BEHAVE Newsletter

Security metrics reboot: Less input, better output, real outcomes

 

Unfortunately, most security awareness professionals don’t really understand the difference between:

✅ Inputs
✅ Outputs
✅ Outcomes

But they don’t want to admit it.

If this is you, there is no shame in it. It’s not your fault; maybe it has never been explained to you. Importantly, it’s easy to fix.

Explaining the difference between inputs, outputs and outcomes

 

The quick and simple way to explain it:

Inputs = What you do (e.g., deliver security training, send a behaviour nudge, run phishing simulations).
Outputs = What happens immediately (e.g., % of employees who complete the training, # of employees who open the notification, % who click the simulated phishing email).
Outcomes = What actually changes (e.g., fewer employees fall for real phishing, a specific behaviour changes by a measured percentage, fewer security incidents).

 

Think of it like fitness:

🏋️ Input: You go to the gym.
📊 Output: You track how many workouts you did.
💪 Outcome: You get stronger and healthier.

 

In cybersecurity, we need to measure outcomes - not just how busy we are, but what actually reduces risk, increases efficiency, and improves security culture.

 

What Human Risk Management (HRM) outcomes should you measure?

Every org is different, so no one can be prescriptive here. But if you’re not sure where to start, consider these:

 

1. Fewer security incidents caused by human error

What it means: A drop in security incidents where a human mistake is the root cause.

How might you measure it:
- Track successful real (not simulated) phishing attacks over time - fewer employees falling for scams = progress.
- Compare account takeovers before and after MFA enforcement - a reduction shows the control is working; to credit behaviour rather than the control, also look at how many people adopted MFA before it was mandatory.
- Log data handling incidents - fewer misdirected emails or exposed data = better risk awareness.

🔹 Example: If your company had 20 successful phishing attacks last year but only 5 this year, that’s a tangible risk reduction - provided headcount and the volume of phishing reaching inboxes didn’t also drop.

2. Stronger security culture

What it means: Employees take security seriously and hold positive values, attitudes and beliefs about it.

How might you measure it:
- Track security engagement surveys or culture assessments - do employees feel responsible for security?
- Measure participation in security programs - are people contributing to security initiatives and reporting suspicious activity voluntarily?

🔹 Example: If suspicious-activity reports rise from 200 to 800 per quarter, that’s a sign employees are more engaged and proactive - check that the share of reports triaged as genuinely malicious holds up, so you are measuring vigilance rather than noise.

3. Higher compliance with security policies

What it means: Employees actually follow security policies instead of bypassing them.

How might you measure it:
- Track MFA adoption rates - how many employees enable MFA without being forced?
- Monitor password hygiene metrics - are people actually using strong, unique passwords? (A password manager’s reuse report or a breached-credential check gives you this without anyone seeing the passwords themselves.)
- Check secure data handling compliance - fewer unauthorized file shares or misdirected emails = success.

🔹 Example: If 80% of employees reused passwords last year but only 20% do now, that’s real security improvement.

4. Reduction in phishing-related financial losses

What it means: Phishing attacks have less financial impact on the business.

How might you measure it:
- Count BEC (Business Email Compromise) fraud cases - fewer colleagues tricked into wiring money = better controls.
- Track fraud-related financial losses - compare year-over-year phishing-related costs.
- Measure incident response costs - fewer successful attacks mean lower remediation expenses.

🔹 Example: If phishing-related fraud dropped from $500,000 last year to $50,000 this year, that’s a direct impact on the bottom line.

5. Greater employee confidence in identifying threats

What it means: Employees feel capable of spotting and avoiding cyber threats.

How might you measure it:
- Use pre- and post-training surveys - ask employees how confident they feel about spotting phishing or social engineering.
- Compare reporting behaviour trends - do employees report threats more often?

🔹 Example: If only 40% of employees felt confident creating strong passwords before a behaviour intervention but 85% do afterwards, that’s a clear win. Self-reported confidence can outrun actual skill, so pair it with an observed measure such as reporting rates.

6. Fewer security-related IT helpdesk tickets

What it means: Employees make fewer security mistakes that require IT intervention.

How might you measure it:
- Track password reset requests - fewer resets = employees are managing passwords better (assuming no SSO or password-manager rollout happened over the same period).
- Count email security recovery cases - are fewer employees getting locked out due to email security incidents?
- Monitor malware cleanups - better security knowledge should lead to fewer infections.

🔹 Example: If password reset tickets drop by 60%, your password behaviour intervention might be working.

7. More employees taking proactive security actions

What it means: Employees don’t just follow security rules - they take the initiative.

How might you measure it:
- Count self-reported security improvements - how many employees enable security settings voluntarily?
- Track voluntary security actions - such as independent password updates or threat reporting.

🔹 Example: If only 5% of employees enabled MFA proactively last year but 60% do this year, that’s a real behavioural shift.

8. Less downtime from security incidents

What it means: Employees recover from security issues faster, with minimal business disruption.

How might you measure it:
- Track the average time to report and recover per phishing incident - the sooner an employee reports a click, the smaller the attacker’s window and the sooner containment starts.
- Measure incident resolution time - faster responses = stronger security.

🔹 Example: If average recovery time from phishing drops from 6 hours to 1 hour, that’s a huge efficiency gain.

9. Faster, frictionless security processes

What it means: Security doesn’t slow employees down.

How might you measure it:
- Track login success rates - are employees struggling less with MFA or password resets?
- Measure employee feedback on security tools - are people frustrated, or is security working smoothly?

🔹 Example: If MFA login failures decrease by 50%, security is becoming more user-friendly.

10. Lower training and compliance costs

What it means: Security training becomes more effective and less expensive.

How might you measure it:
- Compare training time per employee - less time with better engagement = success.
- Track cost per completed training session - if automation reduces costs, that’s a win.

🔹 Example: If automated, personalized training cuts costs by 40% while improving engagement, that’s an efficiency boost.

11. Decreased need for manual security interventions

What it means: Security teams rely more on automation, reducing manual workload.

How might you measure it:
- Count manually handled user behaviour interventions - if automation takes over, these should drop.
- Track no-code workflow adoption - are security teams using automation for repetitive security awareness / human risk management tasks?

🔹 Example: If a security team previously spent 20 hours a week manually following up on non-compliance, but automation reduces this to 2 hours, that’s a massive efficiency gain.

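To make the outcome metrics above concrete, here is an added Python example; it is not CybSafe’s code or tooling, and every record, quarter, headcount and field name in it is a constructed assumption for illustration. It computes three of the metrics from an incident log: human-caused incidents per 1,000 employees (metric 1), the volume and triage quality of employee reports (metric 2), and how quickly employees report a phishing click (metric 8). What it adds beyond the text is the check a practitioner wants before claiming an outcome: counts are normalised by headcount, and a rise in reports is paired with the share that were genuinely malicious, so a growing or noisier workforce is not mistaken for a behaviour change.

```python
"""Outcome metrics from a human-risk incident log (added illustration, not CybSafe code)."""
from collections import defaultdict
from statistics import median

# Constructed sample data: hypothetical records for two quarters.
# Each INCIDENTS entry is one real (not simulated) incident with a human cause;
# time_to_report_min is minutes from the click/mistake to the employee's own
# report, or None if the employee never reported it and it surfaced another way.
INCIDENTS = [
    {"quarter": "2024Q1", "cause": "phishing", "time_to_report_min": 240},
    {"quarter": "2024Q1", "cause": "phishing", "time_to_report_min": None},
    {"quarter": "2024Q1", "cause": "phishing", "time_to_report_min": 90},
    {"quarter": "2024Q1", "cause": "misdirected_email", "time_to_report_min": 30},
    {"quarter": "2024Q2", "cause": "phishing", "time_to_report_min": 20},
    {"quarter": "2024Q2", "cause": "misdirected_email", "time_to_report_min": 15},
]
# Employee-submitted suspicious-email reports with the triage verdict (constructed).
REPORTS = [
    {"quarter": "2024Q1", "verdict": "malicious"},
    {"quarter": "2024Q1", "verdict": "benign"},
    {"quarter": "2024Q1", "verdict": "benign"},
    {"quarter": "2024Q2", "verdict": "malicious"},
    {"quarter": "2024Q2", "verdict": "malicious"},
    {"quarter": "2024Q2", "verdict": "benign"},
    {"quarter": "2024Q2", "verdict": "malicious"},
    {"quarter": "2024Q2", "verdict": "benign"},
]
# Headcount per quarter (assumed). The workforce doubles in Q2, which is
# exactly the situation in which raw counts mislead.
HEADCOUNT = {"2024Q1": 1000, "2024Q2": 2000}


def per_thousand(counts, headcount):
    """Normalise per-quarter counts to a rate per 1,000 employees."""
    return {q: round(1000 * counts.get(q, 0) / n, 2) for q, n in headcount.items()}


def incident_rate(incidents, headcount, cause=None):
    """Metric 1: human-caused incidents per 1,000 employees, optionally for one cause."""
    counts = defaultdict(int)
    for inc in incidents:
        if cause is None or inc["cause"] == cause:
            counts[inc["quarter"]] += 1
    return per_thousand(counts, headcount)


def reporting_quality(reports, headcount):
    """Metric 2: report volume per 1,000 employees and the share triaged as malicious.

    Volume alone rewards people who forward every newsletter; the malicious
    share shows whether the extra reports reflect better judgement.
    """
    total, malicious = defaultdict(int), defaultdict(int)
    for rep in reports:
        total[rep["quarter"]] += 1
        if rep["verdict"] == "malicious":
            malicious[rep["quarter"]] += 1
    rate = per_thousand(total, headcount)
    return {
        q: {
            "reports_per_1000": rate[q],
            "malicious_share": round(malicious[q] / total[q], 2) if total[q] else None,
        }
        for q in headcount
    }


def time_to_report(incidents, cause="phishing"):
    """Metric 8: median minutes until the employee involved reported the incident,
    plus how many incidents of that cause were never self-reported."""
    reported, unreported = defaultdict(list), defaultdict(int)
    for inc in incidents:
        if inc["cause"] != cause:
            continue
        minutes = inc["time_to_report_min"]
        if minutes is None:
            unreported[inc["quarter"]] += 1
        else:
            reported[inc["quarter"]].append(minutes)
    return {
        q: {"median_min": median(mins), "unreported": unreported[q]}
        for q, mins in reported.items()
    }


def percent_change(before, after):
    """Relative change between two periods; negative is good for incident rates."""
    if before == 0:
        return None
    return round(100 * (after - before) / before, 1)


if __name__ == "__main__":
    phishing = incident_rate(INCIDENTS, HEADCOUNT, cause="phishing")
    print("phishing incidents per 1,000 employees:", phishing)
    print("Q1->Q2 change:", percent_change(phishing["2024Q1"], phishing["2024Q2"]), "%")
    print("employee reporting:", reporting_quality(REPORTS, HEADCOUNT))
    print("time to report phishing:", time_to_report(INCIDENTS))
```

On the constructed data, raw report volume goes up from 3 to 5, but per 1,000 employees it actually falls (3.0 to 2.5) while the malicious share rises (0.33 to 0.6): the outcome story is better judgement, not more reporting. The same normalisation turns 3 phishing incidents versus 1 into a rate drop of about 83%, which is the number to put in front of peers rather than the raw count.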
Why does this matter?

This isn’t an exhaustive list. There’s plenty more where that came from. Check out this comprehensive list of ways human risk professionals demonstrate business value - all based on outcomes!

Security awareness professionals often struggle with credibility among security peers. Why? In large part because they track inputs and outputs instead of outcomes.

This is one of the fundamental differences between Human Risk Management (HRM) and traditional security awareness. HRM isn’t just about a different set of inputs - it’s about driving a set of behavioural outcomes that demonstrably manage risk.

But it’s also about capacity creation, efficiency and cost savings. Because as security teams we’re not just here to stop attacks. We’re here to make security work better for the whole organization. And security that doesn’t work for people simply doesn’t work.

If you can clearly talk about outcomes (or impact), then you can talk in terms that more clearly convey the value of what you do. If you can’t... well, maybe there’s a bit more work to do before you can truly consider yourself to be adding business-level value.

Either way, we’re here to help. Let’s talk.

Thanks for reading!

Was this email forwarded to you? Sign up here.

Oz Alashe MBE
CEO and Founder,
CybSafe


CybSafe, Level 39, One Canada Square, Canary Wharf, London, United Kingdom, E14 5AB

                          contact@cybsafe.com

                          +44 20 3909 6913
