All quiet? TOO quiet?

Don’t just hoard your feedback and metrics: use them! Squeeze every last drop of value from them!

It is all too easy to down-play or dismiss comments and especially criticisms about the awareness program. Resist your natural defensive tendencies. Collate and take another, dispassionate look at your awareness metrics and the feedback you have received in recent months concerning information security and/or the awareness and training program. Try to identify common threads or themes that might have escaped your attention previously, or that seem to crop up repeatedly.

This kind of review is best conducted as a team exercise, better still if you persuade some of your most vocal/persistent critics to get actively involved (invite them to your review meetings, give them the floor and listen hard to what they have to say!). SWOT analysis and brainstorming techniques can help tease out genuine concerns and novel ways to tackle them. For example, if your budget is a serious constraint on the awareness program, there may be free/cheap alternatives and more efficient and effective ways of using whatever you have. 

Metrics and verbatim comments from your audience demonstrating demand for and appreciation of your awareness and training activities should make your status reports more positive and budget requests more compelling.

If you aren't getting much in the way of feedback, don’t sit on your laurels.  Perhaps the awareness program is going extremely well but are you really doing enough to encourage feedback, or are people too lazy or too intimidated to respond? Consider commissioning an independent third party to conduct an anonymous survey on your behalf, or at least set aside a few minutes every day to call or visit people to find out what they truly think. Write yourself a basic script if it helps e.g. start by asking questions about current or recent awareness topics and activities/events.