Einstein and Security Awareness

Einstein and Security Awareness

Confession: For six years, I told every middle school student who attended my math class that I was dating dear Albert Einstein (aka Albie). It’s true. There he was, the very embodiment of my love of math, immortalized in a 3’ x 5’ poster with his disheveled hair, wide eyes and Gene Simmons-like tongue sticking out, hanging on the back wall. My students thought I was crazy.


What’s not crazy, is how impactful this wonderful math can be when planning, building and running a security awareness training program that engages your end-users and produces the outcomes you are seeking. October is National Cybersecurity Awareness Month (NCSAM) and a great time to take a deeper look at the awareness in your organization. Let’s see how you can use metrics to improve your security awareness training program.


It is all about connecting


Correlations are a topic that you likely learned in middle school, whether you remember it or not. Since it was a while ago, here’s a refresher. A correlation is defined as a mutual relationship or connection between two or more things – where the trend points to a distinct affect one set has on another.


  • Positive Correlation: As one data set increases, the other increases.
  • Negative Correlation: One data set inversely affects the other. This means, as one increases, the other decreases. And vice versa.


See, that was painless, right?


The cybersecurity correlation


As technologies, cyber threats, workforce characteristics and operational landscapes evolve, so must the solutions to address them. As such, security awareness programs should be data-driven. They should be agile, dynamic and undergo on-going analysis to ensure they are purposeful in addressing end-user behaviors and not simply arbitrarily checking a box.


The emergence of actionable insights comes from the analysis of applicable data sets and their correlations. In a security awareness program, applicable data sets may include: survey results, course completions, policy acknowledgments, lunch and learn attendance and incident reporting metrics.


Consider this Scenario:


  1. Through an employee survey, you find that feelings of empowerment at work have a positive correlation to the number of correctly reported phishing simulations.
  2. Through data analysis, you find that as more people report phishing simulations, the number of successful malware incidents decrease.
  3. This would lead us to conclude that positive feelings of empowerment at work lead to fewer malware incidents for the company.
  4. The security awareness program leaders then start working with human resources and people managers on initiatives to increase the positive feelings of empowerment felt by their employees.


Security awareness programs are designed to educate end-users about cyber threats and what to do when they see them. If you’re looking for a real ROI, dive into the data. Allocate resources where your end-users need them. And if anyone questions you, stick out your tongue like my dear Albie and show them the math.

Tiffany leads the Security Awareness Training and Threat Emulation practices at Optiv, overseeing the design and development of engaging and meaningful security awareness programs for customers. For over six years, Tiffany has been developing learning solutions that address the unique challenges of global organizations facing a wide array of cybersecurity risks. She has a background in education and has a Masters in Instructional Design & Technology and has worked in Learning & Development for 12 years.