Security Awareness Testing Program

The best way to measure the success of a security awareness training program is to test the end users and measure their response.

Measuring the success of a security awareness training program is difficult unless people are tested in real-world situations. Through large-scale social engineering tests, we can test the effectiveness of a training program on end users' ability to identify and respond to a potential threat.


Security Awareness is an extremely important aspect of an information security program. Currently, most hacking attacks focus on the weakest link in security, the user. Through social engineering, individuals who are attempting to steal information or gain access to systems use several different techniques and tricks, such as email phishing. The strongest defense against these techniques and tricks is an educated user base that can identify such attacks and report them through the proper channels.


SecureState has developed Security Awareness Programs for many clients and is highly skilled at conducting targeted phishing assessments to evaluate the effectiveness of the programs. We frequently conduct these assessments for clients and have a very high success rate of compromise as well as eliciting sensitive or confidential information. SecureState consultants are also frequently asked to speak publicly about Social Engineering practices and to help teach employees how to avoid becoming victims.

Approach and Methodology

In order to measure the effectiveness of a Security Awareness Program and track metrics/trending throughout the course of a given year, SecureState performs Social Engineering Testing. Social Engineering is a technique that relies on weaknesses in human nature, rather than weaknesses in hardware, software, or network design. Attacks are successful because they target basic human nature. Humans are susceptible to persuasion and manipulation through various methods.

It is not hacking that results in the most damaging penetrations into an enterprise's security system. It is often the work of an employee within the enterprise that causes the most harm. In most organizations, security measures are focused on attacks from the outside. The insider threat is usually ignored, although it is an important area of concern. SecureState will use Social Engineering to determine the effectiveness of your Security Policy Procedures (SPP) and the awareness training surrounding these policies.

Depending on the type of Social Engineering test being conducted, SecureState will target specific users/groups and collect data on successful attempts to either have users click on phishing links or provide information. SecureState will collaborate with your organization to determine the composition of users prior to the engagement. We can categorize the user population by department, shift, employee level or geographic area. We then randomly select individuals from each group, with the sample proportional across the demographics chosen. Typically, SecureState recommends not excluding specific user groups or departments, such as executives/maintenance.
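
The proportional random selection described above can be sketched as follows. This is an added example, not SecureState's own tooling: the department names, headcounts, user ids, and the function names `allocate` and `stratified_sample` are constructed for illustration, and the largest-remainder rounding is an assumption about how fractional shares are resolved.

```python
import random
from collections import defaultdict

def allocate(group_sizes, sample_size):
    """Split sample_size across groups in proportion to size (largest-remainder method)."""
    total = sum(group_sizes.values())
    if not 0 < sample_size <= total:
        raise ValueError("sample_size must be between 1 and the population size")
    # Integer arithmetic avoids float rounding: the quotient is the floor of the
    # exact share, the remainder ranks which groups get the leftover seats.
    shares = {g: divmod(sample_size * n, total) for g, n in group_sizes.items()}
    quota = {g: q for g, (q, _) in shares.items()}
    leftover = sample_size - sum(quota.values())
    ranked = sorted(shares, key=lambda g: (-shares[g][1], g))
    for g in ranked[:leftover]:
        quota[g] += 1
    return quota

def stratified_sample(users, key, sample_size, seed=None):
    """Randomly pick users from every group, proportional to group size."""
    groups = defaultdict(list)
    for user in users:
        groups[user[key]].append(user)
    quota = allocate({g: len(m) for g, m in groups.items()}, sample_size)
    rng = random.Random(seed)  # a fixed seed makes the selection reproducible
    picked = []
    for g in sorted(groups):
        picked.extend(rng.sample(groups[g], quota[g]))
    return picked

# Constructed sample population (not real data): 100 users in four departments.
HEADCOUNT = {"Finance": 47, "Engineering": 31, "Maintenance": 16, "Executive": 6}
USERS = [{"id": f"{dept[:3].lower()}-{i:03d}", "department": dept}
         for dept, n in HEADCOUNT.items() for i in range(n)]

if __name__ == "__main__":
    print(allocate(HEADCOUNT, 15))
    print([u["id"] for u in stratified_sample(USERS, "department", 15, seed=2024)])
```

With a small sample, strictly proportional allocation can give a very small group no seats at all, so check the quota returned by `allocate` before relying on the sample to cover every group.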

Results will be tracked on SecureState’s secure MyState portal. This will allow the effectiveness of the awareness program to be tracked throughout the year. If results do not improve, changes can be made to the program to increase effectiveness.

SecureState will deliver to your organization a comprehensive report showing screenshots, detailed conversations, names, and links back to the information we found. SecureState will also provide an information linkage diagram (if applicable) showing how your company information is linked together. This will show you visually, from a high level, the source or sources of the information. Lastly, we will provide a detailed professional analysis of the information found as well as a comprehensive risk rating for your organization. This is determined by considering the sensitivity of the information found as well as how your company rates compared to other similarly sized organizations.
