Metrics and Measures



Every security initiative, including awareness programs, should be collecting metrics so that the effect of the program can be understood and the impacts of changes to the program can be tracked. Unlike measuring technical controls, measuring the effects of a security awareness program can be tricky, and as a result, few trainers track the long-term effectiveness of their awareness programs (Ponemon-SATrends-2014). According to a 2014 Ponemon study, the most common methods organizations use to track training impact is to measure the user’s knowledge right after training or to run user satisfaction surveys. While these metrics can be useful and easy to collect and measure over time, there are many other metrics that could also be considered. Unfortunately, not all metrics can be objectively measured, and the leaders of each organization need to determine which metrics will be informative for them in their unique situation. This makes defining and collecting metrics a mix of art and science. Despite the subjective nature of the problem, there are methods of gathering useful metrics that your organization can use to track the ongoing effectiveness of your security awareness program.


Security Awareness Program Specific Triggering Conditions Subjective Metrics Participatory Action Learning Visit Trends 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Ponemon. The state of information security awareness: Trends and developments. Technical report, Ponemon Institute, 2014.

Copyright information

© Jordan Schroeder 2017

Authors and Affiliations

  1. 1.EdinburghUK

Personalised recommendations