The genius that is March Madness really boils down to one thing: that damn bracket. People love it. Hell, you can put anything into a bracket and fun ensues.

For example, what if you took all the security threats and tossed 'em into a bracket? What threat do you think would be left standing at the end, victorious over all others? That's exactly what Core Security did. They shared this bracket with their Twitter followers and let them vote over four rounds.

March Madness: Cybersecurity Edition

In the end the battle came down to Phishing vs. Zero Day Attacks. Phishing won.

Not so surprising, really, considering our chat with Proofpoint's Kevin Epstein not long ago -- Everybody Clicks: 95% of Targeted Cyber-Attacks Start with Phishing.

That's been my motto this past month. Everybody clicks. It's what brings us together really. Your mother-in-law or your five-year-old nephew may click more, but we all click, even the best of us. Everybody clicks.

Looking at the bracket, does anything shock you?

Nation-State Actors and Advanced Persistent Threats both got squashed in round one. That's surprising, especially when you factor in the rhetoric from politicians. I would have thought they'd both go far.

"To be honest, I was a bit surprised at the results," said Andrew Rappaport, security & identity management architect at Core Security, via email. "Not Mercer upsetting Duke surprised, but more like Harvard beating Cincinnati surprised."

What stood out to him?

"End-user security awareness lost in the first round. I’m shocked!" Rappaport wrote. "This is especially surprising because phishing, another attack on the user, won the whole thing. Does this imply that the participants believe phishing can be best addressed with technical solutions? I thought end-user security awareness would be a bit higher because educated users can help reduce the downstream risk of a few areas: BYOD and password practices, as well as phishing."

Actually, I think this bracket emphasizes a point I was making in a recent guest blog: it's easy to hold employees up as a scapegoat, but it's also unfair.

Now, let's not take this fun little Twitter exercise too seriously, but it is interesting that phishing is the top concern, yet awareness gets the boot without a second thought. Again, it seems as if we're saying there is this huge massive threat, that employees and end users are the starting point of nearly every attack. But when it comes to training/awareness -- oh, that's not that important.

Are there any matchups above that surprise you? Do you agree phishing is the number one threat, or should it have went to something else?