For a high-impact security awareness program to be effective, you need the ability to measure your awareness program. Security awareness metrics are something I have written about in the past. To help centralize your security awareness metrics planning I have created a metrics checklist. This matrix breaks down awareness metrics into two categories, those that measure the deployment of your program and those that measure the impact of your program. By deployment I mean things like who has taken the training or the different types of materials used, metrics important to auditors. By impact I mean measuring behavior change, metrics important to your security team. I break down these metrics, identify who can measure them, how they can be measured and suggestions for how often. You can download the new metrics checklist as part of the SANS Securing The Human Awareness Deployment Package.
Note: I've also updated the deployment package with a new presentation (including notes) and a README-FIRST document that helps organize all the content. As always, please send any feedback and suggestions to me at firstname.lastname@example.org.