ELI5: What are Metrics?

A coach tracks how many goals the team scores and how many practices players attend. Security metrics do the same thing — they measure numbers like how many people clicked a fake phishing email or finished their training, so you can see if things are getting better.

Definition

Security awareness program metrics are quantitative measures used to evaluate the effectiveness of training efforts and the security behavior of the workforce. Key metrics include phishing simulation click rates, training module completion rates, incident reporting volumes, and mean time to report a suspicious event. These metrics enable organizations to identify high-risk populations, measure improvement over time, and demonstrate the ROI of security awareness investments.

Key Details

  • Phishing click rate: percentage of employees who clicked a simulated phishing link (clicks divided by messages delivered); should fall over time with training. Because it depends heavily on how convincing the lure is, compare campaigns of similar difficulty rather than raw quarter-to-quarter numbers
  • Training completion rate: percentage of employees who completed required training by the deadline; a compliance metric, not a behaviour metric
  • Incident reporting volume: number of suspicious events reported by employees; higher is generally better (it indicates an active reporting culture). In simulations the report rate (reports divided by messages delivered) is often more telling than the click rate, since a user who clicks and then reports still limits the damage
  • Mean time to report: how quickly employees escalate suspicious activity, measured from delivery to report; shorter is better because it narrows the window before responders can act
  • Metrics should be broken down by department or role, reviewed at least quarterly, and used to target additional training at high-risk groups
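The following is an added example, not code from the original page or from any awareness-training product: it computes the metrics listed above per department from a constructed phishing-simulation export, flags high-risk departments, and computes a training completion rate against a deadline. All users, departments, timestamps, the 30% click-rate threshold and the function names are hypothetical.

```python
"""Added example: security-awareness metrics from a constructed simulation export."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class SimEvent:
    user: str
    department: str
    delivered: datetime
    clicked: Optional[datetime]   # None if the user never clicked the lure
    reported: Optional[datetime]  # None if the user never reported it


# Constructed sample data (hypothetical users and departments).
T0 = datetime(2024, 4, 1, 9, 0)
EVENTS: List[SimEvent] = [
    SimEvent("u1", "finance", T0, T0 + timedelta(minutes=3), None),
    # u2 clicked and then reported: counts toward both rates on purpose
    SimEvent("u2", "finance", T0, T0 + timedelta(minutes=8), T0 + timedelta(minutes=12)),
    SimEvent("u3", "finance", T0, None, T0 + timedelta(minutes=5)),
    SimEvent("u4", "finance", T0, T0 + timedelta(minutes=30), None),
    SimEvent("u5", "eng", T0, None, T0 + timedelta(minutes=2)),
    SimEvent("u6", "eng", T0, None, T0 + timedelta(minutes=40)),
    SimEvent("u7", "eng", T0, T0 + timedelta(minutes=15), None),
    SimEvent("u8", "eng", T0, None, None),  # neither clicked nor reported
]

# Constructed training records: user -> completion time, None if not completed.
COMPLETIONS: Dict[str, Optional[datetime]] = {
    "u1": T0 - timedelta(days=1),
    "u2": None,
    "u3": T0 + timedelta(days=2),  # completed, but after the deadline
    "u4": T0 - timedelta(days=2),
}


def campaign_metrics(events: List[SimEvent]) -> Dict[str, dict]:
    """Per-department click rate, report rate and mean time to report (minutes)."""
    by_dept: Dict[str, List[SimEvent]] = {}
    for e in events:
        by_dept.setdefault(e.department, []).append(e)

    result = {}
    for dept, evs in by_dept.items():
        delivered = len(evs)
        clicked = sum(1 for e in evs if e.clicked is not None)
        reported = sum(1 for e in evs if e.reported is not None)
        # Time to report is measured from delivery, only for users who reported.
        ttr = [(e.reported - e.delivered).total_seconds() / 60
               for e in evs if e.reported is not None]
        result[dept] = {
            "delivered": delivered,
            "click_rate": clicked / delivered,
            "report_rate": reported / delivered,
            "mean_time_to_report_min": mean(ttr) if ttr else None,
        }
    return result


def high_risk_departments(metrics: Dict[str, dict], max_click_rate: float = 0.30) -> List[str]:
    """Departments whose click rate exceeds the (hypothetical) threshold, worst first."""
    flagged = [d for d, m in metrics.items() if m["click_rate"] > max_click_rate]
    return sorted(flagged, key=lambda d: metrics[d]["click_rate"], reverse=True)


def completion_rate(completions: Dict[str, Optional[datetime]], deadline: datetime) -> float:
    """Share of users who completed training on or before the deadline."""
    done = sum(1 for t in completions.values() if t is not None and t <= deadline)
    return done / len(completions)


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for dept, vals in m.items():
        print(dept, vals)
    print("high risk:", high_risk_departments(m))
    print("training completion by deadline:", completion_rate(COMPLETIONS, T0))
```

Note that a user who clicks and then reports (u2 above) is deliberately counted in both the click rate and the report rate; collapsing the two into a single "pass/fail" score hides the reporting behaviour that actually shortens response time.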

Connections