Security Awareness and Phishing Behavior Survey
Measures how well employees recognize threats, follow security policy, and actually behave when something looks suspicious — not just what training they sat through. An AI follow-up interview digs into a real recent moment of hesitation or doubt to surface the gaps that policy audits miss.
Sample questions
A preview of what’s in the template. Every question is editable before you launch.
In the last 12 months, which security awareness training have you completed?
- General security awareness course
- Phishing simulation exercise
- Data handling / privacy training
- Remote work security training
- None that I can recall
How confident are you that you could correctly identify a phishing email if one landed in your inbox today?
In the last 30 days, how often have you encountered an email, text, or message that seemed suspicious?
- Never
- Once
- A few times
- Weekly or more often
Thinking about the most recent suspicious message you saw, what did you actually do?
- Reported it through the official channel
- Deleted or ignored it without reporting
- Clicked a link or opened an attachment before realizing
- Forwarded it to a coworker to check
- Wasn't sure what to do, so did nothing
How much do you agree with each statement about security at your organization?
- I know exactly how to report a suspected phishing attempt
- I would feel comfortable reporting a mistake I made without fear of punishment
- Our security policies are written in a way I can actually understand
- My manager visibly follows good security practices
Which of these security topics would be most and least valuable to cover in future training?
- Spotting phishing emails and texts
- Creating and managing strong passwords
- Securing home and remote work networks
- Recognizing phone-based social engineering
- Physical security (badges, tailgating, visitors)
- Handling sensitive customer or company data
- Safe use of cloud storage and file sharing
- Mobile device and app security
Ask the respondent to walk through the last time they felt even briefly unsure about a message, link, or request — what made it feel off, what they actually did in the moment, and whether they told anyone. If they say they'd always report something, probe for a specific counterexample or reason reporting felt awkward, slow, or pointless. If they can't recall any suspicious moment, ask what would make them notice one.
If you suspected your account had been compromised right now, would you know exactly who to contact?
- Yes, I know exactly who
- I have a rough idea
- No, I would have to search for it
How would you rate the format and length of the security training you've received?
Which best describes your department?
- Engineering / IT
- Sales / Marketing
- Finance / Legal
- Operations / HR
- Customer Support
- Other
- Prefer not to say
How long have you been with the organization?
- Less than 6 months
- 6 months to 2 years
- 2 to 5 years
- More than 5 years
- Prefer not to say
That's everything — thank you. Your answers, along with everyone else's, will be used to shape more relevant, less generic security training and to fix any gaps in how easy it is to report concerns.
What’s included
AI follow-ups
Adaptive probes on open-ended answers that pull out detail a static form would miss.
Attention checks
Built-in safeguards against rushed answers and low-quality respondents.
AI-drafted copy
Wording, ordering, and branching written by the AI — tuned to your research goal.
Auto report
Themes, quotes, and a plain-English summary write themselves once responses come in.
How it compares
We reviewed the closest templates from other survey tools. Here’s what they do well — and where this template goes further.
Why this template
- Includes an AI follow-up interview that asks respondents to walk through a real recent moment of hesitation or doubt, surfacing behavioral gaps that policy audits and static forms miss
- Combines standard awareness questions (training completed, confidence identifying phishing, incident response know-how) with a matrix on agreement about security culture and a max-diff prioritization of future training topics
- Asks what respondents actually did the last time they saw a suspicious message, not just what they were trained on, distinguishing stated policy knowledge from real behavior
- Closes with a transparent chat-based explanation of how responses will be used, and produces an auto-generated report for HR/security teams without manual tallying
Jotform
Security Awareness Survey Form TemplateA fielding-ready static form template covering general security awareness questions, easily customizable within Jotform's form builder. It relies on fixed multiple-choice and rating items rather than any adaptive follow-up. Good for quick deployment but not built to probe individual incidents in depth.
What it does well
- Ready-to-use, fully customizable form builder
- Simple to deploy and embed across channels
- Part of a broad, well-known survey/form ecosystem
Where it falls short
- No adaptive AI follow-up to dig into a specific hesitation or incident
- No automated per-response quality scoring
- No documented methodology or transparent prompt logic
SurveyMonkey
Security Awareness Survey TemplateA standard fielding-ready template of fixed questions on security training and awareness, benefiting from SurveyMonkey's mature survey infrastructure and analytics dashboard. It captures self-reported knowledge and attitudes but not real-time behavioral detail. There is no mechanism to explore a specific recent suspicious-message experience beyond a checkbox answer.
What it does well
- Established survey platform with strong analytics and benchmarking tools
- Easy to launch, distribute, and track responses
- Familiar respondent experience
Where it falls short
- No adaptive AI interview to explore a specific moment of doubt
- No voice-based interview option
- No transparent, per-question methodology disclosure
SurveySparrow
Information Security Risk Assessment QuestionnaireThis is framed more broadly as an organizational risk-assessment questionnaire rather than an employee-behavior/phishing-specific survey, so it's a partial match. It's a fielding-ready static template with SurveySparrow's conversational UI, but questions are fixed rather than adaptive. Best suited to compliance-style risk scoring rather than uncovering individual behavioral gaps.
What it does well
- Conversational, chat-like survey UI improves completion rates
- Positioned for broader risk-assessment/compliance use cases
- Supports standard question branching logic
Where it falls short
- No AI-driven follow-up interview to probe a specific recent incident
- No automated quality scoring of open-ended responses
- Static questionnaire structure, not adaptive to individual answers
Ready to launch?
Open this template in the editor. Every part is yours to change before the first respondent sees it.