
How to Measure Effectiveness of Your Cybersecurity Awareness Program for Essential Cybersecurity Controls (ECC–2:2024) Control 1-10-2: Surveys, Phish Rates, and Continuous Improvement

Practical, auditable methods to measure and improve your cybersecurity awareness program under ECC–2:2024 Control 1-10-2 using surveys, phishing simulations, and continuous improvement.

April 13, 2026

ECC–2:2024 Control 1-10-2 expects organizations to demonstrate that cybersecurity awareness activities are effective — not just delivered — using measurable signals such as surveys, phishing simulation metrics, and continuous improvement loops that are documented and auditable under the Compliance Framework.

What Control 1-10-2 requires and the objective

At its core, Control 1-10-2 requires evidence that awareness efforts change behavior and reduce risk. For compliance teams this means establishing repeatable measurement methods (surveys, simulated phishing, training completion and knowledge tests), defining baseline risk metrics, and using those measurements to drive improvements. The objective is to show measurable decreases in risky behavior (phish click rates, failure rates on knowledge assessments) and increases in defensive behaviors (phish reporting, secure configuration adherence) with documentation suitable for auditors.

Key metrics to collect and how to interpret them

Focus on a small, actionable set of metrics you can reliably collect and defend: simulated phish click rate, phish-reporting (button) rate, training completion and score distribution, pre/post knowledge assessment delta, time-to-remediate after a simulated click, and repeat-offender counts. Define each metric's denominator once and keep it fixed (for example, click rate and report rate are both computed over everyone who received the lure, not only over those who clicked), and count a recipient once per campaign no matter how many times they clicked; otherwise campaigns cannot be compared. Map each metric to a risk statement (for example: "high click rate on credential-themed lures increases probability of account compromise") and set target ranges. For many small businesses, an initial phish-click baseline of 10–20% is common; a reasonable compliance-driven target is to reduce that to <5% within 6–12 months while increasing reporting rates.
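The following is an added example, not code from the original article or from any vendor tooling, showing how the metrics above are derived from a per-recipient campaign log with fixed denominators. The log rows, campaign names ("base", "rerun"), user IDs and timestamps are constructed sample data; the field names are an assumption about what a simulation export contains.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real campaign results): one row per recipient per campaign.
# Timestamps are ISO-8601 strings, or None when the event never happened.
def _row(campaign, user, dept, clicked=None, reported=None, remediated=None):
    return {"campaign": campaign, "user": user, "dept": dept,
            "clicked_at": clicked, "reported_at": reported, "remediated_at": remediated}

EVENTS = [
    # Baseline finance-themed lure, sent 2025-01-14 (constructed)
    _row("base", "u01", "finance", clicked="2025-01-14T09:02:00", remediated="2025-01-14T11:02:00"),
    _row("base", "u02", "finance", clicked="2025-01-14T09:10:00", remediated="2025-01-14T10:10:00"),
    _row("base", "u03", "it", reported="2025-01-14T09:05:00"),
    _row("base", "u04", "it"),
    _row("base", "u05", "hr", clicked="2025-01-14T09:15:00", reported="2025-01-14T09:20:00",
         remediated="2025-01-14T09:45:00"),
    _row("base", "u06", "hr"),
    _row("base", "u07", "hr"),
    _row("base", "u08", "finance"),
    # Rerun six weeks later after finance micro-training (constructed)
    _row("rerun", "u01", "finance", clicked="2025-03-04T10:00:00", remediated="2025-03-04T10:45:00"),
    _row("rerun", "u02", "finance"),
    _row("rerun", "u03", "it", reported="2025-03-04T10:01:00"),
    _row("rerun", "u04", "it", reported="2025-03-04T10:03:00"),
    _row("rerun", "u05", "hr"),
    _row("rerun", "u06", "hr", clicked="2025-03-04T10:05:00", reported="2025-03-04T10:06:00",
         remediated="2025-03-04T10:20:00"),
    _row("rerun", "u07", "hr", reported="2025-03-04T10:09:00"),
    _row("rerun", "u08", "finance"),
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(events, campaign):
    """Click and report rates over all recipients of one campaign, plus median time-to-remediate."""
    rows = [e for e in events if e["campaign"] == campaign]
    sent = len(rows)
    clicked = sum(1 for e in rows if e["clicked_at"])
    reported = sum(1 for e in rows if e["reported_at"])
    clicked_then_reported = sum(1 for e in rows if e["clicked_at"] and e["reported_at"])
    # Minutes from the (first) click to the recorded remediation, only for rows that have both.
    remediation = [(_ts(e["remediated_at"]) - _ts(e["clicked_at"])).total_seconds() / 60
                   for e in rows if e["clicked_at"] and e["remediated_at"]]
    return {
        "sent": sent,
        "clicked": clicked,
        "reported": reported,
        "click_rate": clicked / sent if sent else 0.0,      # denominator: everyone who received the lure
        "report_rate": reported / sent if sent else 0.0,    # same denominator, so the two are comparable
        "clicked_then_reported": clicked_then_reported,
        "median_remediation_minutes": median(remediation) if remediation else None,
    }


def repeat_offenders(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    per_user = defaultdict(set)
    for e in events:
        if e["clicked_at"]:
            per_user[e["user"]].add(e["campaign"])
    return sorted(u for u, camps in per_user.items() if len(camps) >= min_campaigns)


def campaign_delta(events, before, after):
    """Absolute change in click and report rate between two campaigns (negative click change = improvement)."""
    b, a = campaign_metrics(events, before), campaign_metrics(events, after)
    return {"click_rate_change": a["click_rate"] - b["click_rate"],
            "report_rate_change": a["report_rate"] - b["report_rate"]}


if __name__ == "__main__":
    for name in ("base", "rerun"):
        print(name, campaign_metrics(EVENTS, name))
    print("repeat offenders:", repeat_offenders(EVENTS))
    print("delta:", campaign_delta(EVENTS, "base", "rerun"))
```

Note that a recipient who clicked and then reported is counted in both rates; that is deliberate, because the report is the behaviour you want to see more of even after a click, and splitting it out separately (the "clicked_then_reported" figure) is what lets you show auditors that reporting is rising independently of clicks falling.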

Phishing simulations — practical implementation details

Implement simulations with a controlled vendor or in-house tooling integrated with your email platform. Technical details to consider: make sure simulation emails are actually delivered, either by sending from a domain with valid SPF/DKIM/DMARC, by routing them internally, or by allowlisting the vendor's sending addresses in your mail filter (allowlisting means the campaign measures user behaviour only, not your filtering controls, so record it as a deliberate test condition). Embed a unique, unguessable tracking token per recipient in each landing URL so a click can only be attributed to the person the link was sent to and cannot be edited to implicate someone else; log click events with timestamps, source IPs and user agents; and funnel reports into a ticketing or SIEM/SOAR workflow via webhook. Expect link-scanning mail security products to fetch landing URLs before any human does: exclude those automated fetches (by scanner IP range or user agent, or by discounting hits that arrive seconds after delivery) or your click rate will be inflated. For a small business (20–100 employees) run baseline campaigns across all staff, then segment by role (finance, IT, HR) for targeted follow-ups. Example: a 40-person firm runs a baseline finance-themed phish and gets an 18% click rate; they deliver focused micro-training to finance and rerun a modified campaign after 6 weeks to measure improvement.
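As an added example (not the article's or any vendor's code), this is one way to build per-recipient landing tokens that cannot be forged or swapped, and to record clicks while separating scanner fetches and repeat clicks from the count. The secret, the landing domain `training.example.test`, the scanner IP set and the "bot" user-agent heuristic are assumptions for illustration; in practice the key lives in a secrets store and the scanner list comes from your mail-filter vendor.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a random per-campaign key held in your secrets store. This value is a placeholder.
SECRET = b"replace-with-a-random-per-campaign-key"


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:32]


def make_token(campaign_id: str, user_id: str, key: bytes = SECRET) -> str:
    """Token = base64url('campaign:user') + '.' + truncated HMAC-SHA256 over that payload.
    The HMAC is what stops a recipient from editing the token to attribute a click to a colleague."""
    payload = base64.urlsafe_b64encode(f"{campaign_id}:{user_id}".encode()).decode()
    return f"{payload}.{_mac(payload, key)}"


def verify_token(token: str, key: bytes = SECRET):
    """Return (campaign_id, user_id) for a genuine token, or None for anything malformed or tampered."""
    try:
        payload, mac = token.rsplit(".", 1)
        if not hmac.compare_digest(mac, _mac(payload, key)):   # constant-time compare
            return None
        campaign_id, user_id = base64.urlsafe_b64decode(payload.encode()).decode().split(":", 1)
    except ValueError:            # bad split, bad base64 (binascii.Error) or bad UTF-8 all subclass ValueError
        return None
    return campaign_id, user_id


def landing_url(base: str, campaign_id: str, user_id: str, key: bytes = SECRET) -> str:
    return f"{base}?{urlencode({'t': make_token(campaign_id, user_id, key)})}"


def record_click(clicks, url, ts, ip, user_agent, key=SECRET, scanner_ips=frozenset()):
    """Append one click event to `clicks` and classify it.
    counted   = first human click for that recipient in that campaign (the only kind the metric uses)
    duplicate = the same recipient clicking again (logged, not counted twice)
    scanner   = automated URL fetch by a mail-security product (assumption: known IPs or 'bot' in the UA)
    rejected  = token missing, malformed or forged: never attributed to anyone, but worth alerting on"""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    ident = verify_token(token, key)
    if ident is None:
        entry = {"campaign": None, "user": None, "ts": ts, "ip": ip, "ua": user_agent, "status": "rejected"}
        clicks.append(entry)
        return entry
    campaign_id, user_id = ident
    if ip in scanner_ips or "bot" in user_agent.lower():
        status = "scanner"
    elif any(c["campaign"] == campaign_id and c["user"] == user_id and c["status"] == "counted"
             for c in clicks):
        status = "duplicate"
    else:
        status = "counted"
    entry = {"campaign": campaign_id, "user": user_id, "ts": ts, "ip": ip, "ua": user_agent, "status": status}
    clicks.append(entry)
    return entry


def count_human_clicks(clicks) -> int:
    return sum(1 for c in clicks if c["status"] == "counted")


if __name__ == "__main__":
    log = []
    url = landing_url("https://training.example.test/login", "base", "u01")
    print(record_click(log, url, "2025-01-14T09:00:05", "198.51.100.9", "LinkScannerBot/1.0",
                       scanner_ips=frozenset({"198.51.100.9"}))["status"])   # scanner
    print(record_click(log, url, "2025-01-14T09:02:00", "203.0.113.7", "Mozilla/5.0")["status"])  # counted
    print(count_human_clicks(log))
```

The "rejected" category deserves its own alert: a token that fails verification means someone either mangled the link or is probing the landing page, and in both cases the hit must not be written against a named employee.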

Surveys and knowledge assessments — design and analysis

Use surveys to measure awareness, confidence, and self-reported behaviors. Practical approach: run a short baseline survey (5–8 questions) before training, a post-training survey immediately after, and a follow-up at 90 days. Include objective questions (how to identify a suspicious attachment, steps to report a phish) and Likert-scale confidence items. A fully anonymous survey cannot be paired, so if you want pre/post comparisons per respondent, ask for a self-generated respondent code (for example, letters from a memorable phrase) that stays constant across the three surveys but is never linked to a name. For small N (e.g., 30–50 employees), use paired analysis where possible (pre/post responses from the same respondents) and report absolute changes and effect sizes rather than relying solely on p-values, which have little power at that sample size. Tools: Google Forms/Sheets for lightweight programs, or your LMS where you need completion records tied to user identity; retain response exports as audit evidence in your compliance repository.
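The paired analysis described above, as an added example rather than anything from the original article: responses are keyed by a pseudonymous respondent code, unmatched respondents are reported rather than silently dropped, and the effect size is the paired Cohen's d (mean change divided by the standard deviation of the changes). All respondent codes, Likert scores and answer letters are constructed sample data.

```python
from math import sqrt

# Constructed responses to one Likert item ("I am confident I can recognise a phishing email", 1-5),
# keyed by a self-generated respondent code. r09 answered only the baseline, r10 only the follow-up.
PRE = {"r01": 2, "r02": 3, "r03": 2, "r04": 4, "r05": 3, "r06": 1, "r07": 2, "r08": 3, "r09": 2}
POST = {"r01": 4, "r02": 4, "r03": 3, "r04": 4, "r05": 5, "r06": 3, "r07": 2, "r08": 4, "r10": 5}

# Constructed answers to one objective item (correct answer is "B").
PRE_ITEM = {"r01": "B", "r02": "A", "r03": "B", "r04": "C", "r05": "B", "r06": "A", "r07": "B", "r08": "C"}
POST_ITEM = {"r01": "B", "r02": "B", "r03": "B", "r04": "B", "r05": "B", "r06": "B", "r07": "A", "r08": "B"}


def paired_responses(pre, post):
    """Only respondents present in both waves can be paired; everyone else is reported as unmatched."""
    keys = sorted(set(pre) & set(post))
    return [(pre[k], post[k]) for k in keys]


def paired_summary(pre, post):
    pairs = paired_responses(pre, post)
    n = len(pairs)
    diffs = [after - before for before, after in pairs]
    mean_change = sum(diffs) / n
    # Sample standard deviation of the per-respondent changes (n-1 denominator).
    sd_change = sqrt(sum((d - mean_change) ** 2 for d in diffs) / (n - 1)) if n > 1 else 0.0
    # Paired Cohen's d (d_z): how large the average change is relative to its spread.
    if sd_change:
        cohen_dz = mean_change / sd_change
    else:
        cohen_dz = 0.0 if mean_change == 0 else float("inf")
    return {
        "n": n,
        "unmatched": len(set(pre) ^ set(post)),
        "pre_mean": sum(p for p, _ in pairs) / n,
        "post_mean": sum(q for _, q in pairs) / n,
        "mean_change": mean_change,
        "sd_change": sd_change,
        "cohen_dz": cohen_dz,
        "improved": sum(1 for d in diffs if d > 0),
        "unchanged": sum(1 for d in diffs if d == 0),
        "worsened": sum(1 for d in diffs if d < 0),
    }


def knowledge_delta(pre_item, post_item, correct):
    """Proportion answering an objective item correctly before and after, over paired respondents."""
    keys = sorted(set(pre_item) & set(post_item))
    pre_rate = sum(1 for k in keys if pre_item[k] == correct) / len(keys)
    post_rate = sum(1 for k in keys if post_item[k] == correct) / len(keys)
    return {"n": len(keys), "pre": pre_rate, "post": post_rate, "change": post_rate - pre_rate}


if __name__ == "__main__":
    print(paired_summary(PRE, POST))
    print(knowledge_delta(PRE_ITEM, POST_ITEM, "B"))
```

For an auditor, the useful line is "8 paired respondents, mean confidence rose from 2.5 to 3.6 (d_z about 1.3), 6 improved and none worsened, 2 unmatched", which is honest about sample size in a way a p-value on eight people is not.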

Continuous improvement and integration with incident response

Make measurement part of a feedback loop: log simulation outcomes to your incident tracker, treat every click on a credential-harvesting lure as a possible exposure and route it to a quick remediation path (password reset, forced MFA re-enrollment), thank users who clicked but then reported (their report is exactly the detection you want), and treat repeat offenders as candidates for one-on-one coaching rather than discipline. Technical integrations help here: connect phishing simulation webhooks to your SIEM or a simple automation (e.g., Zapier) to create tickets in your helpdesk and annotate the employee record. Use cohort analysis (by department, tenure, device type) to prioritize controls; for instance, if remote workers have a higher click rate, mandate an additional micro-module for them and measure the impact. Keep each reported cohort large enough that its rate does not single out an individual, and suppress or merge smaller groups.
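An added example (not from the original article or any specific helpdesk product) of the routing and cohort logic above: each recipient's outcome for the latest campaign is turned into a fixed list of actions, a ticket payload is built for a webhook, and cohort click rates are suppressed below a minimum size. The outcome records, the action names and the payload fields are assumptions; map them to whatever your ticketing system expects.

```python
import json
from collections import defaultdict

# Constructed outcomes for the latest campaign (not real data). prior_clicks counts earlier campaigns
# in which the same user clicked, which is what drives the repeat-offender path.
OUTCOMES = [
    {"user": "u01", "dept": "finance", "remote": True,  "clicked": True,  "reported": False, "prior_clicks": 1},
    {"user": "u02", "dept": "finance", "remote": False, "clicked": True,  "reported": True,  "prior_clicks": 0},
    {"user": "u03", "dept": "finance", "remote": False, "clicked": False, "reported": False, "prior_clicks": 0},
    {"user": "u04", "dept": "finance", "remote": True,  "clicked": False, "reported": True,  "prior_clicks": 0},
    {"user": "u05", "dept": "it",      "remote": False, "clicked": False, "reported": False, "prior_clicks": 0},
    {"user": "u06", "dept": "it",      "remote": True,  "clicked": False, "reported": True,  "prior_clicks": 0},
    {"user": "u07", "dept": "it",      "remote": False, "clicked": False, "reported": False, "prior_clicks": 0},
    {"user": "u08", "dept": "hr",      "remote": True,  "clicked": True,  "reported": False, "prior_clicks": 0},
    {"user": "u09", "dept": "hr",      "remote": True,  "clicked": True,  "reported": False, "prior_clicks": 2},
    {"user": "u10", "dept": "hr",      "remote": False, "clicked": False, "reported": False, "prior_clicks": 0},
    {"user": "u11", "dept": "hr",      "remote": False, "clicked": False, "reported": True,  "prior_clicks": 0},
    {"user": "u12", "dept": "hr",      "remote": True,  "clicked": False, "reported": False, "prior_clicks": 0},
]


def actions_for(record) -> list:
    """Deterministic action list. Any click is treated as a possible credential exposure, a report is
    acknowledged whether or not the user also clicked, and a click with prior clicks triggers coaching."""
    actions = []
    if record["clicked"]:
        actions += ["reset_password", "mfa_reenroll"]
    if record["reported"]:
        actions.append("acknowledge_report")
    if record["clicked"] and record["prior_clicks"] >= 1:
        actions.append("coaching")
    return actions


def ticket_payload(record, campaign_id: str) -> dict:
    """Minimal webhook body: enough for the helpdesk to act, no lure content or credentials."""
    actions = actions_for(record)
    return {
        "campaign": campaign_id,
        "user": record["user"],
        "summary": f"Phishing simulation {campaign_id}: {'clicked' if record['clicked'] else 'no click'}"
                   f"{', reported' if record['reported'] else ''}",
        "priority": "high" if record["clicked"] and not record["reported"] else "normal",
        "actions": actions,
    }


def ticket_json(record, campaign_id: str) -> str:
    return json.dumps(ticket_payload(record, campaign_id), sort_keys=True)


def cohort_click_rates(records, attribute: str, min_size: int = 5) -> dict:
    """Click rate per value of `attribute`; cohorts smaller than min_size are reported as None
    so that a rate never identifies one or two individuals."""
    groups = defaultdict(list)
    for r in records:
        groups[r[attribute]].append(r["clicked"])
    return {value: (sum(clicks) / len(clicks) if len(clicks) >= min_size else None)
            for value, clicks in groups.items()}


if __name__ == "__main__":
    for r in OUTCOMES:
        if actions_for(r):
            print(ticket_json(r, "rerun"))
    print("by remote:", cohort_click_rates(OUTCOMES, "remote"))
    print("by dept:", cohort_click_rates(OUTCOMES, "dept"))
```

In the constructed data the remote cohort clicks at 50% against 17% for office workers, which is the kind of gap the text suggests answering with a targeted micro-module, while the finance and IT departments are too small to report individually and come back as suppressed.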

Compliance tips, documentation, and best practices

Document your measurement plan in the Compliance Framework evidence repository: baseline data, campaign design, sample sizes, survey instruments, KPI targets, remediation workflows, and improvement actions. Keep exports of campaign logs, LMS completion reports, and anonymized survey results for audit, and record a cryptographic hash of each export when it is captured so you can later show the evidence has not been altered. Limit or avoid simulated attachments and macros: live payloads trip EDR/AV and mail filters, generate real incident alerts, and rarely add measurement value over a tracked link. Get HR/legal sign-off on privacy and disciplinary policies before the first campaign, and include an opt-out for people with documented accessibility needs. Best practices: schedule campaigns unpredictably, rotate themes, include harmless "report-only" decoys (messages with no link or payload that exist only to measure whether people report) to measure reporting behavior, and tie awareness KPIs to risk acceptance decisions in your risk register.
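As an added example (not the article's or any compliance product's code), this shows the two evidence-handling steps above: a SHA-256 manifest over an evidence folder that a verifier can re-check, and keyed pseudonymization of user IDs before a survey or log export is filed. File names, record fields and the placeholder key are assumptions; the manifest itself should also be stored somewhere the evidence folder's owner cannot rewrite (a ticket, a signed commit, a write-once bucket).

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(evidence_dir: Path, manifest_name: str = "manifest.json") -> dict:
    """Hash every file in the folder (except the manifest) and write name -> sha256."""
    manifest = {p.name: sha256_file(p)
                for p in sorted(evidence_dir.iterdir())
                if p.is_file() and p.name != manifest_name}
    (evidence_dir / manifest_name).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(evidence_dir: Path, manifest_name: str = "manifest.json") -> list:
    """Return the sorted names of files that are missing or whose hash no longer matches (empty = intact)."""
    manifest = json.loads((evidence_dir / manifest_name).read_text())
    problems = []
    for name, digest in manifest.items():
        p = evidence_dir / name
        if not p.is_file() or not hmac.compare_digest(sha256_file(p), digest):
            problems.append(name)
    return sorted(problems)


def pseudonymize_user(user_id: str, key: bytes) -> str:
    """Keyed, one-way pseudonym: stable across exports made with the same key, but not reversible
    and not linkable across exports made with different keys. Keep the key out of the evidence repo."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_records(records, key: bytes) -> list:
    return [{**r, "user": pseudonymize_user(r["user"], key)} for r in records]


def demo_roundtrip():
    """Build a throwaway evidence folder, manifest it, verify, tamper with one file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "campaign-log.csv").write_text("campaign,user,clicked_at\nbase,u01,2025-01-14T09:02:00\n")
        survey = pseudonymize_records([{"user": "u01", "confidence": 4}], b"example-export-key")
        (d / "survey-export.json").write_text(json.dumps(survey))
        write_manifest(d)
        before = verify_manifest(d)
        with (d / "campaign-log.csv").open("a") as f:      # simulate a later edit to the log export
            f.write("base,u02,2025-01-14T09:10:00\n")
        after = verify_manifest(d)
    return before, after


if __name__ == "__main__":
    print(demo_roundtrip())
```

The pseudonym is keyed rather than a plain hash of the user ID on purpose: with a short, guessable ID space an unkeyed hash is trivially reversed by hashing every candidate, so it would not meet the "anonymized survey results" requirement above.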

Risks of not implementing this control effectively

Failing to measure and improve awareness leaves the organization blind to persistent human risk drivers: higher likelihood of credential theft, successful phishing-enabled fraud, delayed detection of compromise, and greater insurance or regulatory exposure. For small businesses this can be catastrophic — a single successful credential phish and lateral movement can lead to major financial loss or data exfiltration. From a compliance standpoint, lack of documented measurement and continuous improvement can lead to failed audits, inability to demonstrate due care, and increased scrutiny from regulators or business partners.

In summary, to meet ECC–2:2024 Control 1-10-2 under the Compliance Framework, build a small, defensible measurement program that combines phishing simulations, surveys, knowledge tests, and remediation workflows; instrument those activities with logs and integrations for evidence; and operate a continuous improvement loop that maps metrics to risk reduction. For small businesses, a pragmatic, documented approach (even using low-cost tools) will satisfy auditors and materially reduce human-related cyber risk.
