Unfortunately, most security awareness professionals don’t really understand the difference between:
✅ Inputs
✅ Outputs
✅ Outcomes
But they don’t want to admit it.
And honestly? We get it. It’s like pretending to know the plot of Inception when deep down, you’re just as confused as everyone else. No shame. Maybe it’s never been explained to you properly. Importantly, it’s super easy to fix.
Explaining the difference between inputs, outputs, and outcomes
Here’s the quick and simple way to break it down:
- Inputs = What you do (e.g., send security training, send a behavior nudge, run phishing simulations).
- Outputs = What happens immediately (e.g., % of employees who complete training, # of employees who open the notification, % who click a phishing email).
- Outcomes = What actually changes (e.g., fewer employees fall for phishing, XYZ specific behavior changes, reduced security incidents).
Think of it like fitness:
🏋️ Input: You go to the gym (or at least, you intend to).
📊 Output: You track how many workouts you did (or just wear a Fitbit and let it guilt-trip you).
💪 Outcome: You get stronger and healthier (or just justify an extra cheeseburger).
In cybersecurity, we need to measure outcomes – not just how busy we are, but what actually reduces risk, increases efficiency, and improves security culture. Because let’s be real, no one cares how many phishing simulations you send if attackers are still waltzing in like they own the place.
What HRM outcomes should you measure?
Every org is different and no one can be prescriptive here. But if you’re not sure where to start, consider these:
1. Fewer security incidents tied to human error
- What it means: A drop in security incidents where human mistakes were the root cause.
🔹 Example: If your company had 20 successful phishing attacks last year but only 5 this year, that’s a tangible risk reduction. Fewer “Oops, I clicked the wrong link” moments = progress.
2. Stronger security culture
- What it means: Employees take security seriously and have positive values, attitudes, and beliefs about security.
🔹 Example: If suspicious incident reports increase from 200 to 800 per quarter, that’s a sign employees are more engaged and proactive. Basically, they’ve leveled up from “not quite sure how to respond” to “cybersecurity sidekick.”
3. Higher compliance with security policies
- What it means: Employees actually follow security policies instead of bypassing them like Terms & Conditions pop-ups.
🔹 Example: If 80% of employees reused passwords last year, but now only 20% do, that’s real security improvement. And if you finally convinced people to stop using “Password123,” take a victory lap.
4. Reduction in phishing-related financial losses
- What it means: Phishing attacks have less financial impact on the business.
🔹 Example: If phishing-related fraud dropped from $500,000 last year to $50,000 this year, that’s like finally canceling all your forgotten streaming subscriptions – huge savings.
5. Greater employee confidence in identifying threats
- What it means: Employees feel capable of spotting and avoiding cyber threats.
🔹 Example: If before behavior interventions, only 40% of employees felt confident creating strong passwords, but after security interventions, 85% do, that’s a clear win. Next step: convincing them to stop using their work email address on NSFW websites.
6. Fewer security-related IT helpdesk tickets
- What it means: Employees make fewer security mistakes that require IT intervention.
🔹 Example: If password reset tickets drop by 60%, your password behavior intervention might be working. And your IT team might actually get to drink a coffee while it’s still hot.
7. More employees taking proactive security actions
- What it means: Employees don’t just follow security rules – they take initiative.
🔹 Example: If last year only 5% of employees enabled MFA proactively, but this year 60% do, that’s a real behavioral shift. It’s like seeing people voluntarily put shopping carts back at the supermarket – it restores faith in humanity.
8. Less downtime from security incidents
- What it means: Employees recover from security issues faster, with minimal business disruption.
🔹 Example: If average recovery time from phishing drops from 6 hours to 1 hour, that’s a massive efficiency gain.
9. Faster, frictionless security processes
- What it means: Security doesn’t slow employees down.
🔹 Example: If MFA login failures decrease by 50%, security is becoming more user-friendly. No more “I hate this MFA thing” rants in Slack = progress.
10. Lower training and compliance costs
- What it means: Security training becomes more effective and less expensive.
🔹 Example: If automated, personalized training cuts costs by 40% while improving engagement, that’s an efficiency boost.
11. Decreased need for manual security interventions
- What it means: Security teams rely more on automation, reducing manual workload.
🔹 Example: If a security team previously spent 20 hours a week manually following up on non-compliance, but automation reduces this to 2 hours, that’s a massive efficiency gain. Basically, the difference between hand-washing dishes and owning a dishwasher.
Why does this matter?
This isn’t an exhaustive list. There’s plenty more where that came from. Check out this comprehensive list of ways human risk professionals demonstrate insane business value – all based on outcomes!
Security awareness professionals often struggle with credibility among security peers. Why? Because they track inputs and outputs instead of outcomes.
This is one of the fundamental differences between Human Risk Management (HRM) and traditional security awareness. HRM isn’t just about a different set of inputs – it’s about driving a set of behavioral outcomes that demonstrably manage risk.
But it’s also about capacity creation, efficiency, and cost savings. Because as security teams, we’re not just here to stop attacks – we’re here to make security work better for the whole organization. And security that doesn’t work for people, simply doesn’t work.
If you can talk about outcomes, you can clearly convey the value of what you do. If you can’t… well, maybe there’s a bit more work for you to do before you can truly consider yourself genuinely adding business-level value.
Either way, we’re here to help. Let’s talk.
Find this interesting? I cover more tips like this in our bi-weekly newsletter so sign up here.
