Effective Metrics for Measuring Success in Security Awareness Programs
Learn how to measure the success of your security awareness programs using metrics like phish-prone percentage, security culture assessments, and behavioral changes.
How To Measure the Benefits of a Successful Security Awareness Program
Added on 10/02/2024
Speaker 1: So, if you're interested in how to measure success for awareness, there's actually a number of different ways to do that. Many are included within the console of the security awareness provider that you've chosen, like KnowBe4. We can help you measure what's called phish-prone percentage, so you understand how susceptible your people are to being attacked through the phishing vector before any type of awareness that you do. And then ultimately, after running those awareness campaigns over time, you see the effectiveness of that because the phish-prone percentage for your people will go down. Another way is to measure the security culture of your organization across the seven different dimensions that we talk about. And then here's the really important thing to realize. If you can imagine a behavior that's important for your organization when it comes to human-based risk, you can usually find a way to measure it. And the example that I like to give is, if you're trying to encourage people to use the shredding bins more in your offices, then measure the weight or the volume within your shredding bins before you've done any type of awareness campaign on that. Then run your awareness campaign and measure the volume for a period of time after that. Then run the campaign again and measure after that. Ultimately, you should see a behavioral change. And if you don't, then find a way to change that a little bit. You put a poster over it in addition to the video that you sent out or whatever that first mechanism was. But ultimately, if you can think of a behavior that you want to change, you can also find a way, either digitally or physically, to measure that, and then you can start to change that or you can start to show that improvement over time.

Speaker 2: When you look at your program as a project to start with, one of the first steps is to define its intent, regulatory and compliance requirements, training needs, the simulated social engineering you'll be doing, key success measures, and reporting. You'll uncover benefits to your organization along the way during this big step, and you'll be able to list them all down to present back to your executive team when you're asking for their sign-off and support, as well as when you present it to your end users, the people of your organization, because they need to see the benefits and understand what's in it for them and why it's so critical that they have an important role to play. And remember, your benefit also needs to link back to the initial intent of your program.

Speaker 3: It's important to work out what your measurements and baselines are before you embark on a security awareness campaign. That way you will know throughout the process how you're performing and what benefits it's bringing. Some things are easier to measure than others, so you can measure things like click-through rate on phishing emails or the number of phishing emails reported by your staff. But then there are broader behaviors, and those are things that you would need to capture separately using some internal tools or surveys or just observing general behavior. And through that, you can measure to see what difference is made and the improvements it's made to your overall organizational risk profile.

Speaker 4: When it comes to measuring the success of your security awareness program, it's always important to have metrics. It's what's going to help drive the decisions for upper management for keeping with the program and keeping it going. And with metrics, one of the key ones for us, of course, is the phish-prone percentage. Having a way to be able to measure how well people are not falling for those social engineering scams or those phishing emails that are coming in, and being able to measure that over time, giving yourself that baseline, and then reporting on it on a monthly basis on how either different parts of the organization, different departments, or even the organization as a whole is doing. So that way, management can focus on making sure that the users in that department can effectively recognize a phishing test. So essentially, having that metric of your phish-prone percentage is going to go a long way.

Speaker 5: So there are a couple of indicators that can be used to measure the effectiveness of your security awareness program. A really good one would be to conduct a security culture or security proficiency assessment right at the beginning of your journey. And that will also highlight any weaknesses that you may want your program to focus on. And then if you run that again after 12 months or so, it will actually show your improvements over time. And then phish-prone percentage, as well as phish reporting numbers, are also good metrics to report on. But they always need to be reported in context because, for example, a really easy-to-spot phish will result in a much lower percentage than, for example, a much more sophisticated spear phishing type of simulation.
