Back to Spotlight

From theoretical to practical: how has a specific company – in this case Yahoo – been able to improve its cybersecurity culture? Are there transferable lessons for other companies?


  • The article argues that “to improve your cybersecurity culture, you must measure what people do when no one is looking”
  • Yahoo has taken a stab at this with an interdisciplinary approach, combining expertise from the ‘red team’ (a group of hackers that test systems), the company’s security awareness team, and the behavioural engineering team that uses HR data and technology logs to measure security behaviour.
  • The objective of the three teams was to change the behaviour of employees. As the teams studied and developed behavioural goals, a formula took shape:

Step 1: Identify the desired behavioural goal

Step 2: Find an appropriate measure and create a baseline

Step 3: Take actions to affect the measured behaviour, adjust those actions over time, and repeat the process

  • The three teams used three overall measures to track their success of their phishing email campaigns
    1. Susceptibility rate: the number of employees who entered credentials on a fake login page divided by the total number of phishing simulations emails sent
    2. Credentials capture rate: the number of employees who entered credentials divided by the number of employees who clicked on the link but did not enter their credentials
    3. Reporting rate: the number of employees who reported the phishing simulations divided by the number of total simulation emails sent


Why does this matter for cybersecurity and businesses?

  • Yahoo’s focus on building cybersecurity culture is in and of itself an important insight for other companies
  • Overall, companies can learn three things from Yahoo
    1. Identify critical employee behaviours
    2. Measure behaviours
    3. Explain why something is important


You can access the full article here