Almost as if reading my mind from the PVC Security Podcast and my review of @InfoSystir post about Security Awareness Education Programs, SANS' "Securing The Human" came out with a post titled "Developer Awareness Training", which also highlights metrics.
Now let's talk about the metrics we can collect to help improve our program.
That simple sentence should be mandatory in any security program.