Security Awareness Metrics

Security Awareness Metrics

Metrics give you the ability to track and measure the impact of your security awareness program. This can be used to improve your training, demonstrate return on investment, or compare your human risk to other organizations in your industry. These resources are developed for the community and unless otherwise stated are distributed under the Creative Commons BY-NC-SA 4.0 license. Please send any feedback on how to improve these resources to

Metrics Matrix

This spreadsheet identifies and documents different options for measuring your security awareness program. It includes metrics for both measuring impact (change in behavior) and for tracking compliance.

Measuring Human Risk - Survey

This twenty-five question survey acts as a Human Vulnerability Scanner, allowing you to measure certain human behaviors, beliefs and perceptions concerning information security. This survey was developed in part by Dr. Lance Hayden, author of IT Security Metrics.


Phishing assessments are one of the most effective ways to not only measure but reinforce the impact of your security awareness training.