Cyber Works

Analyzing The Impact Of A Security Awareness Training Program On An Organization

Assessing The Impact Of A Security Awareness Training Program 

Isaas Lozada 

Old Dominion University 

CYSE 425W 

Dr. Mehr

11/30/25

Assessing The Impact Of A Security Awareness Training Program 

To gauge the strength of a Security Awareness Training program, I created an evaluation model known as a Cybersecurity Culture Maturity Model. The model helps a company understand where it currently ranks and where improvement is needed. The table below displays the four levels of maturity.

Maturity Level | Culture Outlook | Behavior of Employee
Clueless | Security is strictly viewed as a responsibility of the IT Department. No training across departments. | Employees have no knowledge of threats, constantly fall for phishing attacks, and do not report suspicious activity.
Compliant | Security is known as a compliance issue. Training is an annual event conducted just to meet regulations. | Employees view security training as a boring task. They follow general rules but do not proactively defend.
Security Conscious | The majority of employees understand cyber vulnerabilities. The training program is regular and reporting is encouraged. | The majority of employees can identify phishing attacks and are more likely to report mistakes or suspicious activity.
Security Resilient | Security is a top priority within the company. All employees understand the duty of defending the company. | Employees work with the security team often. They possess a proactive mindset against threats and report sophisticated attacks.

A Security Awareness Training program is the strongest cybersecurity policy, because it is the only strategy that targets the lapses of the human element. However, for a strategy to be deemed “effective”, it must be measured by its success. The strength of a security awareness program can be audited with a two-part approach that combines quantitative metrics with a qualitative framework I have created, known as the “Cybersecurity Culture Maturity Model”. This evaluation is not only about identifying a single number. It is solid proof that a program is proactively changing employee behavior and bolstering the company’s security culture over time.

We must first understand how experts gauge these policies. In scholarly and industry reports, the assessment focuses directly on multiple data-driven metrics. Experts at top organizations like the SANS Institute advise tracking the phishing simulation click rate, which is the percentage of employees who fail when tested with a simulated phishing attack (Spitzner, 2023). Another essential metric is the employee report rate: how frequently are employees reporting malicious emails? A valid program will display the click rate declining over time while the reporting rate improves drastically. These metrics provide definite, numerical proof that employees are learning how to spot attacks and are becoming proactive participants in defending the company’s assets (Collard et al., 2024).

My own assessment will use these industry-certified metrics as the foundation, but it will also incorporate them into my Cybersecurity Culture Maturity Model. The model provides the exact context for what the numbers actually represent. My model has four tiers: Clueless, Compliant, Security-Aware, and Security Resilient. The quantitative data determines a company’s place on this model. A high click rate paired with a low report rate indicates that an organization is at Tier 1, “Clueless.” As the metrics improve, an organization can provide solid proof that it is rising to the “Compliant” tier in pursuit of the “Security-Aware” tier.
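An added example, not part of the paper, showing how the two metrics described above (click rate and report rate per simulated phishing campaign) can be computed from constructed campaign records, checked for the expected trend (clicks falling, reports rising), and mapped onto the maturity model's tiers. The numeric tier thresholds and the quarterly sample data are assumptions for illustration; the paper only states that a high click rate with a low report rate means Tier 1 and that improving metrics move a company up, and it names the third tier both "Security Conscious" (table) and "Security-Aware" (text).

```python
from dataclasses import dataclass

@dataclass
class Campaign:
    """One simulated phishing campaign: recipients, clicks, reports to security."""
    name: str
    sent: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent

# Assumed thresholds (not from the paper): the text only says a high click rate
# with a low report rate means Tier 1 and that improving metrics move a company up.
TIERS = (
    # (max click rate, min report rate, tier name), strictest first
    (0.05, 0.70, "Security Resilient"),
    (0.15, 0.40, "Security Conscious"),  # the paper also calls this tier "Security-Aware"
    (0.30, 0.15, "Compliant"),
)

def classify(campaign: Campaign) -> str:
    """Map one campaign's metrics to a maturity tier; both conditions must hold."""
    for max_click, min_report, tier in TIERS:
        if campaign.click_rate <= max_click and campaign.report_rate >= min_report:
            return tier
    return "Clueless"

def trend(campaigns: list) -> dict:
    """The paper's success criterion: click rate falling and report rate rising
    across consecutive campaigns."""
    clicks = [c.click_rate for c in campaigns]
    reports = [c.report_rate for c in campaigns]
    return {
        "click_rate_declining": all(b < a for a, b in zip(clicks, clicks[1:])),
        "report_rate_improving": all(b > a for a, b in zip(reports, reports[1:])),
    }

# Constructed sample data: one organization over four quarterly campaigns.
SAMPLE = [
    Campaign("Q1", sent=200, clicked=80, reported=10),  # 40% click, 5% report
    Campaign("Q2", sent=200, clicked=50, reported=40),  # 25% click, 20% report
    Campaign("Q3", sent=200, clicked=24, reported=90),  # 12% click, 45% report
    Campaign("Q4", sent=200, clicked=8, reported=150),  # 4% click, 75% report
]
```

Running `classify` over `SAMPLE` walks the organization from Clueless through Compliant and Security Conscious to Security Resilient, and `trend(SAMPLE)` confirms both metrics moved the way the paper says a valid program should show.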

When gauging the effectiveness of this strategy, we must account for the social, ethical, and political implications. The main ethical challenge is that the phishing scenarios must actively trick your own employees. That is why the analysis must be used as a tool for empowering, not punishing, employees. If the company uses these metrics to punish employees or departments, it will breed a culture of fear and secrecy in which employees hide their mistakes (Karyda, 2007). The evaluation must serve a positive, educational function.

This evaluation would clearly demonstrate success. The assessment would provide leadership with exactly the results they want to see reflected: metrics that show a return on investment and a crystal-clear model that displays overall improvement in the organization’s security hygiene. This program is not just used to check a box for compliance; it is viewed as an investment that reduces the organization’s human risk. This is the ideal gauge for assessing the impact of the strategy.

References 

Collard, A., Colbert, M., Gillet, J., Huisman, J. G., & Kron, E. (2024, November 1). 2024 phishing attack landscape and benchmarking: The data you need to know. KnowBe4. https://www.knowbe4.com/hubfs/final_2024_phishing_benchmark_report.pdf?hsLang=en

Karyda, M. (2007, September 18). Fostering information security culture in organizations: A research agenda. CORE. https://core.ac.uk/download/pdf/301373754.pdf

Spitzner, L. (2023, July 25). SANS 2023 security awareness report: Managing human risk. SANS Institute. https://www.sans.org/blog/sans-2023-security-awareness-report-managing-human-risk