How Do You Measure the Effectiveness of Security Awareness Training?

Key Takeaways

• Completion rates measure training activity, not risk reduction — track behaviour change instead
• Seven metrics prove effectiveness: reporting rates, repeat-clicker reduction, dwell time, real-world transfer, miss rates, knowledge retention, and incident correlation
• Expect 40% phishing click rate reduction in the first 90 days, with 86% reduction possible after 12 months of consistent training
• Academic research shows training doesn’t always work — success depends on frequency, personalisation, and supportive culture over punitive approaches
• Individual behaviour tracking may have legal implications under employment law and data protection regulations

Your security awareness programme has been running for six months. The completion dashboard shows green. The latest phishing simulation showed fewer clicks. But when leadership asks if this is actually working, you need better evidence than completion certificates.

According to a 2024 industry breach report, 68% of confirmed data breaches involved a human element. The median time to click a malicious link is just 21 seconds. This makes effectiveness of security awareness training a critical business question, not just an HR checkbox.

Most organisations measure whether training happened. Few measure whether it worked. This article provides seven metrics that prove your programme reduces actual risk — specifically calibrated for organisations six to twelve months into their security awareness journey.

Why Your Current Metrics Might Be Misleading

Training completion rates satisfy compliance requirements but don’t prove risk reduction. Research from a major healthcare organisation found no significant relationship between recent training completion and phishing resistance. Employees who had just finished annual training clicked malicious links at the same rates as those who hadn’t.

This disconnect exists because completion measures exposure to information, not absorption or application. An employee can click through a training module in the morning and fall for a phishing simulation that same afternoon.

Click rates from simulations can also mislead. Send an obvious scam this month and your numbers improve automatically. The difficulty of your phishing simulations affects results more than your training effectiveness. Without calibrating for simulation difficulty, click-rate comparisons between campaigns become meaningless.

The challenge intensifies at the six-to-twelve-month mark. Early programme metrics often look encouraging due to initial awareness spikes. But sustained behaviour change requires different measurement approaches than first-month enthusiasm.

What Results Should You Expect After 6-12 Months?

Industry benchmarking data from 2025, covering over 67 million simulated phishing tests across 62,400 organisations, provides realistic expectations for programme maturity.

The global baseline shows 33.1% of employees click malicious links before any training. After 90 days of consistent training and simulated phishing, this typically drops by around 40%. After 12 months, well-managed programmes achieve 4.1% click rates — an 86% reduction from baseline.

However, these figures mask important variations. Healthcare organisations face higher baseline risk at 41.9% due to high-pressure environments and urgent communication patterns. Smaller organisations (1-250 employees) typically start at 24.6% baseline, while large enterprises (10,000+ employees) often begin at 40.5%.

At the six-month mark, organisations should see consistent month-to-month improvement rather than dramatic single-month drops. Sustained programmes show steady progress. Programmes that plateau early often lack personalisation or have created a punitive culture that discourages honest reporting.

The 7 Metrics That Actually Prove Effectiveness

1. Phishing Reporting Rate (Simulation)

Track the monthly percentage of employees who correctly identify and report phishing simulations without clicking first. Industry data shows 20% of users report phishing in simulation exercises. This metric measures recognition speed and appropriate response behaviour.

Calculate this as: (Number who reported suspicious email ÷ Total number who received simulation) × 100. Target improvement: 5-10% increase every three months for organisations in the 6-12 month programme stage.

2. Real-World Threat Reporting Rate

This measures whether training transfers to actual threats. Track how often employees report genuine suspicious emails to your security team versus ignoring them. This proves your programme works in real scenarios, not just controlled simulations.

Collect data from your email security platform and help desk tickets. Look for month-over-month increases in legitimate threat reports. Sustained training programmes typically see 20-30% increases in real-world reporting within six months.

3. Repeat-Clicker Reduction Rate

Define repeat clickers as employees who click malicious links in three or more simulations over a six-month period. Track the percentage reduction in this group over time. Research shows targeted, personalised interventions can reduce repeat phishing victims by 63% within six months.

This metric is crucial because repeat clickers represent concentrated risk. Five percent of your workforce falling for every phishing attempt creates more exposure than random distribution across all employees.

4. Dwell Time (Time-to-Report)

Measure how quickly employees report suspicious emails after receiving them. Faster reporting means faster threat containment. Track the median time between email delivery and employee report submission.

Target benchmarks: under 30 minutes for obvious phishing attempts, under 2 hours for sophisticated attacks. Improvement in dwell time often predicts programme effectiveness better than click rate changes.

5. Miss Rate (Neither Click Nor Report)

Track employees who neither click malicious links nor report them — they simply ignore suspicious emails. While this avoids immediate compromise, it misses opportunities to alert the security team about active threats targeting your organisation.

Calculate as: (Total recipients – Clickers – Reporters) ÷ Total recipients × 100. High miss rates suggest employees recognise threats but don’t understand the importance of reporting them.

6. Knowledge Retention Score

Use brief monthly assessments to test retention of key concepts, not completion of training materials. Focus on practical recognition skills: identifying suspicious email characteristics, understanding social engineering tactics, knowing reporting procedures.

Aim for 80% accuracy on practical scenarios. Knowledge retention scores that improve month-over-month indicate effective learning, while static scores suggest training content needs refresh.

7. Security Incident Correlation

Track whether security incidents involving human error decrease as your programme matures. This requires correlation with your broader security incident data, but provides the clearest business impact measurement.

Look for reductions in: successful phishing compromises, credential theft incidents, malware installations from email attachments, and social engineering attempts that bypass technical controls.

How to Present These Metrics to Leadership

Leadership presentations require business language, not security jargon. Frame your metrics around risk reduction and potential cost avoidance rather than training activity.

Lead with the most compelling statistic: organisations with mature security awareness programmes reduce average data breach costs by $232,867 according to a 2023 industry cost analysis. With average breach costs reaching $4.44 million in 2025, this represents meaningful financial impact.

Structure your presentation around three questions leadership cares about:

1. Are we less likely to suffer a breach? Present your incident correlation data and real-world reporting improvements.
2. Are our people getting better at this? Show repeat-clicker reduction and knowledge retention trends.
3. How do we compare to similar organisations? Use industry benchmarks to contextualize your results.

Avoid technical metrics like click rates or completion percentages in executive presentations. Focus on business outcomes: faster threat detection, reduced successful attacks, and improved security culture indicators.

What the Research Actually Says About Training Effectiveness

Academic research presents a more nuanced picture than vendor marketing materials suggest. A large-scale 2025 study involving over 12,500 employees found that training interventions showed no statistically significant effects on click rates or reporting rates in controlled conditions.

However, this doesn’t mean training is ineffective. The same research confirmed that simulation difficulty significantly predicted user behaviour, and other studies demonstrate that sustained, frequent, personalised training can halve successful compromise rates within six months.

The key distinction lies in programme design. Annual mandatory training shows minimal impact. Monthly, targeted, supportive training with immediate feedback produces measurable behaviour change. For the most susceptible participants, punitive approaches often provide no additional benefit compared to supportive coaching interventions.

This research context explains why measuring effectiveness requires looking beyond simple before-and-after click rates. Your programme’s success depends on implementation quality, not just implementation fact.

Beyond Email: Measuring Multi-Channel Threat Awareness

Phishing has expanded beyond email. Voice phishing (vishing) increased 442% in 2024. SMS phishing (smishing), QR code attacks, and multi-factor authentication fatigue represent significant attack vectors that traditional email-only training misses.

Organisations measuring only email phishing click rates have systematically incomplete visibility into human risk. Consider expanding your measurement framework to include:

• Voice call social engineering simulations and reporting rates
• SMS phishing recognition and response testing
• Physical security awareness (tailgating, visitor challenges)
• Social media information gathering resistance

Platforms like Complorer are built specifically for this multi-channel approach — combining email phishing simulations with voice, SMS, and physical security testing so organisations get comprehensive human risk visibility rather than email-only blind spots.

Legal and Privacy Considerations

Individual employee behaviour tracking raises important legal considerations, particularly for organisations operating under European data protection regulations. Logging who clicked which simulation, assigning individual risk scores, and tracking personal performance metrics constitutes employee monitoring.

Before implementing detailed individual-level tracking, consult your legal and HR teams regarding:

• Data protection impact assessments under relevant privacy laws
• Employee consent requirements for monitoring activities
• Data retention periods for training and simulation results
• Individual rights regarding personal security training data

Many organisations find that aggregated, anonymised metrics provide sufficient programme insight without creating unnecessary legal exposure or damaging employee trust.

What Should You Do Next?

Start with three metrics from the framework above: phishing reporting rate, real-world threat reporting rate, and repeat-clicker reduction. These provide immediate insight into programme effectiveness without complex data collection requirements.

Establish baseline measurements this month, then track monthly changes over the next quarter. Focus on trends rather than single-month fluctuations. Sustained improvement over three months indicates genuine behaviour change rather than temporary awareness spikes.

Most importantly, frame these metrics around risk reduction when presenting to leadership. Your security awareness programme exists to prevent breaches, not to achieve high completion rates. Measure what matters: whether your people are actually getting better at spotting and reporting threats before they cause damage.

Frequently Asked Questions

How often should I measure security awareness training effectiveness?

Monthly measurement provides the best balance of useful data without over-measurement fatigue. Track behavioural metrics like reporting rates and click rates monthly, but assess knowledge retention quarterly. Annual measurement is insufficient for programme management and improvement.

What is a good phishing simulation click rate benchmark?

Industry benchmarks show 33.1% baseline click rates before training, dropping to approximately 20% after 90 days and 4.1% after 12 months of consistent training. However, these figures vary significantly by industry, organisation size, and simulation difficulty. Focus on your own improvement trend rather than absolute comparison numbers.

Should I track individual employee performance in security training?

Individual tracking has benefits for targeted intervention but raises privacy and employment law considerations. Many organisations achieve effective programme management using aggregated, anonymised data instead. Consult your legal and HR teams before implementing detailed individual performance monitoring.

How do I measure real-world security awareness beyond simulations?

Track actual threat reporting rates through your email security platform and help desk systems. Monitor security incident data for trends in human-error-related breaches. Measure time-to-report for genuine suspicious emails. These metrics prove training transfers to real scenarios rather than just simulation performance.

What should I do about employees who repeatedly fail phishing tests?

Research shows punitive mandatory retraining is often ineffective for the most susceptible participants. Instead, try personalised coaching, one-to-one explanation sessions, or role-specific training that addresses individual risk factors. Track whether supportive interventions improve subsequent reporting behaviour, not just click avoidance.

References

[1] Verizon Business. (2024). 2024 Data Breach Investigations Report.

[2] Rozema, A., et al. (2025). Anti-Phishing Training (Still) Does Not Work: A Large-Scale Reproduction of Phishing Training Inefficacy Grounded in the NIST Phish Scale.

[3] Merritt, M., et al. (2024). Building a Cybersecurity and Privacy Learning Program. NIST Special Publication 800-50 Rev.1.

[4] Anonymous. (2025). Sustaining Cyber Awareness: The Long-Term Impact of Continuous Phishing Training and Emotional Triggers.

[5] IBM Security. (2025). Cost of a Data Breach Report 2025.