# Goals

Cybersecurity training should produce evidence, not just activity.

The company should be able to show who received training, what they were trained on, when they completed it, which high-risk teams received extra guidance, which exercises were completed, what gaps were found, and what improvements were made afterward.

The goal is not to create paperwork for its own sake. The goal is to prove that education is happening, measure whether it is working, and improve the program over time.

Training evidence and metrics can also support customer questionnaires, audits, insurance applications, compliance reviews, leadership reporting, and post-incident improvement work.

# Step 1: Define What Training Evidence Must Be Kept

The company should decide what records must be retained for cybersecurity training.

Useful evidence includes:

  • Training plan
  • Training materials
  • Employee attendance records
  • Training completion records
  • Quiz results
  • Acknowledgement forms
  • Role-based training records
  • Executive briefing records
  • Phishing simulation results
  • Tabletop exercise records
  • Drill participation records
  • Employee reporting metrics
  • Training reminder records
  • Incident-driven training updates
  • Updated policies or procedures
  • Leadership review notes

Evidence should be organized so it can be found later.

# Step 2: Track Completion for All Employees

Track whether employees complete required training.

The company should record:

  • Employee name
  • Department
  • Role
  • Required training
  • Training assigned date
  • Training completion date
  • Training status
  • Missed training
  • Follow-up required
  • Evidence location
  • Next due date

Core training completion should be reviewed regularly. Employees who miss training should receive follow-up, especially if they work in high-risk roles.

# Step 3: Track Role-Based Training Separately

Role-based training should not be hidden inside general awareness training records.

The company should track which employees received extra training because of their role.

Examples:

  • Finance received payment fraud training.

  • HR received employee data handling training.

  • Executives received impersonation and incident leadership training.

  • IT Administrators received privileged access and evidence handling training.

  • Developers received secure coding and secrets management training.

  • Managers received access approval and reporting culture training.

This helps prove that training is matched to business risk.

# Step 4: Track Simulations, Drills, and Tabletop Exercises

The company should keep records of practical exercises.

Track:

  • Exercise name
  • Scenario tested
  • Date completed
  • Participants
  • Departments involved
  • Facilitator
  • What worked well
  • What did not work well
  • Confusion points
  • Delayed decisions
  • Missed escalation steps
  • Reporting issues
  • Improvement actions
  • Owner
  • Due date
  • Completion status

Exercises are only useful if the company records what was learned and follows up.

# Step 5: Define Useful Training Metrics

Metrics should help the company improve.

Useful metrics include:

  • Training completion rate
  • Training overdue rate
  • Role-based training completion rate
  • New employee onboarding completion rate
  • Quiz pass rate
  • Phishing simulation reporting rate
  • Phishing simulation click rate
  • Repeat click rate
  • Average time to report suspicious emails
  • Number of employee security reports
  • Number of real issues found through employee reporting
  • Number of tabletop exercises completed
  • Number of drill findings
  • Number of open training-related improvement actions
  • Number of overdue improvement actions
  • Departments with repeated training gaps

Metrics should be used carefully. The goal is to improve behavior and controls, not embarrass individuals.

# Step 6: Measure Reporting Quality, Not Just Mistakes

Do not measure only how many employees clicked a simulation.

A healthier metric is whether employees reported suspicious activity quickly.

For phishing simulations, track:

  • Who reported the message
  • How quickly it was reported
  • Whether the report went to the correct channel
  • Whether the security owner received it
  • Whether the reporting process worked
  • Whether employees understood the lesson afterward

A high reporting rate is a good sign. It means employees are paying attention and know what to do. Read it together with time to report: a report that arrives hours after the message was opened leaves a long window in which a real attack would have succeeded, while an employee who clicks and then reports within minutes has still given the security owner a chance to respond.
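To make the metrics in Steps 5 and 6 concrete, here is an added example (not code from the original page, and not from any tool it lists) that computes them from a constructed evidence register and constructed phishing-simulation events. The record layouts, employee IDs, dates and department names are assumptions for illustration. The counting rules are the point: a late completion still counts as complete but is counted separately; an employee who clicks and then reports counts in both the click rate and the reporting rate; repeat click rate is per employee across campaigns; and time to report uses the median, because a single very slow report otherwise dominates the average.

```python
"""Training and phishing-simulation metrics over constructed sample records.
Added example: record layouts and values are assumptions, not data from the page."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed evidence register rows (a subset of the Step 2 fields).
# "completed" is None while the training is outstanding.
REGISTER = [
    {"employee": "E1", "dept": "Finance", "due": "2024-03-01", "completed": "2024-02-20"},
    {"employee": "E2", "dept": "Finance", "due": "2024-03-01", "completed": None},
    {"employee": "E3", "dept": "IT", "due": "2024-03-01", "completed": "2024-03-05"},
    {"employee": "E4", "dept": "IT", "due": "2024-04-01", "completed": None},
    {"employee": "E5", "dept": "HR", "due": "2024-03-01", "completed": "2024-02-28"},
]

# Constructed phishing-simulation events, one row per recipient per campaign.
# "clicked" and "reported" hold a timestamp, or None if the action never happened.
SIMULATIONS = [
    {"campaign": "Q1", "employee": "E1", "dept": "Finance", "sent": "2024-02-05T09:00",
     "clicked": None, "reported": "2024-02-05T09:12"},
    {"campaign": "Q1", "employee": "E2", "dept": "Finance", "sent": "2024-02-05T09:00",
     "clicked": "2024-02-05T09:03", "reported": None},
    {"campaign": "Q1", "employee": "E3", "dept": "IT", "sent": "2024-02-05T09:00",
     "clicked": "2024-02-05T09:30", "reported": "2024-02-05T09:31"},
    {"campaign": "Q1", "employee": "E4", "dept": "IT", "sent": "2024-02-05T09:00",
     "clicked": None, "reported": None},
    {"campaign": "Q1", "employee": "E5", "dept": "HR", "sent": "2024-02-05T09:00",
     "clicked": None, "reported": "2024-02-06T10:00"},
    {"campaign": "Q2", "employee": "E2", "dept": "Finance", "sent": "2024-05-06T09:00",
     "clicked": "2024-05-06T09:10", "reported": None},
    {"campaign": "Q2", "employee": "E3", "dept": "IT", "sent": "2024-05-06T09:00",
     "clicked": None, "reported": "2024-05-06T09:05"},
]


def training_metrics(register, as_of):
    """Completion and overdue rates as of an ISO date. A late completion still
    counts as complete but is reported separately; overdue means past due with no
    completion; not-yet-due rows are pending, so completed + overdue + pending == total."""
    today = date.fromisoformat(as_of)
    rows = list(register)
    completed = [r for r in rows if r["completed"]]
    overdue = [r for r in rows if not r["completed"] and date.fromisoformat(r["due"]) < today]
    late = [r for r in completed if date.fromisoformat(r["completed"]) > date.fromisoformat(r["due"])]
    return {
        "total": len(rows),
        "completion_rate": len(completed) / len(rows),
        "overdue_rate": len(overdue) / len(rows),
        "completed_late": len(late),
        # Names go to the follow-up owner (Step 2), not into leadership slides (Step 11).
        "overdue_employees": sorted(r["employee"] for r in overdue),
    }


def phishing_metrics(events):
    """Click rate, reporting rate, repeat click rate and median minutes to report.
    Click-then-report counts in both rates: the report is the wanted behaviour.
    Repeat click rate = employees who clicked in more than one campaign, divided
    by distinct recipients. Median is used so one slow report does not skew it."""
    campaigns_clicked = defaultdict(set)
    for e in events:
        if e["clicked"]:
            campaigns_clicked[e["employee"]].add(e["campaign"])
    repeat = sorted(emp for emp, c in campaigns_clicked.items() if len(c) > 1)
    recipients = {e["employee"] for e in events}
    minutes = [
        (datetime.fromisoformat(e["reported"]) - datetime.fromisoformat(e["sent"])).total_seconds() / 60
        for e in events if e["reported"]
    ]
    return {
        "click_rate": sum(1 for e in events if e["clicked"]) / len(events),
        "reporting_rate": sum(1 for e in events if e["reported"]) / len(events),
        "repeat_click_rate": len(repeat) / len(recipients),
        "median_minutes_to_report": median(minutes) if minutes else None,
        "repeat_clickers": repeat,  # coaching list; keep out of wide distribution
    }


def department_trends(events):
    """Per-department click and reporting rates: the team-level view Step 11
    asks for in leadership reporting, with no individual named."""
    by_dept = defaultdict(list)
    for e in events:
        by_dept[e["dept"]].append(e)
    trends = {}
    for dept, rows in sorted(by_dept.items()):
        trends[dept] = {
            "recipients": len(rows),
            "click_rate": sum(1 for r in rows if r["clicked"]) / len(rows),
            "reporting_rate": sum(1 for r in rows if r["reported"]) / len(rows),
        }
    return trends


if __name__ == "__main__":
    print(training_metrics(REGISTER, "2024-03-15"))
    print(phishing_metrics(SIMULATIONS))
    print(department_trends(SIMULATIONS))
```

On the constructed data the median time to report is 21.5 minutes while the mean would be over six hours, because one employee reported the next day; that difference is why the median is the better dashboard figure. The repeat-clicker and overdue-employee lists are returned separately from the rates so that the coaching owner can use them while the department table is what reaches leadership.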

# Step 7: Review Training Results With Leadership

Leadership should review training results at least once per year.

For higher-risk organizations, review quarterly.

Leadership should see:

  • Training completion
  • Missed training
  • High-risk team training coverage
  • Simulation results
  • Reporting trends
  • Tabletop exercise results
  • Repeated problem areas
  • Training-related incident lessons
  • Open improvement actions
  • Budget or support needed

Leadership should not only ask, “Did people complete training?” They should ask, “Is training reducing business risk?”

# Step 8: Identify Repeated Weaknesses

Training metrics should show where the company needs more help.

Repeated weaknesses may include:

  • Employees do not report suspicious emails.
  • Employees approve unexpected MFA prompts.
  • Finance staff rely too heavily on email for payment changes.
  • Managers do not escalate security concerns quickly.
  • New employees are not trained before receiving access.
  • Staff use unapproved file-sharing tools.
  • Employees do not understand public sharing risk.
  • Developers expose secrets in repositories.
  • IT staff miss backup alerts.
  • Vendors are not included in security reminders.

Repeated weaknesses should lead to targeted training, process changes, or technical controls.

# Step 9: Update Training Based on Evidence

Training should change when the evidence shows a gap.

Examples:

  • If phishing reporting is low, simplify the reporting process and repeat phishing reporting practice.

  • If finance fraud scenarios are missed, refresh payment verification training.

  • If employees approve unexpected MFA prompts, run a short MFA safety reminder.

  • If onboarding training is late, add training to the onboarding checklist.

  • If managers do not escalate issues, create a manager-specific escalation guide.

  • If developers expose secrets, update developer training and add secret scanning.

  • If tabletop exercises show leadership confusion, update the incident escalation process.

Evidence should directly shape the next training cycle.

# Step 10: Track Improvement Actions to Closure

Training-related improvements should be tracked like any other security improvement.

For each action, record:

  • Finding
  • Improvement action
  • Owner
  • Due date
  • Priority
  • Evidence required
  • Completion status
  • Verification method
  • Completion date
  • Review date

Do not mark an improvement complete only because a meeting happened. Mark it complete when the training, process, checklist, tool, or control was actually updated and verified.

# Step 11: Protect Training and Reporting Data

Training records and simulation results can contain sensitive employee information.

The company should protect this information.

Limit access to training records, avoid public leaderboards that shame employees, avoid sharing individual simulation failures widely, and store records in approved systems.

Use individual results for coaching where needed. Use team or department trends for leadership reporting.

# Step 12: Maintain a Continuous Improvement Cycle

Training should follow a simple cycle:

  • Plan training.
  • Deliver training.
  • Track completion.
  • Run simulations and exercises.
  • Measure results.
  • Identify gaps.
  • Update training and controls.
  • Report to leadership.
  • Repeat.

This turns cybersecurity education into an ongoing management process instead of a once-a-year checkbox.

# Training Evidence Register Template

Use a simple register with these fields:

  • Employee name
  • Department
  • Role
  • Training type
  • Training title
  • Required or optional
  • Assigned date
  • Completion date
  • Completion status
  • Quiz or acknowledgement result
  • Role-based training required
  • Evidence location
  • Next due date
  • Follow-up owner
  • Notes

# Metrics Dashboard Template

Track these items:

  • Total employees
  • Employees assigned training
  • Employees completed training
  • Employees overdue
  • Core training completion rate
  • Role-based training completion rate
  • New employee onboarding completion rate
  • Executive briefing completed
  • Phishing simulation reporting rate
  • Phishing simulation click rate
  • Average reporting time
  • Number of employee reports
  • Number of real issues reported by employees
  • Tabletop exercises completed
  • Drills completed
  • Open improvement actions
  • Overdue improvement actions
  • Training topics updated after incidents

# Leadership Reporting Summary Template

Use a short leadership summary with these fields:

  • Reporting period
  • Training completed
  • Training overdue
  • High-risk teams trained
  • Simulations completed
  • Tabletop exercises completed
  • Key findings
  • Repeated weaknesses
  • Improvements completed
  • Open actions
  • Overdue actions
  • Budget or support needed
  • Next planned training

# Recommended Tools and Solutions

| Tool or Resource | Type | Best Use |
|---|---|---|
| Baserow | Open-source/commercial | Structured training evidence database and action tracker |
| NocoDB | Open-source/commercial | Database-style training tracker built from spreadsheets or databases |
| Metabase | Open-source/commercial | Dashboards for training metrics, reporting rates, and improvement actions |
| Apache Superset | Open-source | Data visualization and dashboards for larger training datasets |
| Grafana | Open-source/commercial | Dashboards for metrics, trends, and operational reporting |
| Looker Studio | Free Google tool | Simple dashboards from Google Sheets and other data sources |
| Power BI | Affordable commercial option | Dashboards for Microsoft-based organizations |
| Gophish | Open-source | Phishing simulation metrics and reporting practice |
| CanIPhish | Free tier/commercial | Phishing simulations and awareness campaign metrics |
| Zammad | Open-source/commercial | Tracking employee security reports as tickets |
| osTicket | Open-source/commercial | Simple helpdesk tracking for training follow-ups and security reports |
| GLPI | Open-source/commercial | IT service desk, ticketing, assets, and training-related follow-ups |
| Jira Service Management | Commercial/free tier | Tracking security education actions, incidents, and improvement tasks |
| OpenProject | Open-source/commercial | Improvement action tracking and leadership-visible project status |
| Kanboard | Open-source | Lightweight improvement action board |
| BookStack | Open-source | Internal security handbook, training evidence references, and procedure pages |
| Wiki.js | Open-source | Internal knowledge base for training materials and procedures |
| Nextcloud | Open-source/commercial | Controlled storage for training records, evidence, and reports |

# Practical Tool Setups

# Very Small Company

Use Google Forms or Microsoft Forms for training confirmation, Google Sheets or Excel for the evidence register, and a shared folder for training records.

# Microsoft 365-Based SME

Use Microsoft Forms, Excel, SharePoint, Teams, Outlook reporting, and Power BI where available.

# Google Workspace-Based SME

Use Google Forms, Google Sheets, Google Drive, Google Groups, and Looker Studio.

# Open-Source Setup

Use Moodle for training, H5P for quizzes, Baserow or NocoDB for the evidence register, Gophish for phishing simulation metrics, BookStack or Wiki.js for documentation, and Metabase or Apache Superset for dashboards.

# More Mature SME

Use an LMS, phishing simulation tool, service desk, dashboard, improvement tracker, and quarterly leadership review. Connect training evidence to incident findings, reporting metrics, tabletop exercises, and the security improvement roadmap.

# Expected Outputs from This Section

At the end of this section, the company should have:

  • Training evidence requirements defined.
  • Core training completion tracked.
  • Role-based training completion tracked.
  • Simulation and exercise results recorded.
  • Training metrics defined.
  • Reporting metrics reviewed.
  • Training gaps identified.
  • Leadership reporting prepared.
  • Training records protected.
  • Training improvement actions tracked.
  • Training updated after incidents, near misses, and repeated weaknesses.
  • A continuous improvement cycle for cybersecurity education.

# Objective

Training is only useful if the company can prove it happened and improve it when results show gaps.

A company should leave this section able to say:

“We know who was trained, what they learned, what evidence exists, what the metrics show, and how the training program will improve next.”

That is training evidence, metrics, and continuous improvement.