Strategy

Outcome-based security framework

Focuses on what actually changes when accessibility and security work together. Define success in real terms — not how many people completed training, but whether people can complete tasks securely and independently.

Who it's for

Security leaders tired of reporting activity metrics that don't correlate with whether the organisation is safer.

When to use it

When designing a new programme, or when a board member asks the awkward question "yes, but did it work?"

Activity vs outcome

"95% of staff completed phishing training" is an activity metric. "Phishing-related credential theft fell 60%" is an outcome metric. The framework helps you stop reporting the first and start reporting the second.

The outcome categories

  • People outcomes — can the workforce safely do their jobs?
  • Risk outcomes — has the likelihood or impact actually fallen?
  • Trust outcomes — do customers, regulators and staff believe you?
  • Resilience outcomes — when something goes wrong, how quickly do you recover?

In practice

How to run it

  1. For each major security investment, write the outcome you expect — in one sentence — before the project starts.

  2. Agree how you will measure that outcome, and who is responsible for the measurement.

  3. Report against the outcome, not the activity. Replace any metric you can't tie to an outcome.

  4. Retire programmes that don't move outcomes, even if they look busy.

Want the full story?

The frameworks are most powerful alongside the case studies, research, and playbooks in the book.