
How to Measure the Success of Your Security Awareness Programme (Without Falling for Vanity Metrics)


Measuring the success of a security awareness programme often feels like trying to measure “good vibes.” Everyone knows it’s important, but no one agrees on how to quantify it.


The result? Teams default to metrics that sound nice but don’t tell you if your programme is working. Yes, 98% of employees completed the training module, but did anyone actually learn something? Will they apply it in real life? Or did they just click through the slides while scrolling Instagram?

If you want to know if your SAT programme is delivering results, you need to dig deeper. Let’s break it down.



The Vanity Metrics That Waste Everyone’s Time


Before we get into what you should measure, let’s talk about what you shouldn’t:


  1. Completion rates. Great, 100% of your employees finished the training. But what does that actually mean? It doesn’t tell you if they understood it, remembered it or applied it.

  2. Email open rates. Sure, it’s nice to know people are opening your training emails, but it doesn’t mean they’re engaging with the content.

  3. Participation stats. Attendance isn’t the same as engagement. Showing up doesn’t mean showing interest.


If you’re stuck focusing on these metrics, you’re measuring activity, not impact. Let’s fix that.


5 Metrics That Actually Matter


Here are the metrics that tell you if your programme is making a real difference — and how to track them effectively.


1. Reduction in Phishing Click Rates


Phishing is still the number one way hackers get in, so tracking click rates on phishing simulations is a great indicator of programme success.


How to Measure It:

  • Run regular phishing simulations and compare click rates over time.

  • Break it down by team or department to see where additional training is needed.

  • Celebrate progress publicly — “Marketing Team reduced their click rate by 20% this quarter!”


2. Increase in Report Rates


It’s not just about avoiding the bait; it’s about recognising it and reporting it. More employees flagging phishing simulations is a strong sign that your training is working.


How to Measure It:

  • Track the number of simulation reports vs. successful clicks.

  • Use a leaderboard or gamification to encourage employees to report phishing attempts.


3. Overall Reporting Increase


Beyond phishing simulations, you want to see employees escalating real-world threats — suspicious emails, dodgy messages, or strange activity on their accounts.


How to Measure It:

  • Monitor your IT team’s ticket system for reports of suspicious activity.

  • Keep a log of both false alarms (which are still good!) and legitimate incidents.



4. Time-to-Report Incidents


Speed matters in cybersecurity. The faster employees report threats, the faster your team can respond and mitigate potential damage.


How to Measure It:

  • Log how long it takes employees to report phishing simulations or suspicious activity.

  • Compare this over time to see if training is improving response times.
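As an added example (not code from the original article), the Python script below computes metrics 1, 2 and 4 from a constructed set of phishing-simulation records: per-department click rate, report rate and median time-to-report, plus the change between two campaigns so you can follow the long-term trend rather than a single run. The record format, department names, campaign labels and timings are all assumptions.

```python
from statistics import median
from collections import defaultdict

# Constructed sample records from two phishing-simulation campaigns (not real data).
# Each record: campaign, department, minutes until the user clicked (None = no click),
# minutes until the user reported the email (None = no report).
SIMULATION_EVENTS = [
    {"campaign": "Q1", "dept": "Marketing", "clicked_min": 12, "reported_min": None},
    {"campaign": "Q1", "dept": "Marketing", "clicked_min": None, "reported_min": 45},
    {"campaign": "Q1", "dept": "Marketing", "clicked_min": 3, "reported_min": 20},
    {"campaign": "Q1", "dept": "Marketing", "clicked_min": None, "reported_min": None},
    {"campaign": "Q1", "dept": "Finance", "clicked_min": None, "reported_min": 8},
    {"campaign": "Q1", "dept": "Finance", "clicked_min": 30, "reported_min": None},
    {"campaign": "Q2", "dept": "Marketing", "clicked_min": None, "reported_min": 10},
    {"campaign": "Q2", "dept": "Marketing", "clicked_min": 7, "reported_min": 9},
    {"campaign": "Q2", "dept": "Marketing", "clicked_min": None, "reported_min": 15},
    {"campaign": "Q2", "dept": "Marketing", "clicked_min": None, "reported_min": None},
    {"campaign": "Q2", "dept": "Finance", "clicked_min": None, "reported_min": 5},
    {"campaign": "Q2", "dept": "Finance", "clicked_min": None, "reported_min": 6},
]

def campaign_metrics(events, campaign):
    """Per-department click rate, report rate and median time-to-report for one campaign."""
    by_dept = defaultdict(list)
    for e in events:
        if e["campaign"] == campaign:
            by_dept[e["dept"]].append(e)
    out = {}
    for dept, recs in by_dept.items():
        sent = len(recs)
        clicked = sum(1 for r in recs if r["clicked_min"] is not None)
        report_times = [r["reported_min"] for r in recs if r["reported_min"] is not None]
        out[dept] = {
            "sent": sent,
            "click_rate": clicked / sent,
            "report_rate": len(report_times) / sent,
            # Median rather than mean, so one very slow report does not hide real progress.
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return out

def trend(events, earlier, later):
    """Change in click and report rates per department between two campaigns."""
    a, b = campaign_metrics(events, earlier), campaign_metrics(events, later)
    return {d: {"click_rate_change": b[d]["click_rate"] - a[d]["click_rate"],
                "report_rate_change": b[d]["report_rate"] - a[d]["report_rate"]}
            for d in a if d in b}
```

Feed it the export from your own simulation tool and the ticket timestamps from your IT queue, and the same functions give you the department-level comparison the tips in this article call for.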


5. Observed Behavioural Changes


Metrics are great, but they’re not the whole story. Sometimes, success is seen in small, everyday actions.


What to Look For:

  • Employees double-checking URLs before clicking.

  • Teams discussing security topics in meetings.

  • An increase in questions or conversations about cybersecurity.



Pro Tips for Tracking and Improving Metrics


Now that you know what to measure, here’s how to make it stick:


  1. Keep It Transparent

    Share your metrics with the whole team. Let employees know how they’re doing and where there’s room for improvement. Transparency creates accountability.


  2. Recognise Positive Behaviour

    Celebrate employees who report threats or demonstrate good security practices. A simple “thank you” or a small reward can reinforce the right habits.


  3. Adjust Based on Feedback

    If metrics are stagnant, dig deeper. Are employees confused about what to report? Is the training too generic? Use feedback to refine your approach.


  4. Focus on Long-Term Trends

    One phishing simulation isn’t enough to measure success. Look for patterns over time to see how your programme evolves.



Why These Metrics Matter


A security awareness programme isn’t just about compliance. It’s about creating a culture where employees actively defend your organisation. Measuring the right metrics helps you see if you’re achieving that goal—or if you’re just ticking boxes.

The ultimate test of success? Employees who don’t just know better—they do better.

At Goldphish, we specialise in turning awareness into action. If you’re ready to stop chasing vanity metrics and start building a programme that works, let’s chat. 🤙
