Security awareness programs often default to measuring success through phishing click rates, but true effectiveness requires a more comprehensive approach. This talk will explore how to build a robust security awareness metrics strategy that goes beyond surface-level engagement and creates a feedback loop for continuous improvement.
Attendees Will Learn How To:
- Identify and Track High-Risk Groups: Not all users pose the same risk. We’ll discuss why you should leverage metrics to track high-risk user groups—such as those with privileged access, frequent security violations, or those traveling to higher-risk regions—and tailor education accordingly.
- Set and Measure Long-Term Training Goals: Measuring awareness requires a multi-year approach. This talk will outline strategies for setting meaningful security training goals over a 2–3 year period, including tracking improvements in user behavior, reporting rates, and secure decision-making.
- Develop Holistic Security Metrics: A strong awareness program integrates multiple data points—such as phishing simulation results, training completion, engagement with the security team, and security tool usage—to paint a clearer picture of a security awareness program. We’ll discuss how to aggregate these metrics into meaningful insights.
- Use Metrics as a Feedback Loop: Security awareness should not be a one-and-done effort. We’ll cover how to use metrics to refine content, adjust the approach to engagements, and drive the direction of your security awareness program. By continuously analyzing metrics, teams can identify trends, adapt training approaches, and demonstrate measurable security improvements over time.
By the end of this session, security awareness professionals will walk away with a practical framework for tracking engagement metrics that truly reflect behavioral change, risk reduction, and the long-term impact of their awareness programs.
Sarah Kate is a Director of Information Security at The New York Times leading the security operations teams.
Read more about Sarah Thomas