End user safety consciousness metering

In addition to the usual electronic phishing tests in email, how can other important performance protection metrics be used to measure end user safety awareness in an organization?

       Looking at the SANS critical security control #9:

9.4 Verify the awareness through periodic testing and see if an employee clicks on a link to suspicious email or provides sensitive information on the phone without verifying the appropriate procedures to verify the caller. Painting education should be provided for the victims of exercise.

I am trying to come up with an indication that I am out of emailing phishing or providing sensitive information about my phone. For example, how do I know that people are aware of the dangers of using infected USB devices in their organizations? Disabling USB prevents security holes, but users are not aware of this issue. Users often see this as an annoying test to stop them from working. USB is just one example. How do I know that users are aware of the danger of sharing user names? And other similar error methods. This is a part of the answer to this topic through surveys, is there any other sign?

________________________________________________