LOGBOOK

HELP

Quiz Entry - updated: 2026.06.04

How do you verify whether an awareness training actually works — and what distinguishes goals from outcomes?

Effective training has goals (why we do it) derived from policies, and measurable outcomes (what participants are enabled to do) — and the KPIs must capture behavior change, not activity.

The structure:

  • Ziele (goals) — why the training exists; usually derived from policies or directives. They determine what the outcome should look like, how content is built, and which methods are used.
  • Ergebnisse (outcomes) — what participants are enabled to do after taking part.

The worked example: goal = reduce the frequency of successful phishing attacks; outcome = end users are able to identify phishing e-mails. Both are measurable, which makes the question "does it work?" answerable.

The KPI warning: "Die Anzahl an simulierten Phishings oder die Teilnahmequote an Trainings sagen noch nichts darüber aus, ob sich das Verhalten auch wirklich zum Besseren ändert." — Activity metrics (mails sent, courses completed) measure effort, not effect. Behavior KPIs: click rates over time, report rates, time-to-report.

Tip: For every KPI ask: "could this number improve while actual behavior stays unchanged?" If yes, it's an activity metric, not a success metric.

From Quiz: ISM / The Human Factor — Security Awareness | Updated: Jun 04, 2026