Metrics & Reporting
May 13, 2026 · Last updated on May 19, 2026

Building a Security Culture Baseline

You can't measure progress if you don't know where you started

Ant Davis

You can't show progress without a starting point

Here's a problem a lot of awareness practitioners run into. You've been running your programme for a year, maybe two, maybe longer. Maybe you inherited it and it was already in motion. At some point leadership asks whether it's working. And there's a good chance you don't have a great answer.
Not because nothing has changed. But because you didn't record what things looked like before you started.
That's the baseline problem, and it's one of the most common measurement gaps in this field.

What a baseline actually is

A baseline is just a record of where you started. Before a campaign, before a new tool, before a training push. A snapshot of what the data looked like at a specific point in time, before you changed anything.
Without one, you can't demonstrate progress. You can show a number, but you can't show movement. And movement is what makes the case.
The good news is you don't need a perfect measurement framework before you can start. You just need to capture something consistent, at a point in time, that you can compare against later.

What to include

It doesn't have to be complicated. Three to five indicators, recorded consistently, are probably enough to build something useful.
Start with your reporting rate. What percentage of your workforce is reporting suspicious emails or incidents right now? Even an approximate figure pulled from your phishing platform or your IT helpdesk gives you a starting point.
Then look at simulation susceptibility. If you're running phishing simulations, what's the current click rate across your highest-risk populations? Segment it if you can, because an overall average is much less useful than knowing which groups are most vulnerable.

A note on failure rate

This comes up a lot, so it's worth addressing directly. Many organisations track failure rate as their primary simulation metric, the percentage of people who clicked. I did this myself for quite a while and it sounds logical, but it's one of the least useful numbers you can baseline from.
Failure rate measures who got caught. It doesn't tell you whether the programme is building resilience, whether people are developing better instincts over time, or whether the culture around security is shifting in the right direction. Worse, organisations that lead with failure rate tend to create environments where people are afraid to admit mistakes, which is the opposite of the reporting culture you're trying to build.
If you're going to baseline anything from your simulations, baseline your reporting rate. Who flagged it. Who asked questions. Who showed the kind of alertness that actually protects the organisation when a real attack lands. That's the number worth tracking.
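As an added example (not code from this post or from The Awareness Practitioners), the Python below captures the kind of baseline the two sections above describe: per-segment reporting rate and click rate from one simulation round, the segments ranked by click rate so the highest-risk groups stand out, and the percentage-point movement against a later round so you can show change rather than a single number. The user IDs, segment names and simulation records are constructed sample data; in practice the rows would come from a phishing-platform or helpdesk export.

```python
"""Baseline snapshot and movement for phishing-simulation rounds.

Added example with constructed data; not the post's own tooling.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    user: str
    segment: str    # population the person belongs to, e.g. "finance"
    clicked: bool   # followed the simulated lure
    reported: bool  # flagged it to the security team / helpdesk


# Constructed sample rounds: same ten users, two points in time.
BASELINE_ROUND = [
    SimResult("u1", "finance", True, False),
    SimResult("u2", "finance", False, False),
    SimResult("u3", "finance", True, False),
    SimResult("u4", "finance", False, True),
    SimResult("u5", "engineering", False, False),
    SimResult("u6", "engineering", True, False),
    SimResult("u7", "engineering", False, True),
    SimResult("u8", "engineering", False, True),
    SimResult("u9", "engineering", False, False),
    SimResult("u10", "engineering", True, False),
]

LATER_ROUND = [
    SimResult("u1", "finance", True, True),   # clicked, then reported it
    SimResult("u2", "finance", False, True),
    SimResult("u3", "finance", False, False),
    SimResult("u4", "finance", False, True),
    SimResult("u5", "engineering", False, True),
    SimResult("u6", "engineering", False, False),
    SimResult("u7", "engineering", False, True),
    SimResult("u8", "engineering", False, True),
    SimResult("u9", "engineering", False, False),
    SimResult("u10", "engineering", True, True),
]

METRICS = ("click_rate", "reporting_rate")


def snapshot(results):
    """Per-segment (plus overall "all") population, click rate and reporting rate, in percent."""
    groups = defaultdict(list)
    for r in results:
        groups[r.segment].append(r)
    groups["all"] = list(results)
    out = {}
    for seg, rows in groups.items():
        n = len(rows)
        out[seg] = {
            "population": n,
            "click_rate": round(100 * sum(r.clicked for r in rows) / n, 1),
            "reporting_rate": round(100 * sum(r.reported for r in rows) / n, 1),
        }
    return out


def riskiest_segments(snap):
    """Segment names ordered by click rate, highest first (overall figure excluded)."""
    segs = [s for s in snap if s != "all"]
    return sorted(segs, key=lambda s: snap[s]["click_rate"], reverse=True)


def movement(baseline, later):
    """Percentage-point change per metric for every segment present in both snapshots."""
    return {
        seg: {m: round(later[seg][m] - baseline[seg][m], 1) for m in METRICS}
        for seg in baseline
        if seg in later
    }


if __name__ == "__main__":
    base, now = snapshot(BASELINE_ROUND), snapshot(LATER_ROUND)
    print("baseline:", base)
    print("riskiest segments at baseline:", riskiest_segments(base))
    print("movement (pp):", movement(base, now))
```

The snapshot is deliberately keyed on both rates so the same record can be read either way: the click rate is what the post calls failure rate, while the reporting rate is the figure it recommends tracking, and the movement table makes the difference visible (in the sample data, reporting climbs far more than clicking falls). Recording the population size alongside each rate matters for small segments, where a single person changes the percentage by several points.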

