Useful and legitimate metrics have long evaded the information security community as a whole. Without proper metrics, you cannot truly prove the value of a security program. This makes it difficult to justify increasing the budget and even maintaining the budget that you have.
Security awareness is especially vulnerable to criticism of its value. We take for granted all of the times we do not click on a phishing email or exercise good judgment. It is also hard to know all of the incidents that were prevented, because there was no vulnerability to be exploited.
Even with the best awareness program in place, as with all security countermeasures, there will be failures, and it will be easy to point to the cost of those failures. It is therefore essentially impossible to prove all of the losses your security awareness program prevented and the money that you saved, while the failures make themselves apparent. For that reason, it is important to determine how to measure improvements in security awareness and the savings generated by those improvements.