Outcome-Driven Metrics for Security Awareness Training

95% of data breaches are caused by human error. Learn how outcome-driven metrics (ODMs) transform your security awareness training by linking human behavior to real risk reduction and business outcomes.

95% of cybersecurity breaches stem from human error (Mimecast 2025 State of Human Risk Report). Yet many organizations still rely on traditional metrics that overlook this critical factor.

Metrics such as the number of firewalls deployed or the frequency of antivirus updates often fail to connect security efforts to actual risk reduction or business outcomes. This disconnect leaves organizations vulnerable to attacks that exploit human weaknesses.

Outcome-Driven Metrics (ODMs) offer a game-changing approach by tying security performance directly to risk reduction and business value.

By focusing on the effectiveness of security controls, ODMs provide actionable insights that help organizations strengthen their defenses where it matters most. In this blog post, we'll explore how Keepnet leverages ODMs to enhance key metrics related to phishing and security awareness training, empowering organizations to build a more resilient security posture.

What are Outcome-Driven Metrics?

Outcome Driven Metrics are performance indicators that measure the results or achievements of a process, rather than focusing on the activities or inputs involved. These metrics evaluate the effectiveness of a strategy or initiative by tracking tangible outcomes, such as increased revenue, improved customer satisfaction, or reduced risks.

Unlike activity-based metrics, ODMs emphasize real-world impact, providing organizations with a clear, actionable view of whether their goals are being met.

They are widely used across fields like business, marketing, project management, and cybersecurity to support data-driven decisions and ensure alignment with strategic objectives.

Unlike traditional cybersecurity metrics, ODMs focus on tangible outcomes that reflect how well security measures protect an organization. Examples include reduced breach incidents, lower phishing click-through rates, or faster response times to threats. This outcome-based approach provides a clearer, more meaningful assessment of an organization’s security posture.

Why Outcome-Driven Metrics Matter

ODMs empower organizations to assess their protection levels, justify cybersecurity investments, and align security strategies with business goals, offering a stark contrast to traditional metrics that can overwhelm with technical detail.

For instance, knowing you have 50 firewalls deployed is less insightful than understanding how many unauthorized access attempts those firewalls prevented. The Mimecast 2025 State of Human Risk Report, cited in Infosecurity Magazine, reveals that 95% of data breaches in 2024 were linked to human error—such as insider threats or phishing missteps.

This statistic highlights the limitations of technical-only metrics and the need for ODMs that address human-related risks, like the percentage of employees completing security training or the rate of reported suspicious emails.

Beyond assessment, ODMs help justify investments by connecting security efforts to business outcomes. The IBM 2024 Cost of a Data Breach Report found that breaches involving human error cost organizations an average of $13.9 million.

By tracking ODMs, such as the average time to detect and contain a breach, organizations can demonstrate how investments in training or tools reduce financial risk.

Additionally, ODMs align cybersecurity with business priorities—focusing on outcomes like operational resilience or customer trust—rather than drowning stakeholders in technical minutiae, as traditional metrics often do.

The Verizon 2024 Data Breach Investigations Report (DBIR) further supports this shift: 68% of global breaches involved non-malicious human actions, such as errors or falling for social engineering. ODMs, such as phishing click-through rates or incident reporting rates, directly tackle these vulnerabilities, making them indispensable for modern cybersecurity.

How to Use Outcome-Driven Metrics

An operational framework can be managed using Outcome-Driven Metrics. This empowers CISOs and cybersecurity leaders to make data-driven decisions by assessing the effectiveness of security measures against real-world risks.

Unlike traditional approaches that rely on input-based metrics, the outcome-driven approach emphasizes measurable outcomes, providing organizations with actionable insights to strengthen their cybersecurity posture.

The Three Key Elements in Outcome-Driven Metrics

There are three essential factors, each playing a critical role in the assessment process:

  • Tolerances: This enables organizations to define acceptable risk thresholds for each ODM. Companies can set benchmarks—such as very low, low, medium, high, or critical—to establish clear boundaries for risk exposure across different security metrics.
  • ODM: A detailed list of metrics spanning various control areas, such as phishing training, endpoint protection, and vulnerability management. Here, users input current performance data to measure how effectively their security controls are performing.
  • Threats: This connects cyber threats to relevant ODM categories, offering a holistic view of overall threat exposure based on the strength of existing controls. It highlights areas of vulnerability and helps prioritize mitigation efforts.

How to Use These Factors

Organizations can follow a simple, three-step process as outlined below:

  1. Set Tolerances: Define acceptable risk levels for each metric in the Tolerances.
  2. Input Data: Enter current performance data into the ODM tab to evaluate control effectiveness.
  3. Assess Risks: The tool calculates control levels (ranging from very low to critical) and delivers a clear picture of threat risks in the Threats tab.

See an example table below:

Tab: Tolerances
  Description: A data-entry sheet for defining acceptable control tolerance levels for each ODM.
  Action:
    • Establish the permissible ranges for all relevant control sets.
    • Users can specify thresholds for ratings from very low up to critical.
  Outcomes:
    • A control score and control level are automatically generated for each ODM, guided by the Control Level chart.
    • The defined ranges feed into both the ODM and THREATS tabs to inform subsequent calculations.

Tab: Outcome-Driven Metrics
  Description: A compiled list of ODMs, categorized by the potential threats they pose to the business.
  Action:
    • Input current numeric values for each control in your organization.
    • Only replace existing numeric data if necessary.
    • The control level recalculates based on the new numeric value.
  Outcomes:
    • Each metric reflects either its completion rate or the presence of required documentation.
    • Depending on entries and the ranges specified in the TOLERANCES tab, each ODM is assigned a rating of very low, low, medium, high, or critical.
    • The category’s overall control strength is derived from the average of all control scores.
    • Note: Any critical-rated control in a category automatically makes the entire category critical.

Tab: Threats
  Description: An overview of current cyber threats to the organization, with each threat linked to the relevant categories in the ODM tab.
  Action:
    • Review the aggregate rating for each threat.
    • Each threat lists the underlying ODM categories contributing to its overall rating.
  Outcomes:
    • Each cyberthreat receives a rating of very low, low, medium, high, or critical based on the control strengths of its associated ODM categories.
    • The threat’s final score is the average of all relevant ODM category ratings.
    • Note: If any category is deemed critical, the entire threat rating defaults to critical.
    • Recommendation: Critical ratings should not be accepted.

Table 1: Control Evaluation Framework – Mapping Tolerances, Metrics, and Threat Ratings

This streamlined approach helps organizations identify weaknesses, allocate resources efficiently, and align cybersecurity strategies with business objectives.
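The roll-up rules in Table 1 (a tolerance threshold per ODM, category strength as the average of control scores with any critical control forcing the category to critical, and the threat rating as the average of category ratings with the same override) are mechanical enough to encode. The Python below is an added example written for this post, not Keepnet's tool or template; the metric names, thresholds, threat map and current values are constructed for illustration, and rounding a fractional average half-up to the nearest level is this example's assumption, since the text does not say how fractional averages are resolved.

```python
from dataclasses import dataclass
from math import floor
from statistics import mean

# Risk ratings in ascending order; the list index doubles as the numeric
# control score that the averages below operate on.
LEVELS = ["very low", "low", "medium", "high", "critical"]
CRITICAL = "critical"


@dataclass(frozen=True)
class Tolerance:
    """Tolerance thresholds for one ODM (the Tolerances tab).

    bounds holds the worst metric value that still earns very low, low,
    medium and high, in that order; anything beyond the last bound is
    critical. For metrics where a higher value is worse (click rate) the
    bounds ascend; where higher is better (training completion) they
    descend.
    """
    bounds: tuple
    higher_is_worse: bool


# Constructed ODM catalogue: metric -> (category, tolerance). The
# thresholds are illustrative, not published benchmarks.
ODMS = {
    "phishing_click_rate_pct": ("Phishing & awareness", Tolerance((5, 10, 20, 30), True)),
    "phishing_training_completion_pct": ("Phishing & awareness", Tolerance((95, 85, 70, 50), False)),
    "suspicious_email_report_rate_pct": ("Phishing & awareness", Tolerance((40, 30, 20, 10), False)),
    "endpoints_with_edr_pct": ("Endpoint protection", Tolerance((98, 95, 90, 80), False)),
    "critical_vulns_open_over_30d": ("Vulnerability management", Tolerance((0, 2, 5, 10), True)),
}

# Constructed threat map: threat -> ODM categories whose control strength feeds it.
THREATS = {
    "Credential phishing": ["Phishing & awareness", "Endpoint protection"],
    "Ransomware": ["Phishing & awareness", "Endpoint protection", "Vulnerability management"],
}

# Constructed current performance data (what would be typed into the ODM tab).
CURRENT_VALUES = {
    "phishing_click_rate_pct": 12.0,
    "phishing_training_completion_pct": 80.0,
    "suspicious_email_report_rate_pct": 35.0,
    "endpoints_with_edr_pct": 96.0,
    "critical_vulns_open_over_30d": 14,
}


def rate_control(value, tol):
    """Map a metric value to its level using the tolerance bounds."""
    for level, bound in zip(LEVELS[:-1], tol.bounds):
        within = value <= bound if tol.higher_is_worse else value >= bound
        if within:
            return level
    return CRITICAL


def roll_up(levels):
    """Average member scores and round back to a level.

    Table 1 rule: one critical member makes the aggregate critical.
    Half-up rounding of the mean is this example's assumption.
    """
    if CRITICAL in levels:
        return CRITICAL
    scores = [LEVELS.index(level) for level in levels]
    return LEVELS[floor(mean(scores) + 0.5)]


def control_levels(values):
    """Per-ODM rating, as the ODM tab would show it."""
    return {name: rate_control(values[name], tol) for name, (_, tol) in ODMS.items()}


def category_levels(values):
    """Category control strength: average of its controls, critical wins."""
    ratings = control_levels(values)
    by_category = {}
    for name, (category, _) in ODMS.items():
        by_category.setdefault(category, []).append(ratings[name])
    return {cat: roll_up(levels) for cat, levels in by_category.items()}


def threat_levels(values):
    """Threat rating: average of its categories' ratings, critical wins."""
    categories = category_levels(values)
    return {threat: roll_up([categories[c] for c in cats]) for threat, cats in THREATS.items()}


def unacceptable_threats(values):
    """Threats rated critical; per Table 1 these should not be accepted."""
    return sorted(t for t, level in threat_levels(values).items() if level == CRITICAL)


if __name__ == "__main__":
    for name, level in control_levels(CURRENT_VALUES).items():
        print(f"{name:36} {CURRENT_VALUES[name]:>6}  {level}")
    print("categories:", category_levels(CURRENT_VALUES))
    print("threats:   ", threat_levels(CURRENT_VALUES))
    print("do not accept:", unacceptable_threats(CURRENT_VALUES))
```

With the constructed inputs, the phishing category lands on medium (two medium controls and one low), endpoint protection on low, and vulnerability management on critical because of the single overdue-vulnerabilities control; that one critical category drags the Ransomware threat to critical regardless of the other categories, which is exactly the override the table describes.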

Outcome-Driven Metrics for Phishing and Security Awareness

Gaps in phishing awareness and preparedness make employees prime targets, turning routine email interactions into potential security disasters. Tracking outcome-driven metrics is important to pinpoint these weaknesses, strengthen defenses, and prevent costly incidents.

These metrics don’t just measure performance—they reveal how well an organization can withstand real-world threats.

Key Outcome-Driven Metrics for Security Awareness

Here’s a breakdown of the essential outcome-driven metrics for phishing susceptibility and security awareness:

Phishing Click-Through Rate

Phishing attacks often succeed because employees don’t recognize the bait. Measuring how often they fall for it in a controlled setting provides a clear window into your organization’s vulnerability—and a starting point for improvement.

Picture 1: Sample click-through rates reflecting employees' propensity to click on malicious links in emails
  • What it measures: The percentage of employees who click on links in simulated phishing emails.
  • Why it’s important: A high click-through rate flags a workforce prone to falling for real phishing attacks. Every click risks credential theft or malware, so lowering this rate through targeted training is a must.

Percentage of Users Completing Phishing Training

Training is your first line of defense against phishing, but it only works if everyone’s on board. Tracking completion rates shows whether your organization is building the skills it needs to fend off these attacks.

  • What it measures: The proportion of employees who’ve completed phishing-specific training in the past 12 months.
  • Why it’s important: Training is the backbone of phishing defense. If coverage is spotty, unprotected employees become easy entry points for attackers.

Percentage of Employees Reporting Suspicious Emails

Awareness isn’t just about avoiding mistakes—it’s about taking action. When employees spot and report threats, they become an active part of your security strategy, not just a potential weak point.

  • What it measures: The rate at which employees flag potential phishing emails to IT or security teams.
  • Why it’s important: A high reporting rate shows employees are alert and engaged, acting as a human firewall to stop attacks early.

Number of Phishing-Related Security Incidents

Simulations and training are preparation, but this metric reveals what happens in the real world. It’s the ultimate test of whether your efforts are paying off—or where they’re falling short.

  • What it measures: The total count of security incidents triggered by phishing over a set period.
  • Why it’s important: This metric cuts through the noise—it’s the hard evidence of phishing’s real-world toll, tying awareness gaps to tangible risks.

Percentage of Employees Completing Awareness Training

Phishing is just one piece of the puzzle. Broader security awareness ensures employees can handle a range of threats, creating a culture of vigilance that protects the entire organization.

  • What it measures: The share of employees who’ve finished broader security awareness training.
  • Why it’s important: Beyond phishing, this training builds a foundation of security know-how, equipping staff to handle diverse threats.
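Computing the metrics above is mostly a matter of getting the denominators right: a user who clicks twice is one clicker, a user who clicks and then reports counts in both rates, and training completion only counts within the trailing twelve-month window against the full roster. The Python below is an added example for this post, not Keepnet's code; the roster, the campaign event log and the dates are constructed, and the event kinds (sent, clicked, reported, training_completed, incident) are this example's own labels.

```python
from datetime import date, timedelta

# Constructed roster and event log (not real data). Each event is
# (user, kind, date); kinds are sent, clicked, reported,
# training_completed and incident.
STAFF = {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"}
AS_OF = date(2025, 6, 30)
EVENTS = [
    *((user, "sent", date(2025, 6, 2)) for user in sorted(STAFF)),
    ("alice", "clicked", date(2025, 6, 2)),
    ("bob", "clicked", date(2025, 6, 2)),
    ("carol", "clicked", date(2025, 6, 2)),
    ("carol", "clicked", date(2025, 6, 3)),   # same user again: still one clicker
    ("carol", "reported", date(2025, 6, 3)),  # reported after clicking
    ("dave", "reported", date(2025, 6, 2)),
    ("erin", "reported", date(2025, 6, 2)),
    ("alice", "training_completed", date(2025, 1, 15)),
    ("bob", "training_completed", date(2024, 11, 3)),
    ("dave", "training_completed", date(2025, 3, 20)),
    ("erin", "training_completed", date(2025, 5, 1)),
    ("frank", "training_completed", date(2024, 8, 9)),
    ("grace", "training_completed", date(2024, 4, 10)),  # older than 12 months
    ("alice", "incident", date(2025, 2, 11)),
    ("bob", "incident", date(2025, 5, 27)),
]


def users_with(events, kind, start=None, end=None):
    """Distinct users with at least one event of this kind in [start, end]."""
    return {
        user for user, k, day in events
        if k == kind and (start is None or day >= start) and (end is None or day <= end)
    }


def pct(part, whole):
    """Percentage of `whole` that is in `part`, rounded to one decimal."""
    return round(100.0 * len(part) / len(whole), 1) if whole else 0.0


def awareness_metrics(events, staff, as_of, window_days=365):
    """Compute the awareness ODMs with explicit denominators.

    Click-through and reporting rates are over simulation recipients;
    training completion is over the whole roster within the window;
    incidents are counted as events, not users.
    """
    since = as_of - timedelta(days=window_days)
    recipients = users_with(events, "sent", end=as_of)
    clicked = users_with(events, "clicked", end=as_of) & recipients
    reported = users_with(events, "reported", end=as_of) & recipients
    trained = users_with(events, "training_completed", since, as_of) & staff
    incidents = sum(1 for _, k, day in events if k == "incident" and since <= day <= as_of)
    return {
        "click_through_rate_pct": pct(clicked, recipients),
        "reporting_rate_pct": pct(reported, recipients),
        "clicked_then_reported": len(clicked & reported),
        "training_completion_pct": pct(trained, staff),
        "phishing_incidents": incidents,
    }


if __name__ == "__main__":
    for name, value in awareness_metrics(EVENTS, STAFF, AS_OF).items():
        print(f"{name:26} {value}")
```

The clicked_then_reported count is worth tracking alongside the two rates: a user who clicks and then reports has still exposed the organization, but the report is what lets the security team contain it, so the two behaviours should be read together rather than netted against each other.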

Business Impact

These metrics aren’t just numbers—they drive results that matter to the bottom line:

  • Fewer Breaches: Cutting phishing click-through rates and boosting training completion shrink the odds of a successful attack.
  • Lower Recovery Costs: Fewer incidents translate to less downtime, cheaper fixes, and less damage to the organization’s reputation.
  • Stronger Security Culture: When employees report suspicious emails and embrace training, they become active defenders, not just potential liabilities.

By zeroing in on these metrics, organizations can shift from reactive firefighting to proactive protection, aligning cybersecurity with business success.

How Keepnet Supercharges Your Outcome-Driven Metrics

The Keepnet Extended Human Risk Management Platform combines targeted solutions—like phishing simulation and security awareness training—to directly enhance your ODMs.

Designed with the human element in mind, these offerings tackle the root causes of phishing vulnerabilities and awareness gaps, turning data points into real security gains.

Whether you’re aiming to lower phishing click-through rates or boost training completion, Keepnet Labs delivers the precision and impact you need.

Our solutions don’t just check boxes—they drive measurable improvements that strengthen your cybersecurity posture and elevate your ODM scores.

Benchmarking Your Outcome-Driven Metrics

Keepnet provides a cybersecurity assessment template so that organizations can compare their Outcome-Driven Metrics with peer organizations. This benchmarking capability helps you see where you stand and where you need to improve. Are your phishing defenses lagging behind similar-sized firms? Is your training coverage above average? Benchmarking turns raw data into a roadmap, showing you how your security stacks up and spotlighting gaps that could leave you exposed.

  • Peer Comparison: By aligning your ODMs—like phishing click-through rates or training completion percentages—with industry peers, you gain a clear picture of your relative strengths and weaknesses.
  • Actionable Insights: Knowing you’re below average in reporting suspicious emails, for example, pinpoints a specific area for investment, making your security efforts more strategic.

Keepnet isn’t just a vendor—we’re your partner in mastering these metrics and staying ahead. With Keepnet, benchmarking and continuous improvement aren’t chores—they’re opportunities to sharpen your defenses and stand out in a crowded field. Keepnet can help you create your cybersecurity assessment template and benchmark your outcome-driven metrics.
