necessary but not sufficient)
- Knowledge assessment scores: Above 80% average on post-training quizzes
These numbers come from aggregated data across programs I've seen succeed. Your starting point will vary based on industry, company size, and security maturity. What matters is sustained improvement quarter over quarter.
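The four behavioral metrics described above (click rate, reporting rate, time to first report, repeat offender rate), the department segmentation, and the benchmark comparison in the list just given can all be computed from the event export of a simulation platform. The following is an added worked example, not code from this article or from any vendor platform. The campaign dates, user names, departments and timing offsets are constructed sample data, and the record layout (one row per delivered email with minute offsets for click, credential submission and report) is an assumption about what a simulation tool exports.

```python
"""Behavioural awareness metrics from a phishing-simulation event log.

Added example with constructed data; the row layout is an assumption,
not a real vendor export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Benchmarks from the article's "good program" list: (comparison, target).
BENCHMARKS = {"click_rate": ("<", 0.05), "report_rate": (">", 0.60),
              "time_to_first_report_min": ("<", 5.0),
              "repeat_offender_rate": ("<", 0.03)}

# Constructed sample (not real telemetry). Send time per campaign, then one
# row per delivered email: (user, dept, campaign, minutes after delivery at
# which the user clicked / submitted credentials / reported; None = never).
CAMPAIGNS = {"C1": datetime(2025, 3, 10, 9, 0),   # unannounced baseline
             "C2": datetime(2025, 7, 14, 9, 0),
             "C3": datetime(2026, 1, 12, 9, 0)}
EVENTS = [
    ("alice", "finance", "C1", 1, 3, None), ("bob", "finance", "C1", 12, None, None),
    ("carol", "eng", "C1", None, None, None), ("dave", "eng", "C1", None, None, 280),
    ("erin", "exec", "C1", 5, None, None), ("frank", "hr", "C1", None, None, None),
    ("alice", "finance", "C2", 2, None, None), ("bob", "finance", "C2", None, None, 45),
    ("carol", "eng", "C2", None, None, 9), ("dave", "eng", "C2", None, None, 4),
    ("erin", "exec", "C2", 1, None, None), ("frank", "hr", "C2", None, None, 30),
    ("alice", "finance", "C3", None, None, 20), ("bob", "finance", "C3", None, None, 7),
    ("carol", "eng", "C3", None, None, 6), ("dave", "eng", "C3", None, None, 2.5),
    ("erin", "exec", "C3", 3, None, None), ("frank", "hr", "C3", None, None, 11),
]
AS_OF = datetime(2026, 2, 1)  # evaluation date for the rolling 12-month window


def rates(events):
    """Click, credential-submission and reporting rates over delivered emails."""
    n = len(events)
    if n == 0:
        return {"delivered": 0, "click_rate": 0.0, "submit_rate": 0.0, "report_rate": 0.0}
    clicked = sum(1 for e in events if e[3] is not None)
    submitted = sum(1 for e in events if e[4] is not None)
    reported = sum(1 for e in events if e[5] is not None)
    return {"delivered": n, "click_rate": clicked / n,
            "submit_rate": submitted / n, "report_rate": reported / n}


def rates_by(events, key_index):
    """Segment rates by a row field: 1 = department, 2 = campaign."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key_index]].append(e)
    return {k: rates(v) for k, v in sorted(groups.items())}


def time_to_first_report(events, campaign):
    """Minutes from delivery to the earliest user report; None if nobody reported."""
    times = [e[5] for e in events if e[2] == campaign and e[5] is not None]
    return min(times) if times else None


def repeat_offenders(events, as_of, window_days=365):
    """Users who clicked or submitted in two or more campaigns inside the window.

    Returns (sorted user list, share of the population seen in the window).
    """
    start = as_of - timedelta(days=window_days)
    fails, population = defaultdict(set), set()
    for user, _dept, campaign, clicked, submitted, _reported in events:
        if not (start <= CAMPAIGNS[campaign] <= as_of):
            continue
        population.add(user)
        if clicked is not None or submitted is not None:
            fails[user].add(campaign)
    offenders = sorted(u for u, c in fails.items() if len(c) >= 2)
    rate = len(offenders) / len(population) if population else 0.0
    return offenders, rate


def scorecard(events, as_of, latest_campaign):
    """Latest-campaign metrics next to the benchmarks: name -> (value, target, met)."""
    r = rates([e for e in events if e[2] == latest_campaign])
    _, rep_rate = repeat_offenders(events, as_of)
    values = {"click_rate": r["click_rate"], "report_rate": r["report_rate"],
              "time_to_first_report_min": time_to_first_report(events, latest_campaign),
              "repeat_offender_rate": rep_rate}
    out = {}
    for name, (op, target) in BENCHMARKS.items():
        v = values[name]
        met = v is not None and (v < target if op == "<" else v > target)
        out[name] = (v, target, met)
    return out


if __name__ == "__main__":
    for campaign, r in rates_by(EVENTS, 2).items():
        print(campaign, r, "first report at", time_to_first_report(EVENTS, campaign), "min")
    print("by department:", rates_by(EVENTS, 1))
    print("repeat offenders:", repeat_offenders(EVENTS, AS_OF))
    for name, (v, target, met) in scorecard(EVENTS, AS_OF, "C3").items():
        print(f"{name:26} {v!s:>8} target {target:<5} {'OK' if met else 'MISS'}")
```

On the constructed data the program trends the right way (click rate 50% on the baseline, 17% on the latest campaign; reporting rate 17% to 83%; first report within 2.5 minutes), but the scorecard still flags two misses: the 5% click target is not yet met, and two of six users failed two campaigns in the trailing year, so the repeat offender rate is far above 3%. The department view shows the executive segment clicking every time and never reporting, which is exactly the kind of pattern the text says to surface to department heads. Note that a repeat offender is counted per campaign, not per click, so a user who clicks twice in one campaign is one failure.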
Building a Measurement Framework That Scales
Start With a Baseline
Before you launch any training initiative, run a baseline phishing simulation. Don't warn employees. Don't tell line managers. Send a realistic phishing email and measure who clicks, who reports, and who does nothing. This is your ground truth. The people who do need to know in advance are your executive sponsor, HR and legal (for sign-off), and the SOC and email security team: they should allowlist the sending domain so the mail filter doesn't quietly skew the numbers, and they should know not to treat the first reports as a live incident.
Pair this with a short security knowledge assessment — 10-15 questions covering phishing recognition, password hygiene, multi-factor authentication, data handling, and social engineering tactics. Now you know where your people actually stand, not where they claim to stand.
Set Quarterly Measurement Cycles
Monthly phishing simulations are ideal, but at minimum run them quarterly. Vary the difficulty: start with obvious red flags, then escalate to sophisticated spear-phishing scenarios that use real company context. The NIST Cybersecurity Framework places Awareness and Training (PR.AT) under the Protect function, and it expects awareness to be maintained and assessed on an ongoing basis rather than once a year.
After each cycle, review the data with department heads. Make it visible. When a VP sees that their team has a 30% click rate while the company average is 8%, behavior changes fast.
Tie Metrics to Business Outcomes
Executive leadership doesn't care about click rates in isolation. They care about risk reduction and financial impact. Translate your metrics into language they understand.
For example: "Our phishing click rate dropped from 28% to 4% over 12 months. FBI IC3 data for 2023 puts the average BEC loss at about $137,132 per reported incident, and our historical rate was 3 successful phishing attacks per quarter, or roughly $1.6M in expected annual loss. If successful attacks fall in proportion to the click rate, that is more than $1M of risk removed; even after heavily discounting for other controls and year-to-year variance, the training program represents an estimated risk reduction of over $400K annually."
That's how you get budget renewed. That's how you get executive support for expanding the program.
The Tools and Tactics Behind Accurate Measurement
Phishing Simulations Done Right
Not all simulations are created equal. A poorly designed phishing test, one that uses obvious typos and a Nigerian prince storyline, will give you artificially low click rates and false confidence. Your simulations need to mirror real threat actor tactics: lookalike domains that resemble your own (outright spoofing of your domain should already be blocked by your DMARC policy, so register the lookalikes attackers would), LinkedIn-scraped personalization, urgency triggers, and credential harvesting landing pages.
Our phishing awareness training platform generates realistic campaigns modeled after actual attacks, with full analytics dashboards that track every metric I've described above.
Knowledge Assessments vs. Behavioral Assessments
Knowledge assessments (quizzes) measure what people know. Behavioral assessments (simulations, social engineering tests) measure what people do. You need both, but if you can only pick one, pick behavioral. I've seen employees score 100% on a phishing quiz and then click a simulated phishing link the same afternoon.
Security Culture Surveys
Once a year, run an anonymous survey measuring security attitudes. Ask questions like: "If you made a security mistake, would you feel comfortable reporting it?" and "Do you believe cybersecurity is part of your job responsibility?" These qualitative metrics reveal cultural barriers that quantitative data misses.
A culture where employees hide mistakes is a culture where breaches grow silently. If your survey reveals fear of punishment, you've found a problem that no amount of training modules will fix.
From Measurement to Action: Closing the Loop
Data without action is just a dashboard. Here's how to close the loop effectively.
Segment and Target
Use your data to identify high-risk groups. Maybe it's new hires in their first 90 days. Maybe it's the C-suite (who, in my experience, are some of the worst offenders). Maybe it's a specific department that handles sensitive financial data. Tailor your training intensity and content to these groups.
Positive Reinforcement Over Punishment
Organizations that punish employees for clicking phishing simulations see reporting rates plummet. People stop reporting real threats because they're afraid of consequences. Instead, reward reporting. Recognize departments with the highest reporting rates. Make security a source of pride, not anxiety.
Continuously Update Content
Threat actors evolve constantly. Your training content must keep pace. Ransomware tactics in 2026 look different from 2023. AI-generated phishing emails are more convincing than ever. Voice phishing of help desks, the technique that opened the MGM breach, and AI-cloned voices used to impersonate executives require entirely new training modules. If your content is stale, your metrics will plateau.
A comprehensive cybersecurity awareness training program keeps content current with the actual threat landscape and gives you the baseline education that makes simulations more effective.
The Zero Trust Connection
Measuring security awareness training doesn't exist in a vacuum. It should feed directly into your broader zero trust architecture. Employees who repeatedly fail simulations might need additional access controls — restricted email attachment permissions, mandatory multi-factor authentication on all logins, or reduced access to sensitive systems.
Zero trust means never assuming a user is safe just because they're inside the perimeter. Your awareness metrics give you the data to apply that principle intelligently. High-risk users get tighter controls. Proven-reliable users get appropriate access. Everyone gets continuous verification.
Reporting to the Board: What They Need to See
Board reporting on security awareness should fit on one page. Include these five things:
- Phishing click rate trend — quarterly, with a 12-month trendline
- Reporting rate trend — same format
- Real incident count — phishing-related incidents per quarter
- Estimated risk reduction — in dollar terms tied to industry benchmarks
- Top risk areas — departments or roles that need attention
Skip the jargon. Skip the vendor logos. Give them the story: where you started, where you are, what's working, and what needs investment. That's how you keep security awareness training funded and taken seriously.
Stop Guessing, Start Measuring
Knowing how to measure security awareness training separates serious security programs from compliance theater. Every data breach that starts with a phishing email is a failure of human behavior — and behavior is measurable, trackable, and improvable.
Start with a baseline simulation today. Build a quarterly cadence. Track the five metrics that matter. Report in business terms. And invest in ongoing training that adapts to how threat actors actually operate in 2026.
Your employees are either your strongest defense or your biggest vulnerability. The only way to know which is to measure.