TLDR: Most security awareness programs score 1 out of 4 on the maturity scale because they track completion rates instead of behavior. This framework scores your program across five metrics and gives you a 90-day roadmap to reach Level 3 or 4.
Your quarterly report shows 94% training completion. The board nods. Compliance is satisfied. Six months later, a finance clerk clicks a fake invoice and your incident response team spends a week containing the fallout.
Completion rate was never the right metric. It measures who sat through a video, not who changed their behavior. NIST SP 800-50 Rev. 1 explicitly calls for evaluating awareness programs for effectiveness, not just logging completions [1]. The guidance separates awareness (broad culture) from training (role-based skills) and demands outcome metrics in the post-implementation phase.
Yet 49% of US senior tech leaders still rely on employee quiz results to measure training effectiveness [2]. Quizzes test recall under calm conditions. Simulations test behavior under pressure. The gap between those two numbers is where attackers operate.
The problem is not a lack of data. It is a lack of a scoring model that turns data into action. This framework solves that.
The Framework
The Security Awareness Measurement Framework scores programs across five behavioral metrics on a four-level maturity scale:
| Level | Name | What It Means |
|---|---|---|
| 1 | Reactive | Tracking completion and basic click rates. No trend analysis. |
| 2 | Emerging | Tracking trends for 2+ metrics. Interventions are manual. |
| 3 | Managed | Tracking all five metrics with automated interventions and quarterly board reporting. |
| 4 | Optimized | Predictive risk scoring, real-time behavioral dashboards, and defensible ROI calculations tied to breach cost avoidance. |
Score each metric from 1 to 4. Your program maturity is the average. Most organizations score between 1.0 and 1.8. Programs that actually reduce breaches score 3.0 or higher.
Metric 1: Phishing Simulation Click Rate Trend
This is the baseline behavioral indicator. KnowBe4’s 2025 Phishing by Industry Benchmarking Report, based on 67.7 million simulated phishing tests across 14.5 million users in 62,400 organizations, found a global average baseline Phish-prone Percentage (PPP) of 33.1% [3].
| Level | Criteria | Evidence Standard |
|---|---|---|
| 1 | Running simulations but only reporting point-in-time click rates per campaign | Single-campaign snapshots with no baseline comparison |
| 2 | Tracking click rate trend over 90+ days with baseline established | Chart showing baseline PPP and at least two follow-up measurements |
| 3 | Quarterly trend reporting with template rotation and industry benchmarking | Click rate tracked by department/role against internal and external benchmarks |
| 4 | Predictive modeling that flags template fatigue and auto-adjusts difficulty | Algorithmic difficulty calibration with documented correlation to real-world threat intelligence |
How to advance: If you are at Level 1, run a baseline simulation across your full user base this week. Record PPP by department. Set a 90-day remeasurement cadence. At Level 2, rotate simulation templates monthly to prevent users from learning your style instead of attack patterns. At Level 3, benchmark against KnowBe4’s industry-specific data and report trends, not snapshots.
After 90 days of combined computer-based training and simulated phishing, PPP drops by over 40%. After 12 months, it falls by 86% — from 33.1% down to 4.1% [3]. But those numbers only materialize if you measure continuously, not per-campaign.
Metric 2: Reporting Rate
Click rate measures failure. Reporting rate measures the behavior you actually want: employees spotting threats and escalating them to your SOC.
| Level | Criteria | Evidence Standard |
|---|---|---|
| 1 | No reporting rate tracked | Cannot produce a percentage |
| 2 | Tracking simulation reporting rate manually | Spreadsheet or dashboard with monthly reporting counts |
| 3 | Tracking both simulation and real-threat reporting rates with trend analysis | Dual-rate dashboard showing correlation between training and operational reporting |
| 4 | Real-time reporting with automated SOC triage integration | Mean time from employee report to SOC ticket under 5 minutes |
How to advance: At Level 1, add a “Report Phishing” button to your email client today. At Level 2, set a target. Hoxhunt recommends an average simulation reporting rate of 70% or higher per employee as a benchmark for strong coverage [4]. At Level 3, track two rates: simulation reporting (training behavior) and real-threat reporting (operational behavior). When the two trend together, your training is transferring to real incidents.
Beauceron Security’s large-scale study of 6,293 employees across 257 organizations found that employees who completed a post-click reflective survey and follow-up training increased their reporting rate by 18% on average in the six months following the intervention [5]. The mechanism is simple: reporting-focused programs create positive reinforcement loops that completion-only programs cannot match.
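The following is an added example, not code from the article or from Symbol Security, showing what the Level 2 evidence standard for Metrics 1 and 2 looks like once you stop reporting snapshots: it takes a per-recipient export from a simulation platform, computes PPP and reporting rate per campaign (overall and by department), orders them into a trend, and reports the point change from the baseline. The export layout, campaign names, departments and user IDs are all constructed for the example; real platforms export different column names.

```python
from collections import defaultdict
from datetime import date

# Constructed sample export, one row per simulated phish delivered:
# (campaign, send date, department, user, clicked, reported).
# The layout is an assumption for this example, not a real platform's schema.
RESULTS = [
    ("Q1-baseline",  date(2025, 1, 15), "finance", "u01", True,  False),
    ("Q1-baseline",  date(2025, 1, 15), "finance", "u02", True,  False),
    ("Q1-baseline",  date(2025, 1, 15), "finance", "u03", False, True),
    ("Q1-baseline",  date(2025, 1, 15), "finance", "u04", False, False),
    ("Q1-baseline",  date(2025, 1, 15), "eng",     "u05", True,  False),
    ("Q1-baseline",  date(2025, 1, 15), "eng",     "u06", False, False),
    ("Q1-baseline",  date(2025, 1, 15), "eng",     "u07", False, True),
    ("Q1-baseline",  date(2025, 1, 15), "eng",     "u08", False, False),
    ("Q2-invoice",   date(2025, 4, 15), "finance", "u01", True,  False),
    ("Q2-invoice",   date(2025, 4, 15), "finance", "u02", False, True),
    ("Q2-invoice",   date(2025, 4, 15), "finance", "u03", False, True),
    ("Q2-invoice",   date(2025, 4, 15), "finance", "u04", False, False),
    ("Q2-invoice",   date(2025, 4, 15), "eng",     "u05", False, True),
    ("Q2-invoice",   date(2025, 4, 15), "eng",     "u06", False, False),
    ("Q2-invoice",   date(2025, 4, 15), "eng",     "u07", False, True),
    ("Q2-invoice",   date(2025, 4, 15), "eng",     "u08", True,  False),
    ("Q3-mfa-reset", date(2025, 7, 15), "finance", "u01", True,  False),
    ("Q3-mfa-reset", date(2025, 7, 15), "finance", "u02", False, True),
    ("Q3-mfa-reset", date(2025, 7, 15), "finance", "u03", False, True),
    ("Q3-mfa-reset", date(2025, 7, 15), "finance", "u04", False, True),
    ("Q3-mfa-reset", date(2025, 7, 15), "eng",     "u05", False, True),
    ("Q3-mfa-reset", date(2025, 7, 15), "eng",     "u06", False, True),
    ("Q3-mfa-reset", date(2025, 7, 15), "eng",     "u07", False, True),
    ("Q3-mfa-reset", date(2025, 7, 15), "eng",     "u08", False, False),
]


def campaign_metrics(rows):
    """PPP (click %) and reporting rate (%) per campaign, per department and overall."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for campaign, sent_on, dept, _user, clicked, reported in rows:
        # Count each row once under its department and once under "ALL".
        for key in ((campaign, sent_on, dept), (campaign, sent_on, "ALL")):
            c = counts[key]
            c["sent"] += 1
            c["clicked"] += int(clicked)
            c["reported"] += int(reported)
    metrics = {}
    for (campaign, sent_on, dept), c in counts.items():
        metrics[(campaign, dept)] = {
            "date": sent_on,
            "ppp": round(100 * c["clicked"] / c["sent"], 1),
            "reporting_rate": round(100 * c["reported"] / c["sent"], 1),
        }
    return metrics


def trend(metrics, dept="ALL"):
    """Chronological (campaign, ppp, reporting_rate) series for one department."""
    rows = sorted((v["date"], camp, v["ppp"], v["reporting_rate"])
                  for (camp, d), v in metrics.items() if d == dept)
    return [(camp, ppp, rr) for _d, camp, ppp, rr in rows]


def change_since_baseline(series):
    """Point change from the first (baseline) campaign to the latest one."""
    (_, ppp0, rr0), (_, ppp1, rr1) = series[0], series[-1]
    return {"ppp_change": round(ppp1 - ppp0, 1),
            "reporting_change": round(rr1 - rr0, 1)}


def evidence_level(series):
    """Map a series to the Metric 1 evidence standard: a single snapshot is
    Level 1; a baseline plus at least two follow-up measurements is Level 2."""
    return 2 if len(series) >= 3 else 1


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    for dept in ("ALL", "finance", "eng"):
        s = trend(m, dept)
        print(dept, s, change_since_baseline(s), "level", evidence_level(s))
```

In the constructed data the overall PPP falls from 37.5% to 12.5% while the reporting rate rises from 25% to 75%, which is the "two rates trending together" signal the text describes; the department split also shows that finance still carries a click rate the overall number hides.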
Metric 3: Mean Time to Report (Dwell Time)
Speed matters. The time between a phishing email landing in an inbox and the first employee report reaching your SOC is one of the strongest predictors of breach severity.
| Level | Criteria | Evidence Standard |
|---|---|---|
| 1 | No dwell time measurement | Cannot produce median hours |
| 2 | Manual calculation of time-to-report for reported simulations | Log review showing delivery timestamp to SOC notification timestamp |
| 3 | Automated dwell time tracking with median and percentile reporting | Dashboard showing median dwell time with 90th and 10th percentile outliers |
| 4 | Dwell time integrated with SOAR playbooks for automatic containment | SOC workflow triggers on sub-threshold dwell times without human intervention |
How to advance: At Level 1, start timestamping your next 10 reported simulations. Calculate median hours manually. At Level 2, build a simple script that parses email headers against your ticketing system. At Level 3, set targets based on your baseline. Adaptive Security research ties dwell time directly to cost: breaches detected in under 200 days cost millions less than those that linger [6].
IBM’s 2025 Cost of a Data Breach Report found that organizations using AI and automation extensively shortened breach times by 80 days and lowered average costs by $1.9 million [7]. But automation only helps if the SOC knows about the threat. Employee reporting is the trigger. When your awareness program shortens the window between email delivery and SOC notification, you are saving measurable money.
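Here is an added example of the Level 2 script the text describes, written for this page rather than taken from the article or any vendor: it pulls the delivery timestamp out of the top-most Received header of each reported message, pairs it with the SOC ticket creation time, and produces the median, 10th and 90th percentile dwell time in hours that the Level 3 evidence standard asks for. The headers, hostnames, addresses and ticket IDs are constructed placeholders; the nearest-rank percentile method is a choice for this example, not something the article specifies.

```python
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from math import ceil
from statistics import median


def sample_headers(received_stamp):
    # Constructed headers as a "Report Phishing" button would forward them:
    # a folded Received header (date after the last ';') plus From/Subject.
    return ("Received: from mx.example.test (mx.example.test [192.0.2.10])\n"
            f"\tby mail.example.test with ESMTPS; {received_stamp}\n"
            "From: billing@example.test\n"
            "Subject: Invoice 4471 overdue\n")


# Constructed sample: one entry per reported simulation, with the SOC ticket
# creation time taken from the ticketing system (ISO 8601, UTC).
REPORTED = [
    {"ticket": "SOC-1001", "ticket_created": "2025-03-03T09:42:00+00:00",
     "headers": sample_headers("Mon, 3 Mar 2025 09:30:00 +0000")},
    {"ticket": "SOC-1002", "ticket_created": "2025-03-03T11:00:00+00:00",
     "headers": sample_headers("Mon, 3 Mar 2025 10:30:00 +0100")},  # same instant, other zone
    {"ticket": "SOC-1003", "ticket_created": "2025-03-03T15:30:00+00:00",
     "headers": sample_headers("Mon, 3 Mar 2025 09:30:00 +0000")},
    {"ticket": "SOC-1004", "ticket_created": "2025-03-04T09:30:00+00:00",
     "headers": sample_headers("Mon, 3 Mar 2025 09:30:00 +0000")},
    {"ticket": "SOC-1005", "ticket_created": "2025-03-05T21:30:00+00:00",
     "headers": sample_headers("Mon, 3 Mar 2025 09:30:00 +0000")},
]


def delivery_time(raw_headers):
    """Timezone-aware delivery time from the first (most recent hop) Received header."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    if not received or ";" not in received[0]:
        raise ValueError("no dated Received header in message")
    # The date always follows the last ';' (comments earlier in the header may
    # also contain semicolons, hence rsplit).
    stamp = received[0].rsplit(";", 1)[1].strip()
    return parsedate_to_datetime(stamp)


def dwell_hours(report):
    """Hours between delivery to the mail server and the SOC ticket being opened."""
    delivered = delivery_time(report["headers"])
    opened = datetime.fromisoformat(report["ticket_created"])
    return round((opened - delivered).total_seconds() / 3600, 2)


def percentile(values, p):
    """Nearest-rank percentile: the smallest value with at least p% of data at or below it."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def dwell_stats(reports):
    """Level 3 evidence: median dwell time with 10th/90th percentile outliers."""
    hours = [dwell_hours(r) for r in reports]
    return {"n": len(hours), "median": median(hours),
            "p10": percentile(hours, 10), "p90": percentile(hours, 90)}


if __name__ == "__main__":
    for r in REPORTED:
        print(r["ticket"], dwell_hours(r), "h")
    print(dwell_stats(REPORTED))
```

The p90 value is the number to watch: in the constructed data the median is six hours, but one report took sixty, and that tail is where a real phish would have had the longest uncontested window. Note that the delivery timestamp comes from your own mail server's Received header, not from the Date header the sender controls.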
Metric 4: Repeat Offender Rate
Not all employees carry equal risk. KnowBe4’s data shows that large organizations (10,000+ employees) face a higher initial phishing risk, with a baseline PPP of 40.5% compared to 24.6% for organizations with 1–250 employees [3].
But risk is also concentrated at the individual level. Mimecast research shows that just 8% of employees account for 80% of security incidents [8]. These are not malicious actors. They are well-intentioned employees who become liabilities through fatigue, distraction, or role-specific exposure.
| Level | Criteria | Evidence Standard |
|---|---|---|
| 1 | No repeat offender tracking | Cannot identify users who fail multiple simulations |
| 2 | Manual list of users with 2+ clicks in 90 days | Spreadsheet or flagged user list with click counts |
| 3 | Automated repeat offender flagging with targeted intervention assignments | Workflow that assigns micro-training within 24 hours of a second click |
| 4 | Predictive risk clustering that identifies at-risk users before they click | Behavioral model flagging users based on role, email exposure volume, and historical patterns |
How to advance: At Level 2, define “repeat offender” as any user who clicks two or more simulations in a 90-day window. At Level 3, build an automated intervention: second click triggers a 5-minute reflective exercise plus role-specific training within 24 hours. Beauceron’s study found that almost two-thirds of repeat clickers had zero incidents in the six months after completing reflective follow-up [5]. At Level 4, integrate email gateway data to identify users who receive the highest volume of external mail — they need pre-emptive elevation, not post-click punishment.
Metric 5: Human Risk Score Trend
This is the capstone metric. Individual human risk scores aggregate simulation behavior, training completion, credential breach history, and real-incident reporting into a single dynamic indicator per employee.
| Level | Criteria | Evidence Standard |
|---|---|---|
| 1 | No composite risk scoring | Decisions made per-metric without aggregation |
| 2 | Static risk scoring updated monthly or quarterly | Spreadsheet with weighted formula recalculated periodically |
| 3 | Dynamic risk scores updated in real time with automated response triggers | Dashboard with drill-down by department, role, and geography |
| 4 | Predictive human risk modeling with board-ready breach cost avoidance calculations | Quarterly report showing estimated cost avoidance based on risk-reduced headcount |
How to advance: At Level 2, build a simple weighted formula: 40% click rate trend, 25% reporting rate, 20% repeat offender status, 15% training completion. Update monthly. At Level 3, automate the calculation and add triggers: users scoring above 70 on a 100-point scale get additional simulations; users below 30 get reduced frequency to avoid alert fatigue.
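The following added example, written for this page and not taken from the article or from Symbol Security, implements the Level 2 and Level 3 pieces of Metrics 4 and 5 together: the 90-day repeat-offender rule with its 24-hour micro-training deadline, the 40/25/20/15 weighted formula from the text, and the 70/30 triggers. The weights and thresholds are the article's; how each component is turned into a 0-100 risk value (click rate as-is, reporting rate inverted, repeat status and missing training as 100) and the inclusive handling of a click exactly 90 days after the previous one are assumptions made for the example, as is the constructed user data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class UserHistory:
    user: str
    sent: int                 # simulations delivered in the scoring window
    clicks: list              # dates of simulation clicks
    reports: int              # simulations reported via the report button
    training_complete: bool   # assigned training finished


# Weights from the article's Level 2 formula.
WEIGHTS = {"click": 0.40, "report": 0.25, "repeat": 0.20, "training": 0.15}

# Constructed sample population (assumption, not real data).
USERS = [
    UserHistory("u01", 4, [date(2025, 1, 15), date(2025, 4, 15), date(2025, 7, 15)], 0, False),
    UserHistory("u02", 4, [date(2025, 1, 15)], 2, True),
    UserHistory("u03", 4, [], 4, True),
    UserHistory("u04", 4, [date(2025, 1, 15), date(2025, 7, 15)], 2, True),  # 181 days apart
]


def repeat_offender_trigger(click_dates, window_days=90):
    """Return the date of the click that made the user a repeat offender
    (two or more clicks within window_days, inclusive), or None."""
    ordered = sorted(click_dates)
    for earlier, later in zip(ordered, ordered[1:]):
        if (later - earlier).days <= window_days:
            return later
    return None


def risk_components(h):
    """Each component expressed as risk on a 0-100 scale (higher = riskier)."""
    click_rate = 100 * len(h.clicks) / h.sent if h.sent else 0.0
    reporting_rate = 100 * h.reports / h.sent if h.sent else 0.0
    return {
        "click": click_rate,                      # assumption: click rate maps directly
        "report": 100 - reporting_rate,           # assumption: inverted, reporting lowers risk
        "repeat": 100 if repeat_offender_trigger(h.clicks) else 0,
        "training": 0 if h.training_complete else 100,
    }


def risk_score(h):
    """Weighted human risk score on a 100-point scale."""
    comps = risk_components(h)
    return round(sum(WEIGHTS[k] * comps[k] for k in WEIGHTS), 1)


def triage(score, high=70, low=30):
    """Level 3 triggers from the text: >70 more simulations, <30 reduced frequency."""
    if score > high:
        return "increase_simulation_frequency"
    if score < low:
        return "reduce_simulation_frequency"
    return "standard_cadence"


def score_population(histories):
    """Per-user score, triage action, repeat-offender flag and micro-training deadline."""
    out = {}
    for h in histories:
        trigger = repeat_offender_trigger(h.clicks)
        score = risk_score(h)
        out[h.user] = {
            "score": score,
            "action": triage(score),
            "repeat_offender": trigger is not None,
            # Level 3 evidence standard: micro-training assigned within 24 h of the second click.
            "micro_training_due": (trigger + timedelta(days=1)).isoformat() if trigger else None,
        }
    return out


if __name__ == "__main__":
    for user, row in score_population(USERS).items():
        print(user, row)
```

Two details matter for a defensible score. First, a user with no simulations sent should not be scored as zero risk by accident, which is why the rates guard against `sent == 0`; in production you would exclude such users rather than score them. Second, u04 clicked twice but 181 days apart, so the 90-day rule correctly leaves them out of the repeat-offender bucket while the click rate still lifts their score into the standard cadence band.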
Mimecast’s State of Human Risk 2026 report found that despite 93% of cybersecurity leaders believing cross-platform visibility improves human risk management, less than one-third (29%) say they actually have excellent visibility with individualized risk scores per employee [8]. That leaves 71% who cannot tailor their approach because they do not know how each person contributes to risk.
For MSSPs managing multiple clients, human risk scores transform reporting from compliance documentation into a client-facing risk dashboard. Quarter-over-quarter score trends and reductions in high-risk employee counts are metrics that justify retainer costs and demonstrate value without requiring a breach to prove ROI.
How to Score Your Program
Calculate your maturity score in 15 minutes:
- For each metric above, honestly assess which level you meet today.
- Average the five numbers. Round to one decimal.
- Read your result:
| Score | Maturity | What It Means |
|---|---|---|
| 1.0–1.4 | Reactive | Compliance-driven. Activity reported, outcomes unknown. |
| 1.5–2.4 | Emerging | Some trends tracked. Interventions are ad hoc. |
| 2.5–3.4 | Managed | Full metric coverage with automated workflows and quarterly board reporting. |
| 3.5–4.0 | Optimized | Predictive modeling, real-time dashboards, and defensible ROI tied to breach cost avoidance. |
Most organizations scoring below 2.0 have the data they need buried in their phishing simulation platform. They lack the framework to extract meaning from it.
The 90-Day Roadmap to Level 3
Days 1–30: Baseline and Visibility
- Run a baseline phishing simulation across 100% of users. Record PPP by department and role.
- Enable the “Report Phishing” button in your email client. Start counting simulation reporting rates.
- Pull the last 12 months of simulation data. Identify repeat offenders (2+ clicks in 90 days).
- Calculate a static human risk score for every employee using the weighted formula above.
Days 31–60: Automation and Intervention
- Build a monthly trend report for click rate and reporting rate. No snapshots. Only trends.
- Implement automated micro-training: any click triggers a 3-minute module within 24 hours. Second click triggers a reflective exercise plus manager notification.
- Start tracking dwell time manually on your next 20 reported simulations. Target: measure it, then improve it.
Days 61–90: Integration and Reporting
- Move from static to dynamic risk scoring. Automate the weighted formula with weekly recalculation.
- Build a one-page executive summary with five numbers: click rate trend, reporting rate, median dwell time, repeat offender rate, and human risk score trend.
- Present to leadership with financial context. The IBM Cost of a Data Breach Report 2025 found the global average cost reached $4.44 million, with employee security training ranking among the top ten cost-reducing factors [7].
PhishSkill’s industry research found that the 33% of organizations that calculate security awareness training ROI report returns ranging from 3.5x to 6.5x depending on sector and methodology [9]. The two-thirds that cannot calculate ROI lack systematic outcome measurement — they track spending, not avoided cost.
What Symbol Security Provides at Each Level
Moving from Level 1 to Level 4 requires tooling that most organizations do not have time to build. Symbol Security’s platform covers the stack:
AI-Powered Phishing Simulations with adaptive difficulty and industry-specific templates handle Level 2 and 3 template rotation automatically. The platform adjusts lure complexity based on historical performance, preventing the template fatigue that corrupts click-rate trends.
Behavioral Analytics Dashboard provides real-time human risk scoring, trend visualization, and drill-down by department, role, and client — enabling Level 3 and 4 metric tracking without manual spreadsheet maintenance.
Automated Remediation Workflows trigger micro-training within hours of a failed simulation and flag repeat offenders for escalation. This closes the gap between detection and intervention that manual programs leave open for days.
MSSP Multi-Tenant Console delivers white-label reporting, client segregation, and consolidated billing — turning human risk scores into client-facing dashboards that justify retainer value.
API + SIEM Integrations connect phishing simulation data to Splunk, Microsoft Sentinel, and Sumo Logic, enabling Level 4 dwell-time automation and SOAR playbook triggers based on employee-reported threats.
References
[1] NIST, “SP 800-50 Rev. 1 — Building a Cybersecurity and Privacy Learning Program,” 2023. https://csrc.nist.gov/pubs/sp/800/50/r1/final
[2] Infrascale, cited in Guardz, “40 Security Awareness Statistics MSPs Can’t Ignore in 2026.” https://guardz.com/blog/security-awareness-statistics-msps-cant-ignore/
[3] KnowBe4, “2025 Phishing By Industry Benchmarking Report,” 2025. https://www.knowbe4.com/press/knowbe4-report-reveals-security-training-reduces-global-phishing-click-rates-by-86
[4] Hoxhunt, “Security Awareness Metrics That Matter: Predicting Breach Reduction,” November 2025. https://hoxhunt.com/blog/security-awareness-metrics
[5] Beauceron Security, “New Research Shows Why Employees Click On Phishing Emails,” study of 6,293 employees across 257 organizations, December 2023 – August 2025. https://www.beauceronsecurity.com/blog/new-research-shows-why-employees-click-on-phishing-e-mails
[6] Adaptive Security, “Best Practices for Security Awareness Training in 2026,” citing IBM Cost of a Data Breach Report 2025. https://www.adaptivesecurity.com/blog/security-awareness-training-best-practices-2026
[7] IBM Security and Ponemon Institute, “Cost of a Data Breach Report 2025,” July 2025. https://www.ibm.com/reports/data-breach
[8] Mimecast, “The State of Human Risk 2026,” based on survey of 2,500 IT security decision makers across nine countries. https://www.mimecast.com/blog/the-state-of-human-risk-in-2026/
[9] PhishSkill, “Security Awareness Training ROI Benchmarks 2026.” https://www.phishskill.com/blog/security-awareness-training-roi-benchmarks
