How to Measure the Effectiveness of Security Awareness Training

While measuring the effectiveness of security awareness training can be challenging, it is a crucial aspect of determining the overall impact of training on improving users' security behaviour.

Though no single metric can provide a comprehensive view of the effectiveness of security awareness training, it is advisable to use a combination of these following ten metrics to provide a broad overview.

Start trial icon

Ready to level up your security game?

We can help you - let's have a chat.

Book a Meeting

10 Metrics for Measuring the Effectiveness of Security Awareness Training

  1. Pre-Training Assessments
  2. Participation Rates
  3. Phishing Simulation Results
  4. Quiz Scores
  5. Security Incident Metrics
  6. Employee Feedback
  7. Compliance Metrics
  8. Completion Rates
  9. ROI
  10. Continuous Evaluation

1. Pre-Training Assessments

Pre-training assessments are important for measuring the effectiveness of security awareness training. These assessments establish a baseline understanding of employees' knowledge before they receive training. When conducting pre-training assessments, choose the appropriate format (e.g., questionnaire or online quiz) and cover relevant security topics.

Analysing the pre-training assessment results helps identify knowledge gaps and areas for improvement. This analysis informs the development of a tailored training program that addresses specific weaknesses. By comparing post-training results with the initial assessment, you can measure the impact of the training and track progress over time.

2. Participation Rates

Monitoring training completion rates provides insight into the level of employee engagement and participation in the security awareness program. A higher completion rate indicates greater employee commitment to learning and suggests a positive impact on their security awareness.

By tracking participation rates, you can determine the reach and coverage of the training program across different departments or teams; helping to identify any gaps or areas where additional efforts may be required to ensure comprehensive training coverage.

High completion and participation rates demonstrate that employees are actively engaging with the training materials, which increases the likelihood of knowledge retention and behaviour change.

3. Phishing Simulation Results

By sending mock phishing emails that mimic real-world attacks, your organisation can gauge the effectiveness of security awareness training in helping employees recognise and report phishing attempts.

Tracking the click rates on simulated phishing emails before and after the training provides valuable insights. A decrease in click rates indicates improved awareness and a reduction in the number of employees falling for phishing scams. This suggests that the training is effective in educating employees about the dangers of phishing and enhancing their ability to discern legitimate emails from phishing attempts.

Additionally, monitoring the reporting rates of suspicious emails is important. A well-trained workforce should demonstrate an increased willingness to report suspicious emails to the appropriate channels, such as IT or security teams. Higher reporting rates indicate that employees are actively engaged in the training and are taking proactive measures to protect your organisation from potential cyber threats.

4. Quiz Scores

Comparing quiz scores before and after the training provides insights into the improvement in employees' understanding of the relevant security concepts.

Analysing individual question scores can also provide insights into specific areas where employees may need additional training or clarification, again, helping identify knowledge gaps and informs the development of targeted interventions to address those areas.

However, it's important to remember quiz scores alone may not capture behavioural changes or the practical application of security knowledge in real-world scenarios. Though, regularly monitoring, and analysing quiz scores does allow your organisation to assess the impact of security awareness training on knowledge acquisition and retention.

5. Security Incident Metrics

Depending on your organisation, these metrics may include the number of security breaches, malware infections, unauthorized access incidents, or other security-related events.

Comparing security incident metrics before and after the implementation of security awareness training allows your organisation to assess its effectiveness. If there is a decrease in security incidents over time, it suggests that the training has positively influenced employee behaviours and users' ability to identify and respond to security threats.

A decline in security incidents can indicate improved awareness, increased adherence to security policies and procedures, and better handling of potential risks. Most importantly, it demonstrates that employees are applying the knowledge and skills gained from the training, leading to a more secure environment.

Start trial icon

Try our Training for Free!

Start Now

6. Employee Feedback

Conducting surveys or gathering feedback through anonymous questionnaires allows employees to express their opinions openly and honestly. It is essential to include questions that assess employees' understanding of security best practices, their confidence in handling security incidents, and whether they found the training valuable and relevant to their roles.

Employee feedback can highlight areas where the training excelled and areas where improvements are needed. It can uncover specific challenges employees face in applying security practices and identify any knowledge gaps that may still exist after the training.

Analysing employee feedback also provides your organisation with valuable insights for refining and enhancing its future implementation of security awareness training programs. This feedback, combined with other evaluation methods, contributes to a holistic assessment of the training program's effectiveness and aids in developing more impactful and targeted security awareness initiatives.

7. Compliance Metrics

Key compliance metrics may include data classification accuracy, adherence to password policies, usage of multi-factor authentication, incident reporting rates, and overall compliance with security controls.

Comparing compliance metrics before and after the implementation of security awareness training provides insights into the training's effectiveness. If there is an improvement in compliance rates, it suggests that the training has positively influenced employees' understanding of security requirements and their ability to apply them in their daily work.

Higher compliance rates indicate that employees are actively implementing security measures and following established protocols, reducing the risk of security incidents and data breaches.

8. Completion Rates

High training completion rates demonstrate that employees are actively engaging with the training materials, which increases the likelihood of knowledge retention and behaviour change. It indicates that employees are investing the necessary time and effort to complete the training, which is essential for the training's effectiveness.

Regularly monitoring and analysing training completion rates allows your organisation to not only assess the overall effectiveness of security awareness initiatives, but also helps identify any barriers or challenges that may prevent employees from completing the training and enables you to make informed decisions to improve training accessibility, relevance, and engagement.

By encouraging high training completion rates and ensuring the content is valuable and engaging, you can maximise the impact of security awareness training and foster a culture of security among their workforce.

9. ROI

Calculating the Return on Investment (ROI) of security awareness training involves comparing the benefits gained from the program to the costs incurred. Key considerations for ROI analysis include the cost of the training program itself, the reduction in security incidents and associated costs, potential productivity gains, compliance-related savings, and improvements in employee retention and morale.

ROI calculations provide a financial perspective on the cost-effectiveness of the training initiative and help justify investments, optimise resource allocation, and support decision-making processes.

However, it's important to acknowledge that ROI calculations may not capture all intangible benefits, and it is crucial to continuously monitor and evaluate the effectiveness of the training program to refine ROI calculations over time.

10. Continuous Evaluation

This method of measurement involves ongoing monitoring, feedback collection, benchmarking, and incorporating lessons learned.

By continuously assessing the training program's metrics, gathering feedback, staying current with industry trends, and making iterative improvements, your organisation can ensure that training remains relevant and impactful in addressing evolving security threats.

Furthermore, continuous evaluation helps foster a culture of ongoing learning and improvement, allowing your organisation to proactively adapt training to effectively mitigate risks and enhance overall security posture.

Hut Six Training

At Hut Six, we believe that training should not only be engaging, but should provide real value to customers. Which is why delivering effective training is our ongoing goal.

Hut Six's Security Awareness Training program educates users to identify, avoid and report cyber threats, and is specifically designed to produce meaningful behavioural change.

Read more about Hut Six's Security Awareness Training

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


What is Personal Data? Definition & Types

What is Personal Data?

Learn about personal data, its types, and significance in data protection. Explore general and special category data, as well as pseudonymised and anonymised data under the GDPR.

GDPR Applications

Who Does GDPR Apply To?

Who Does GDPR Apply To? And Other Data Protection Questions/ Information Security blog by Information security awareness provider Hut Six Security.

Do AI Chatbots like ChatGPT Pose a Cybersecurity Risk?

Does ChatGPT Pose a Cybersecurity Risk

In this blog post, we explore whether AI chatbots like ChatGPT pose a cybersecurity risk. We delve into the potential vulnerabilities and threats posed by chatbots, and discuss measures that can be taken to mitigate these risks. Read on to discover how you can ensure the security of your organisation's chatbot interactions.

How to get Cyber Essentials Certification

How Do I Get Cyber Essentials Certified?

Learn how to obtain Cyber Essentials certification and enhance your organization's cybersecurity posture with our comprehensive guide. Our expert insights will help you navigate the certification process to meet the requirements for Cyber Essentials.

5 Essential Steps for Security Awareness Training

Essential Steps for Security Awareness Training

Starting a security awareness training campaign? Here are 5 essential steps to help ensure information security success.

Malicious Insider Threats

Malicious Insider Threats - Meaning & Examples

Malicious insider threats can cause massive problems. Here we examine some of the motivations behind attacks and methods of detection organisations can use to reduce risk.

What are the Biggest Breaches of 2022 (So Far)

5 Biggest Breaches of 2022 (So Far)

Five of the biggest and most significant data breaches, hacks, and information security attacks of 2022 (so far).

How to Audit for GDPR Compliance?

Auditing for GDPR Compliance

Questions to consider when auditing your business or SME for General Data Protection Regulation (GDPR) compliance.

Ideas to Improve Employee Cyber Security?

Improving Employee Cyber Security

With human error responsible for many breaches and attacks, we offer some helpful areas for improving employee security compliance.

A Few Cyber Tips for your Organisation

5 Cyber Tips for your Business

Essential cyber tips for helping your business or SME improve information and cyber security.

Speak to us about your Cyber Awareness