You are an IT risk manager at HDA Inc. You've been tasked with evaluating the effectiveness of information security awareness training mandated by management to mitigate the risk linked with credential compromise. What method would be the most effective for assessing the training's effectiveness?