How to measure your security champions programme from baseline to behaviours image

How to measure your security champions programme: from baseline to behaviours

Measuring the success of your cyber security champions programme is a crucial part of the process, in order to track progress, identify areas for improvement, and demonstrate its value to stakeholders. Regular assessments and evaluations can also help identify gaps in training and knowledge sharing, and ensure that your programme remains relevant and effective.

Security baseline

However, before you can measure the effectiveness of your security champions programme, it is important to establish a security baseline to identify the current state of security awareness and behaviours within your organisation. This baseline will serve as a benchmark to measure progress and improvements made by the programme. Gathering this information can be achieved through surveys, assessments, or other forms of data collection. Once the baseline is established, you can set realistic goals and metrics to track the success of your programme and demonstrate its impact on your organisation’s overall security posture. 

You need to find out: 

  1. Your existing security culture. A culture can be defined by what people SAY and DO to demonstrate what’s important to them. Do you have a method for measuring this?
  2. Your existing security competence. This means evaluating your people’s knowledge and competency levels in certain security areas. The resulting information can guide your requirements and areas of focus for your champions programme. You may be able to gather this data from your annual training or security awareness survey.  
  3. Your company culture. Understanding the type of company culture you’re working with will give you clues about how effective a champions programme will be, and what you’ll need to do to get started.

Top tip 

Join the Layer 8 Champions® Hub and take the Layer 8 Champions® self-assessment for free to bring your measurement strategy to life.


Risk mitigating behaviour 

Once you’ve discovered the answers to these questions, you’ll be able to identify the type of security culture that exists within your organisation, the areas of strength across the business, and the areas that your security champions need to work on improving. A key part of this should include identifying risk mitigating behaviours you want your colleagues to adopt. Risk mitigating behaviour is a critical touchpoint where a person interacts with a system or piece of data and their choice in that moment could mean the difference between protecting the business or putting it at risk.  

We recommend running workshops with your champions to identify the priority behaviours that will help you achieve your company security objectives. You want your champions to facilitate conversations around these risk-mitigating behaviours, so you need their buy-in. These behaviours should then permeate all areas of your champions programme to ensure they become ingrained in employees’ mindsets and that they develop the necessary skills to adopt them. It is this behaviour that you need to measure –  after all, the purpose of any security awareness or culture intervention should be to mitigate risk. 

Identify key metrics 

Finally, we get to the measurement bit! The first step in measuring your security champions programme and the behaviour change it fosters, is to identify the key metrics that will be used to evaluate its effectiveness. These metrics should be aligned with the goals and objectives of your programme, and should be specific, measurable, and relevant to your organisation’s security objectives.  

These metrics could include: 

  • Adoption and engagement rates: as well as tracking the number of champions you have, you need to measure their levels of engagement, by monitoring participation rates in programme-related activities.  
  • Results: Track the number of security incidents that are reported by security champions, as well as the speed and effectiveness of the response to these incidents. 
  • Impact on the organisation: assess the number and severity of security incidents before and after the implementation of the programme, as well as the level of employee awareness and understanding of security best practices.  
  • Reaction: collect feedback to identify areas of the programme that are working well, as well as areas that need improvement. This can be done via surveys, workshops or team meetings. 

You can break these metrics down into five domains, as per this graphic, below


The key to the ongoing success and impact of your security programme is the engagement and activity of your champions. To measure this, we recommend introducing a rewards scheme that aligns with your programme’s objectives. This not only recognises and motivates champions but also provides a framework for measuring their activity. There are various approaches to this, depending on your organisation’s culture. For example, leaderboards and competitions may work for some, while others may prefer to focus on rewards and recognition for specific achievements, such as recruitment, behaviour sharing, or levels of activity. It is essential to give everyone the opportunity to be recognised for their contribution towards securing the business.  

Additionally, regularly communicating the success of the programme and the achievements of the champions through internal communication channels, such as newsletters or emails, can help promote engagement and encourage participation from others. The rewards scheme should be regularly reviewed and adjusted to ensure it remains relevant and motivating to champions. 

Maturity framework

The output from measuring your programme can be used to create a report that is regularly shared and discussed with your cyber security team. It can also be presented to the board, providing clear evidence of the progress being made. In addition, the measurements can also help identify where your business stands on the Layer 8 Champions® maturity framework, as illustrated below. The framework outlines five stages of maturity, starting with establishing the programme and progressing towards a fully integrated culture of security. By identifying where your organisation sits on the framework, you can determine the necessary steps to progress to the next level. It also helps in identifying any gaps that may exist in your programme and provides direction for improvements. 

Layer 8 Champions® Maturity Framework

As you can see, there is a lot more to measuring the success of your security champions, than counting the number of champions in your organisation. By carefully considering your objectives, your metrics and your measurement tools you can ensure your programme is effective and remains relevant and aligned with the objectives of your organisation.

For more great advice on establishing, maintaining and measuring your champions programme, join our Layer 8 Champions® Hub.


News & Views

Take a look at some of our other posts