How to measure the success of your security awareness programme

Wednesday 19th September 2018
by Ken Walshe

Ken Walshe

How to measure the success of your security awareness programme

A security awareness programme goes beyond security training. It educates employees about information and cyber security corporate policies and that data is a valuable corporate asset. A thorough security awareness programme will change behaviours and reduce risks.

Related post: Social Engineering – common techniques and how to prevent them

Four out of the top 5 incidents reported to the ICO UK Q4 2017 were human error related. This is often due to a simple lack of awareness. Successful security awareness programmes are fun, interactive, encourage participation and use a variety of tools, channels and media such as:

  • Email/Slack
  • Presentations
  • Staff newsletters
  • Posters
  • Quiz/competitions
  • e-learning
  • Email signature
  • Contact info to report suspicious activities
  • Simulated phishing attacks

The programme should continuously evolve with information on the latest trends and known campaigns to ensure everyone can see how quickly cyber-criminals change their approach.

How to measure the success of your security awareness programme

You need to know how successful your programme is so, of course, you need to measure it. Ongoing assessments should form part of the measurement programme and there should be a follow-up process to gather feedback on employees’ experience of the engagement and the improvements that can be made.

The SANS Institute suggests that there are two types of metrics to be measured – deployment and impact – are you changing behaviour? It advises that we use just a few metrics.

  1. Measure risk or behaviour
  2. Actionable
  3. Low cost
  4. Repeatable

Go Phishing to measure programme and identify vulnerable employees

The SANS Institute recommends sending a phishing email as it recreates exactly what the hackers are trying to achieve. It’s easy to implement, measurable, low cost and quickly identifies vulnerable employees (90% of victims are captured in the first hour and 30% to 60% will actually click).

But at the same time, don’t use content that might embarrass people and only give senior manager names of repeat offenders. Your objective isn’t to name and shame people, you just want people to learn and be more security conscious in both their home and at work.

Related post: Promoting a security culture in your business

How to Phish

  • Ensure email has 2-3 ways people can detect phish
  • Use URL shorteners to hide fake website domain
  • Use email marketing software
  • Send a cloud phishing attack
  • Disguise phish in a popular application (see info on Gmail phishing attack last year)
  • Use pen testing software (ethical hacking)

security awareness programme

What to do when they click?

You can either send them an automated email telling them it was a test, what they did was wrong and how to avoid it in the future or send an error message with no feedback. I think the first is the better option.

security awareness programme

Approx 24 hours after the campaign conclusion, send the report to employees to let them know what happened. Explain results and how to detect the phishing elements of the sent email.

You should also measure how many people reported the attack and set up a process on what to do when people continuously click on your test phishing emails. SANS offers the following options:

  1. First violation, employee notified with additional 1 on 1 training
  2. Second violation, employee notified and manager copied
  3. Third violation, manager to have meeting with employee and report results
  4. Fourth violation, employee reported to HR


Over time, the impact will lessen, but you will need to increase the complexity of your phishing emails.

  • Email quarterly: 19% click rate
  • Every other month: 12%
  • Monthly: 5%

You may also wish to incorporate a few spot checks and leave reminders for when other security measures have been met or overlooked.

Further information

The US-based National Institute of Standards and Technology (NIST) offers detailed information on how to go about setting up your own security awareness programme. There are also are some tips on how to make your organisation more secure in a Trilogy blog.

Join the discussion

Your email address will not be published. Required fields are marked *