Engagement & Awareness
How individuals participate in and retain knowledge from security education and engagement activities.
Indicators
An observed identity opens simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity clicks links in simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity enters credentials on websites linked from simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity opens file attachments to simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity fails to report simulated phishing emails after opening them during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity deletes simulated phishing emails without reporting during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity responds to simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity reports simulated phishing emails during awareness exercises, demonstrating resilience to phishing attacks.
An observed identity forwards simulated phishing emails to the security team during awareness exercises, demonstrating resilience to phishing attacks.
An observed identity provides helpful feedback on simulated phishing emails during awareness exercises, demonstrating resilience to phishing attacks.
An observed identity opens simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity responds to simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity fails to report simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating susceptibility to phishing attacks.
An observed identity reports simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating resilience to phishing attacks.
An observed identity ignores or deletes simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating resilience to phishing attacks.
An observed identity fails to respond to simulated fraudulent MFA prompts during awareness exercises, demonstrating susceptibility to attacks.
An observed identity marks simulated fraudulent MFA prompts as mistaken during awareness exercises, demonstrating susceptibility to attacks.
An observed identity denies simulated fraudulent MFA prompts and reports them during awareness exercises, demonstrating resilience to attacks.
An observed identity responds promptly with the correct action during awareness exercises, demonstrating security resilience and compliance.
An observed identity fails to respond to an emergency notification test during awareness exercises, demonstrating non-compliance with security best practices.
An observed identity responds to an emergency notification test during awareness exercises, demonstrating compliance with security best practices.
An observed identity verifies receipt of emergency communications through proper channels during awareness exercises, demonstrating compliance with security best practices.
An observed identity completes in-person trainings, demonstrating compliance with security best practices.
An observed identity has overdue trainings, demonstrating non-compliance with security best practices.
An observed identity fails to attempt assigned trainings, demonstrating non-compliance with security best practices.
An observed identity fails assigned trainings, demonstrating non-compliance with security best practices.
An observed identity completes assigned trainings late, demonstrating non-compliance with security best practices.
An observed identity skips assigned trainings, demonstrating non-compliance with security best practices.
An observed identity completes assigned trainings, demonstrating compliance with security best practices.
An observed identity completes assigned trainings on time, demonstrating compliance with security best practices.
An observed identity passes assigned trainings, demonstrating compliance with security best practices.
An observed identity attempts assigned trainings, demonstrating compliance with security best practices.
An observed identity re-attempts failed trainings, demonstrating compliance with security best practices.
An observed identity engages with optional trainings, demonstrating compliance with security best practices.
An observed identity skips interactive training modules, demonstrating non-compliance with security best practices.
An observed identity completes collaborative trainings, demonstrating compliance with security best practices.
An observed identity completes collaborative trainings on time, demonstrating compliance with security best practices.
An observed identity fails to complete collaborative trainings, demonstrating non-compliance with security best practices.
An observed identity reports high confidence in security self-assessments.
An observed identity reports low confidence in security self-assessments.
An observed identity reports high confidence in phishing-related self-assessments.
An observed identity reports low confidence in phishing-related self-assessments.
An observed identity reports high confidence in organizational security readiness.
An observed identity reports low confidence in organizational security readiness.
An observed identity completes training consistently over multiple assigned trainings, demonstrating compliance with security best practices.
An observed identity fails phishing-related simulations less frequently over time, demonstrating increasing resilience.
An observed identity reports increased confidence in security self-assessments.
An observed identity fails security simulations less frequently over time, demonstrating increasing resilience.
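The simulated-phishing indicators above (open, click, credential entry, attachment, reply, delete without reporting, report, forward) and the trend indicators (fewer failures over time) can be turned into a per-identity outcome and trend. The following is an added example, not part of the catalogue or any product it describes. The event schema, the action names, the severity ordering, the 24-hour reporting window and the rule that a risky action outranks a later report are all assumptions made for this example; the event records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (assumption): one row per observed action in one campaign.
# Fields: identity, campaign id, action (hypothetical names), ISO 8601 timestamp.
EVENTS = [
    ("alice", "c1", "open",               "2024-01-08T09:00:00"),
    ("alice", "c1", "click",              "2024-01-08T09:01:00"),
    ("alice", "c1", "submit_credentials", "2024-01-08T09:02:00"),
    ("alice", "c2", "open",               "2024-02-05T10:00:00"),
    ("alice", "c2", "click",              "2024-02-05T10:01:00"),
    ("alice", "c2", "report",             "2024-02-05T10:05:00"),  # reported, but after clicking
    ("alice", "c3", "open",               "2024-03-04T11:00:00"),
    ("alice", "c3", "report",             "2024-03-04T11:01:00"),  # opened, then reported quickly
    ("alice", "c4", "report",             "2024-04-01T08:30:00"),  # reported without opening
    ("bob",   "c1", "report",             "2024-01-08T09:10:00"),
    ("bob",   "c2", "open",               "2024-02-05T10:20:00"),
    ("bob",   "c2", "report",             "2024-02-07T10:20:00"),  # reported 48h later (outside window)
    ("bob",   "c3", "delete",             "2024-03-04T12:00:00"),  # deleted without reporting
    ("bob",   "c4", "open_attachment",    "2024-04-01T09:00:00"),
]

# Severity of the worst action in a campaign (assumption: ordering chosen for this example).
SEVERITY = {"submit_credentials": 4, "open_attachment": 4, "reply": 3,
            "click": 2, "open": 1, "delete": 1}
REPORT_ACTIONS = {"report", "forward_to_security"}
REPORT_WINDOW = timedelta(hours=24)  # assumption: a report is timely within 24h of first contact


def classify_campaign(events):
    """Collapse one identity's actions in one campaign into a single outcome.

    events: iterable of (action, datetime). Returns a dict with the worst severity,
    whether a timely report happened, and an outcome of 'susceptible',
    'resilient' or 'no_interaction'.
    """
    events = sorted(events, key=lambda e: e[1])
    worst = max((SEVERITY.get(a, 0) for a, _ in events), default=0)
    first_contact = min((t for a, t in events if a in SEVERITY), default=None)
    report_times = [t for a, t in events if a in REPORT_ACTIONS]
    timely = any(first_contact is None or t - first_contact <= REPORT_WINDOW
                 for t in report_times)
    if worst >= 2:
        outcome = "susceptible"   # clicked, replied, opened an attachment or entered credentials
    elif timely:
        outcome = "resilient"     # reported or forwarded without taking a risky action
    elif worst >= 1:
        outcome = "susceptible"   # opened or deleted, but never reported within the window
    else:
        outcome = "no_interaction"
    return {"worst_severity": worst, "timely_report": timely, "outcome": outcome}


def per_identity_outcomes(records):
    """Group raw records by identity and campaign; return
    {identity: [(campaign, outcome), ...]} ordered by the campaign's first event."""
    grouped = defaultdict(lambda: defaultdict(list))
    for identity, campaign, action, ts in records:
        grouped[identity][campaign].append((action, datetime.fromisoformat(ts)))
    result = {}
    for identity, campaigns in grouped.items():
        ordered = sorted(campaigns.items(), key=lambda kv: min(t for _, t in kv[1]))
        result[identity] = [(c, classify_campaign(ev)["outcome"]) for c, ev in ordered]
    return result


def resilience_trend(outcomes):
    """Compare the susceptible rate of the later half of campaigns with the earlier half.

    Returns 'improving', 'worsening' or 'flat'; 'insufficient_data' below two campaigns.
    """
    if len(outcomes) < 2:
        return "insufficient_data"

    def rate(seq):
        return sum(o == "susceptible" for _, o in seq) / len(seq)

    half = len(outcomes) // 2
    early, late = rate(outcomes[:half]), rate(outcomes[half:])
    if late < early:
        return "improving"
    if late > early:
        return "worsening"
    return "flat"


if __name__ == "__main__":
    for identity, outcomes in per_identity_outcomes(EVENTS).items():
        print(identity, [o for _, o in outcomes], resilience_trend(outcomes))
```

Two design points matter here. A report only counts if it lands within the window measured from the first contact, which is how "fails to report after opening" is distinguished from "reports"; bob's c2 report two days later therefore still scores as susceptible. And a risky action outranks a later report, so alice's c2 (click, then report) is recorded as susceptible even though the report is still worth feeding back to her as the right follow-up behaviour.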
Relevance
This category highlights the effectiveness of awareness programs and helps pinpoint where knowledge gaps remain. It measures user engagement levels and reveals whether training translates into applied vigilance.
Why this matters
Practitioners must care about engagement because awareness programs are only effective if employees internalize and act on them. Measuring participation and retention ensures security education is not just a checkbox exercise but a behavior-shaping initiative.
Consequences of neglect
Failure to address engagement gaps means employees may remain unaware of evolving threats, making the enterprise more susceptible to phishing, social engineering, and compliance failures.