
Board-Level Security Awareness Reporting

Quarterly cyber-committee reports that show training as a risk-reduction lever, not a completion checkbox. SEC-aligned narrative, industry benchmark comparison, and a slide template that drops into the board deck.

Why Boards Now Ask About Workforce Security Every Quarter

The SEC cyber disclosure rules adopted in 2023 made board oversight of cybersecurity a regulated topic. Item 106 of Regulation S-K requires registrants to describe board-level cyber expertise, the management process, and material incidents. The cyber committee or audit committee now asks for a quarterly briefing, and security awareness training is one of the few program metrics directors can actually evaluate.

The reporting most security teams produce falls short of what directors want. Completion percentage, by itself, says nothing about whether the workforce is more or less likely to fall for the next phishing or BEC attack. Directors want a risk-reduction story tied to dollar exposure, with comparison to industry peers and a trend line that shows whether the program is working.

RansomLeak runs quarterly board reporting as a structured artifact: a slide template, a narrative tied to specific risk-reduction metrics, an industry benchmark comparison, and a filing-ready summary that maps to SEC 10-K Item 106 and to the standard cyber-committee charter. The same data flows into the risk register and the cyber-insurance renewal package.

How It Works

1. Pull quarter-over-quarter metrics

Aggregate the four core measures: completion rate, scoring across the catalogue, phishing click rate, and phishing report rate. Each carries a quarter-over-quarter delta, a four-quarter trend line, and a workforce-segment cut (employees, contractors, finance, IT, leadership).

2. Build the risk-reduction narrative

Translate the metrics into a risk story. A 40 percent drop in click rate plus a 3x rise in report rate translates to a measurable reduction in expected ransomware exposure. Tie the percentage to a dollar figure using a defensible incident-cost benchmark like the IBM Cost of a Data Breach report.

3. Compare to industry benchmark

Pull the relevant industry benchmark for click rate and report rate (Verizon DBIR, IBM, Proofpoint, Egress, or sector-specific reports). Show whether the workforce is at, above, or below peer median, and how the trajectory tracks against peers.

4. Drop into the board-ready slide template

Fill in the four-slide template: program overview, quarter results with deltas, benchmark comparison, and forward-looking actions. Each slide is built for a 15- to 20-minute board cyber-committee window, with backup detail in the appendix.

5. File with the risk register and cyber-insurance package

The same quarterly data feeds the enterprise risk register, the cyber-insurance renewal questionnaire, and the SEC 10-K Item 106 narrative. One report rather than three separate exercises.
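As an added illustration of steps 1 to 5 (not RansomLeak's own code, and not how its platform computes anything), this Python sketch takes four constructed quarters of the four core measures, produces the quarter-over-quarter delta and four-quarter change, places click rate and report rate against placeholder peer medians, and frames the click-rate drop as a percentage reduction in expected exposure with a cost range rather than a point dollar claim. The peer medians and incident-cost figures are placeholders for the values you take from the public benchmark you cite.

```python
# Added example (not RansomLeak code). Constructed sample data; peer medians and
# incident-cost figures are placeholders for the public benchmark values you cite.
QUARTERS = {  # oldest quarter first; click/report/completion in %, score 0-100
    "click_rate":  [12.0, 9.5, 8.0, 7.2],
    "report_rate": [15.0, 25.0, 38.0, 45.0],
    "completion":  [82.0, 88.0, 93.0, 96.0],
    "score":       [71.0, 74.0, 78.0, 80.0],
}
LOWER_IS_BETTER = {"click_rate"}                        # every other measure: higher is better
PEER_MEDIAN = {"click_rate": 10.0, "report_rate": 30.0}  # placeholder peer medians

def qoq_delta(series):
    """Latest quarter minus the prior quarter, in the metric's own units."""
    return round(series[-1] - series[-2], 1)

def four_quarter_change(series):
    """Percent change from the oldest to the latest of the four quarters."""
    return round((series[-1] - series[0]) / series[0] * 100, 1)

def benchmark_position(metric, value, median, tolerance=0.10):
    """'leading', 'tracking' or 'lagging' vs the peer median (within 10% = tracking)."""
    if abs(value - median) <= tolerance * median:
        return "tracking"
    better = value < median if metric in LOWER_IS_BETTER else value > median
    return "leading" if better else "lagging"

def exposure_reduction(click_series, cost_low, cost_high):
    """Frame the click-rate drop as a % reduction in expected phishing-driven exposure.
    Assumes expected exposure scales linearly with click rate and returns a range
    (pct, low, high) from the benchmark cost band, never a single dollar-saving figure."""
    pct = (click_series[0] - click_series[-1]) / click_series[0]
    return round(pct * 100, 1), round(pct * cost_low), round(pct * cost_high)

def board_summary(quarters, medians, cost_low, cost_high):
    """One row per measure for the quarter-results slide, plus the exposure framing."""
    rows = {}
    for metric, series in quarters.items():
        rows[metric] = {"latest": series[-1], "qoq_delta": qoq_delta(series),
                        "four_quarter_pct": four_quarter_change(series)}
        if metric in medians:
            rows[metric]["vs_peers"] = benchmark_position(metric, series[-1], medians[metric])
    rows["exposure"] = exposure_reduction(quarters["click_rate"], cost_low, cost_high)
    return rows

if __name__ == "__main__":
    for name, row in board_summary(QUARTERS, PEER_MEDIAN, 1_000_000, 5_000_000).items():
        print(name, row)
```

With the constructed series the click rate falls 40 percent and the report rate triples over four quarters, matching the narrative in step 2; the exposure figure comes out as a 40 percent reduction expressed against a cost band, which is the framing the FAQ recommends.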

What You Get

Board-ready slide deck

A four-slide quarterly template tuned for cyber-committee or audit-committee presentation. Director-friendly language, clean visuals, and an appendix for the security-team detail. Drops straight into the board portal.

Quarter-over-quarter trend line

Four quarters of click rate, report rate, completion rate, and scoring on a single chart. Trend matters more than the absolute number, and directors are wired to read trajectories.

Industry benchmark comparison

Peer-median comparison sourced from public benchmarks. The committee sees whether the workforce is leading, tracking, or lagging the industry, which frames the budget conversation more concretely than internal-only metrics.

SEC 10-K Item 106 alignment

The narrative format aligns with Item 106 of Regulation S-K, including the management process and board-oversight language the filing requires. The annual 10-K cyber-disclosure section pulls from the same source data.

Audit-aligned source of truth

The same data feeds the ISO 27001 audit, the SOC 2 audit, the cyber-insurance renewal, and the board report. One source of truth eliminates the reconciliation work most security teams do four times a year against four different formats.

Frequently Asked Questions

What does the board actually want to see in the quarterly cyber report?

Three things. A trend on workforce risk metrics (click rate, report rate, completion). A peer-median benchmark for context. And a forward-looking section about what the security team will do differently next quarter. Most committees give the cyber update 15 to 20 minutes, so the artifact has to be tight.

How does this support SEC 10-K Item 106 disclosure?

Item 106 of Regulation S-K requires registrants to describe the cybersecurity risk management process, board oversight, and management role. Quarterly board reporting documents the oversight and management process; the annual 10-K narrative pulls from the same source. Auditors and SEC reviewers expect to see continuity between the two.

Can we customize the slide template to our board's style?

Yes. The default template is a four-slide artifact tuned for a 15- to 20-minute committee window, but most companies adapt the format to match their board portal style guide. The data layer is the same; the visual layer is yours.

How do we set the dollar-exposure framing without overstating the risk?

Use defensible third-party benchmarks: the IBM Cost of a Data Breach report, the Verizon DBIR financial impact tables, or sector-specific data (HHS for healthcare, Sophos State of Ransomware for cross-industry). Frame the percentage reduction in click rate as a percentage reduction in expected exposure, never as a precise dollar saving claim.

How does this differ from the data we already give the auditors?

The audit package is completion-focused and control-mapped. The board package is risk-focused and trajectory-mapped. Same source data, different framing. Most security teams produce both from the platform export with minimal extra work.

Does the report support cyber-insurance renewal conversations?

Yes. Cyber-insurance underwriters now ask for security awareness training (SAT) program metrics on the renewal questionnaire, including the phishing click rate trend and workforce coverage. The same quarterly data populates the questionnaire, which historically helps with premium-band negotiation at renewal.

How do we benchmark against peers without sharing internal data?

Use public benchmarks from Verizon DBIR, IBM, Proofpoint State of the Phish, Egress Email Security Risk Report, and sector-specific reports. The peer median and quartile boundaries are public; only your own number stays internal. The board sees where you sit on the distribution without exposing peer-specific data.

See RansomLeak in Action

Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.