What are metrics for awareness success?
Click rates: the percentage of employees who click on simulated **phishing** should decrease over time. Comparing the baseline with the current rate shows improvement. The target varies by organization, but sub-5% is often the goal.
Reporting rates: the percentage of **phishing** (real and simulated) that is reported should increase. A high reporting rate indicates a security-conscious culture. Reporting matters more than just not clicking.
Time-based metrics: how quickly threats are reported, how many are reported before someone clicks, and how response time compares to industry benchmarks. Speed of detection indicates program maturity.
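An added example (not part of the original answer) that computes these three kinds of metric from a simulated-campaign event log. The campaign names, the event format and every sample value are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample data: two simulated campaigns, 20 recipients each.
# Each event is (user, action, ISO timestamp); action is "click" or "report".
CAMPAIGNS = {
    "baseline": {"sent_at": "2024-01-10T09:00:00", "recipients": 20, "events": [
        ("u01", "click", "2024-01-10T09:04:00"),
        ("u02", "click", "2024-01-10T09:10:00"),
        ("u03", "report", "2024-01-10T09:30:00"),
        ("u04", "click", "2024-01-10T10:00:00"),
        ("u02", "report", "2024-01-10T10:15:00"),
        ("u05", "click", "2024-01-10T11:00:00"),
    ]},
    "current": {"sent_at": "2024-06-12T09:00:00", "recipients": 20, "events": [
        ("u03", "report", "2024-06-12T09:02:00"),
        ("u07", "report", "2024-06-12T09:05:00"),
        ("u01", "click", "2024-06-12T09:06:00"),
        ("u09", "report", "2024-06-12T09:08:00"),
        ("u01", "report", "2024-06-12T09:20:00"),
        ("u11", "report", "2024-06-12T09:40:00"),
    ]},
}

def campaign_metrics(campaign):
    """Return click rate, report rate and time-based metrics for one campaign."""
    sent = datetime.fromisoformat(campaign["sent_at"])
    clicks, reports = {}, {}
    for user, action, ts in campaign["events"]:
        bucket = clicks if action == "click" else reports
        t = datetime.fromisoformat(ts)
        # Count each user once, at their earliest click or report.
        bucket[user] = min(t, bucket.get(user, t))
    first_click = min(clicks.values(), default=None)
    # Minutes from send time to each user's first report, ascending.
    delays = sorted((t - sent).total_seconds() / 60 for t in reports.values())
    return {
        "click_rate": len(clicks) / campaign["recipients"],
        "report_rate": len(reports) / campaign["recipients"],
        # With no click at all, every report counts as "before a click".
        "reports_before_first_click": sum(
            1 for t in reports.values() if first_click is None or t < first_click),
        "minutes_to_first_report": delays[0] if delays else None,
        "median_minutes_to_report": median(delays) if delays else None,
    }

if __name__ == "__main__":
    for name, campaign in CAMPAIGNS.items():
        print(name, campaign_metrics(campaign))
```
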