Do user awareness campaigns lower IT security risks?

In an era of IT consumerization, user behavior influences both information protection and information loss — as shown by data showing that user error was involved in 62 percent of incidents where information has been compromised.

Although organizations seek to address this risk by investing in awareness campaigns, these same organizations are often challenged to assess the effectiveness of such measures.

Data from the Corporate Executive Board shows that although 61 percent of organizations track user completion of training as the primary measure of success, only 7 percent say there is a demonstrable link between training and sustained behavior improvement.

Rather than focusing on user training completion, the most effective awareness campaigns should be built around an understanding of user behavior, targeting the riskiest users and their reasons for noncompliance as well as tracking metrics to ensure employee compliance with security policies.

A survey by the CEB’s Information Risk Executive Council showed that the primary metrics for measuring the success of user awareness campaign included the percentage of users completing training; year-over-year reduction in specific types of information caused by user error; and user understanding of security as evidenced by surveys.

A self-diagnostic quiz on the effectiveness of user awareness campaigns can be found below.

Organizational maturity test

Success of user awareness programs


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/Shutterstock.com)

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.