Strategic Insights on Managed Security Awareness

How Do You Measure the Effectiveness of Security Awareness Training?

10 mins Read / May 12, 2026

Key Takeaways

  • Completion rates measure compliance, not security improvement — focus on behavioural metrics instead
  • Expect a 40% reduction in phishing susceptibility within 90 days, 86% reduction after 12 months with consistent training
  • Real-world threat reporting rate proves training transfers beyond simulations
  • Recent controlled studies show traditional training approaches often fail — sustained, frequent programmes work better
  • Track individual behaviour carefully due to potential employment law and data protection implications

You’ve been running your security awareness programme for six months. The completion dashboard shows green. The latest phishing simulation recorded fewer clicks. Then leadership asks the inevitable question: “Is this actually working — and should we continue funding it?” That question deserves a better answer than a screenshot of completion certificates.

According to a 2024 industry breach report, 68% of confirmed data breaches involved a human element. With the global average breach cost reaching $4.44 million in 2025, proving your training programme reduces real risk isn’t just good practice — it’s business critical.

This article provides seven evidence-based metrics that demonstrate genuine security improvement, calibrated specifically for organisations 6-12 months into their programmes that need to justify continued investment.

Why Your Current Metrics Are Misleading You

Most security awareness programmes track the wrong things. Training completion rates hit 100%. Click-through certificates get filed. Compliance boxes get ticked. But none of this proves employees can actually spot a real attack.

A 2025 healthcare study examined 19,500 employees and found no significant relationship between recent training completion and phishing resistance. Employees who had just finished annual training clicked malicious links at the same rates as those who hadn’t trained in months.

The problem runs deeper than most organisations realise. A controlled study published in 2025 involving 12,511 employees at a financial services firm found training interventions showed no statistically significant effect on click rates or reporting behaviour. The research concluded that traditional awareness training approaches — typically annual, compliance-driven programmes — largely fail to change real-world behaviour.

This doesn’t mean all training fails. It means poorly designed training fails, and most current measurement approaches can’t tell the difference.

What Should Your Numbers Look Like After 6-12 Months?

Industry benchmark data from 67.7 million simulated phishing tests across 62,400 organisations provides clear staging expectations for programmes like yours.

At baseline, before any training, the global average phish-prone percentage sits at 33.1%. This means roughly one in three employees will click a malicious link or enter credentials when targeted.

After 90 days of consistent training and simulation, expect approximately a 40% reduction in susceptibility. By the 12-month mark, well-run programmes typically achieve an 86% reduction, bringing click rates down to around 4.1%.

However, these benchmarks assume continuous, behaviour-focused training — not annual compliance modules. If your programme runs quarterly or annually, these timelines extend significantly.

Size and Sector Matter

Your organisation’s size and industry influence what “good” looks like. Smaller organisations (1-250 employees) typically start with a lower baseline phish-prone percentage of 24.6%, while large enterprises (10,000+ employees) often begin at 40.5%.

Healthcare and pharmaceutical organisations face the highest baseline risk at 41.9%, reflecting the valuable data they hold and the sophisticated attacks they attract.

The 7 Metrics That Actually Prove Effectiveness

Move beyond completion rates and click statistics. These seven metrics demonstrate genuine security improvement that will satisfy leadership scrutiny.

1. Phishing Reporting Rate

Track the percentage of employees who identify and report simulated phishing attempts rather than ignoring them. Industry data shows 20% of users report phishing during simulation exercises, but this varies significantly based on programme maturity and organisational culture.

Target a reporting rate above 15% within six months. More importantly, track the trend — a steady increase in reporting demonstrates growing security awareness across your workforce.

2. Real-World Threat Reporting Rate

This metric separates simulation performance from actual security behaviour. Monitor how often employees report genuine suspicious emails, not just test messages.

Compare monthly reports of real threats against the volume of actual malicious emails reaching your organisation. A programme that increases real-world reporting demonstrates practical security value beyond simulation scores.

3. Repeat-Clicker Reduction Rate

Define repeat clickers as employees who fail three or more phishing simulations within a six-month period. Track how this group responds to targeted intervention.

Research shows targeted, personalised training can reduce repeat phishing victims by 63% within six months. However, avoid punitive approaches — academic studies demonstrate mandatory additional training provides no benefit for the most susceptible participants.

4. Average Time to Report

Measure how quickly employees report suspicious emails after receiving them. Faster reporting reduces the window for successful attacks across your organisation.

Industry data shows the median time to click a malicious link is just 21 seconds. Employees who report threats within two hours significantly limit potential damage from real attacks.

5. Knowledge Retention Score

Test practical security knowledge monthly through brief assessments, not lengthy training modules. Focus on current threat recognition rather than policy memorisation.

Track knowledge retention over time. Sustained scores above 80% indicate information is moving from short-term compliance to genuine understanding.

6. Security Incident Frequency

Connect your awareness programme metrics to actual security incidents. Track monthly reports of successful phishing attacks, credential compromises, or malware infections that originated from employee actions.

This lagging indicator provides the clearest business case for programme effectiveness. Research indicates mature security awareness programmes can reduce average breach costs by $232,867.

7. Miss Rate

Track employees who neither click nor report during phishing simulations. This “miss rate” represents a hidden risk — people who might ignore real threats entirely.

A high miss rate often indicates simulation fatigue or unclear reporting processes. Address this through programme design changes rather than additional training volume.
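The definitions above (click rate, reporting rate, repeat clickers as three or more failures inside a six-month window, time to report, and miss rate as neither clicking nor reporting) are easy to get subtly wrong when computed from raw simulation exports. The following added example, not code from the original article or from any vendor platform, computes them over a constructed set of results from four employees across four monthly campaigns; the `SimResult` shape and the `reduction` helper are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimResult:                       # assumed shape of one simulation outcome
    employee: str
    sent: datetime                     # when the simulated phish was delivered
    clicked: bool                      # followed the link / submitted credentials
    reported_at: Optional[datetime]    # None = never reported

def click_rate(rs): return sum(r.clicked for r in rs) / len(rs)
def report_rate(rs): return sum(r.reported_at is not None for r in rs) / len(rs)
def miss_rate(rs):
    """Metric 7: neither clicked nor reported, the silent-ignore population."""
    return sum(not r.clicked and r.reported_at is None for r in rs) / len(rs)
def median_minutes_to_report(rs):
    """Metric 4: median delay between delivery and report, reporters only."""
    return median((r.reported_at - r.sent).total_seconds() / 60
                  for r in rs if r.reported_at is not None)
def repeat_clickers(rs, threshold=3, window=timedelta(days=182)):
    """Metric 3: employees with >= threshold failures inside any rolling window."""
    clicks = defaultdict(list)
    for r in rs:
        if r.clicked:
            clicks[r.employee].append(r.sent)
    flagged = []
    for emp, dates in clicks.items():
        dates.sort()                   # check every run of `threshold` consecutive clicks
        for i in range(len(dates) - threshold + 1):
            if dates[i + threshold - 1] - dates[i] <= window:
                flagged.append(emp); break
    return sorted(flagged)
def reduction(baseline, current):
    """Relative improvement between two click rates (0.5 -> 0.25 gives 0.5)."""
    return (baseline - current) / baseline

# Constructed sample: (employee, campaign index, clicked, minutes until report or None)
BASE = datetime(2025, 1, 6)
ROWS = [("alice", 0, True, None), ("alice", 1, True, None), ("alice", 2, True, None), ("alice", 3, False, 30),
        ("bob", 0, False, 45), ("bob", 1, False, 120), ("bob", 2, False, 15), ("bob", 3, False, 10),
        ("carol", 0, True, None), ("carol", 1, False, None), ("carol", 2, False, None), ("carol", 3, False, 240),
        ("dave", 0, False, None), ("dave", 1, True, 90), ("dave", 2, False, None), ("dave", 3, True, None)]
RESULTS = [SimResult(e, BASE + timedelta(days=30 * c), k,
                     None if m is None else BASE + timedelta(days=30 * c, minutes=m)) for e, c, k, m in ROWS]
def campaign(rs, idx): return [r for r in rs if r.sent == BASE + timedelta(days=30 * idx)]

if __name__ == "__main__":
    print(f"click {click_rate(RESULTS):.1%} report {report_rate(RESULTS):.1%} miss {miss_rate(RESULTS):.1%}")
    print("median minutes to report:", median_minutes_to_report(RESULTS), "repeat clickers:", repeat_clickers(RESULTS))
    print(f"click-rate reduction, campaign 0 -> 3: {reduction(click_rate(campaign(RESULTS, 0)), click_rate(campaign(RESULTS, 3))):.0%}")
```

Note that dave both clicked and reported in campaign 1, so click rate and reporting rate do not sum with the miss rate to 100%; report the four outcome buckets separately when presenting to leadership.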

How Do You Account for Simulation Difficulty?

Not all phishing simulations test the same skill level. A 15% click rate on an obvious scam means something entirely different from 15% on a sophisticated, targeted attack.

NIST (the US National Institute of Standards and Technology) publishes a Phish Scale that rates email difficulty using observable characteristics such as sender legitimacy, urgency cues, and request plausibility. Controlled research confirms this scale predicts user behaviour: click rates rise from 7.0% for easy simulations to 15.0% for difficult ones.

Calibrate your click-rate expectations against simulation difficulty. Consistent performance against progressively harder tests demonstrates genuine skill development, not just familiarity with obvious scams.

What About Multi-Channel Attacks?

Email phishing represents only one attack vector. Threat intelligence shows a 442% increase in voice phishing attacks during 2024, while AI-supported social engineering now represents over 80% of observed attacks worldwide.

Modern programmes should test employee responses to:

  • SMS phishing (smishing) attempts
  • Voice phishing (vishing) calls
  • QR code-based attacks
  • Multi-factor authentication fatigue attacks

Measuring only email click rates provides a systematically incomplete picture of your organisation’s human risk exposure.

How Do You Present These Numbers to Leadership?

Transform your metrics into a business-focused narrative that non-technical executives can act on. Structure your quarterly report around three key messages:

Risk reduction: “Our phishing susceptibility dropped from 33% to 12% this quarter, representing a 64% reduction in human-related breach risk.”

Detection capability: “Employee threat reporting increased 40% quarter-over-quarter, with average reporting time improving from 4 hours to 45 minutes.”

Cost avoidance: “Based on industry breach cost data, our programme improvements represent approximately $150,000 in estimated cost avoidance this quarter.”

Lead with outcomes, not activities. Avoid jargon. Connect every metric to business risk or operational benefit.

What the Research Actually Says About Training Effectiveness

The evidence on security awareness training effectiveness is more nuanced than most vendors acknowledge. While industry benchmark reports show impressive improvement statistics, recent academic research reveals significant limitations in traditional approaches.

A landmark 2025 study involving over 12,000 employees found no statistically significant training effects on clicking or reporting behaviour in a controlled environment. This directly challenges the conventional wisdom that any training automatically reduces risk.

However, other research demonstrates that sustained, frequent, behaviour-focused programmes do work. Studies tracking employees over 15 months show that continuous simulation and targeted coaching can halve successful compromise rates within six months.

The key distinction appears to be programme design and frequency. Annual compliance training largely fails. Monthly simulation with personalised feedback succeeds. Your measurement approach should account for this difference.

Legal and Privacy Considerations

Tracking individual employee behaviour through phishing simulations creates potential employment law and data protection implications, particularly under regulations like GDPR.

Individual click tracking, risk scoring, and detailed behavioural logging constitute employee monitoring. Before implementing comprehensive individual-level tracking, consult your legal and HR teams about data protection impact assessments and employment law requirements in your jurisdiction.

Consider whether aggregate reporting meets your measurement needs while reducing legal complexity and maintaining employee trust.

How Do You Avoid Creating a Blame Culture?

How you communicate measurement affects the data itself. Employees who feel surveilled rather than supported stop reporting suspicious emails — they don’t want association with another “failure.”

Frame metrics collection as programme improvement, not individual assessment. Emphasise that clicking a simulation provides valuable learning, not evidence of incompetence. Make clear that reporting suspicious emails — whether simulations or real threats — represents positive security behaviour.

Platforms like Complorer are designed specifically to balance effective measurement with supportive employee experience, focusing on positive reinforcement rather than punitive tracking.

What Should You Do Next?

Start with the three highest-impact metrics: phishing reporting rate, real-world threat reporting, and repeat-clicker reduction. These provide immediate insight into whether your programme creates genuine behavioural change.

Benchmark your current numbers against the industry standards provided above, adjusted for your organisation size and sector. If you’re significantly below benchmark after six months of training, consider increasing simulation frequency or improving programme design rather than adding more content.

Most importantly, connect your security awareness metrics to broader business risk indicators. Leadership invests in programmes that demonstrably reduce organisational risk, not ones that merely satisfy compliance requirements.

Frequently Asked Questions

What’s a good phishing click rate after 6 months of training?

Industry benchmarks suggest a 40% reduction from baseline within 90 days, continuing to approximately 15-20% click rate by month six for most organisations. The exact target depends on your baseline, simulation difficulty, and training frequency.

How often should you run phishing simulations to see improvement?

Research supports monthly simulations for optimal results. Quarterly or annual testing provides insufficient feedback loops for behavioural change. Weekly simulation may create fatigue and resentment.

Should you track individual employee performance or only team averages?

Individual tracking enables targeted coaching but raises legal and cultural concerns. Many organisations achieve effective measurement through team or departmental averages combined with anonymous individual coaching for repeat clickers.

What if your click rates aren’t improving despite training?

Static click rates after six months typically indicate programme design issues, not employee problems. Consider increasing simulation frequency, improving feedback quality, or addressing simulation fatigue through varied attack scenarios.

How do you measure security awareness training ROI?

Calculate ROI using breach cost avoidance based on risk reduction percentages and industry average breach costs. A programme reducing breach likelihood by 50% theoretically avoids $2.22 million in potential costs based on current industry averages.

References

  1. Verizon Business. (2024). 2024 Data Breach Investigations Report.
  2. Rozema, A., et al. (2025). Anti-Phishing Training (Still) Does Not Work: A Large-Scale Reproduction.
  3. Merritt, M., et al. (2024). Building a Cybersecurity and Privacy Learning Program. NIST SP 800-50 Rev.1.
  4. Anonymous. (2025). Sustaining Cyber Awareness: The Long-Term Impact of Continuous Phishing Training.
  5. IBM Security. (2025). Cost of a Data Breach Report 2025.

Author

Complorer
