For years, security leaders have wrestled with a simple but stubborn question: How do we prove the value of security awareness and training (SA&T)? For far too long we have leaned on vanity metrics such as training completion rates and phishing click percentages. We assumed they told us something about the effectiveness of our SA&T efforts; in practice they tell us very little about actual risk reduction.

Today, that changes. Our latest research, Five Steps to Better Human Risk Management Metrics and The Essential List of Human Risk Management Metrics, gives security leaders the clarity they need to measure what truly matters. I see this as more than just another comprehensive metrics framework (though it is that): it is also a foundation for turning HRM from a conversation into a movement.

Human risk management (HRM) brings a significant change of mindset, strategy, process, and technology. That change creates the opportunity not only to answer the question of what value our training efforts deliver, but to go much deeper.

From Compliance to Culture: The Metrics Journey

In 2019, before HRM was even a term, I challenged the reliance on SA&T completion rates and NPS, which are easy to report but meaningless for risk reduction, and urged leaders to measure behavioral change instead. That was easier said than done in those days, because our collective understanding of behavior was limited, as was the technology.

In 2020, I criticized the tick-and-bash approach of compliance-driven metrics, which consumed resources but missed the point, and in March 2022 I was still questioning the obsession with phishing click rates and better content. When we then published The Future of SA&T, introducing the term human risk management for the first time, we saw a shift: HRM solutions were being used to measure and manage the risks posed by or to people, based on actual behaviors. Today's research announcement is the culmination of that journey, moving from measuring compliance to measuring what truly matters: risk reduction and behavioral change.

What to Measure — and Why

My toughest challenge in this research, and it will be yours too, was to organize metrics by altitude (tactical, operational, and strategic) and by indicator type (leading, lagging, and coincident). Thank goodness I had the patience of my colleague Chiara Bragato and the eagle eyes of Jeff Pollard to keep me on track. Once I had settled on the right altitudes, I whittled my list down to the 45 metrics that matter most. Then I took on the challenge of determining the HRM goals that will prove ROI, demonstrate effectiveness, and help you reduce human risk. I urge you to follow a similar path by:

  • Aligning every metric to a goal in the security function. This is non-negotiable, and it is not just an alignment exercise. Going through this step forces you to really understand the outcome you want from your HRM program. Is your goal really to increase the percentage of people who complete training? What will that goal give you? You will quickly realise that completion is not a goal in itself, but rather a means to a goal of compliance. A better goal is to improve security behaviors, because that shows whether problematic behaviors have changed and whether your interventions are working (see Figure 1 below).
  • Using HRM metrics as the missing link to justify HRM investments. Metrics aren't just numbers. They're proof. They're the bridge between intent and impact. The right metrics prove ROI and drive executive buy-in. Beyond compliance and risk avoidance, clients I've spoken to have had to demonstrate how HRM helps them meet 12 goals, including:
    • An improved HRM program management and administration experience, because your team has automated the detection, measurement, and management of cybersafe behaviors and human risk.
    • Better security behaviors, because you measure less safe behaviors and intervene in real time.
    • Reduced security friction and increased workforce productivity, because you are no longer training all of the people on all of the security topics at random times.

Metrics Are The Missing Link: From Early Adopter to Early Majority

Early adopters embraced HRM because they believed in its promise. The majority, though, need proof before they adopt it. The right HRM metrics will accelerate adoption by demonstrating tangible results. It is hard to say no to an investment in HRM when you can clearly demonstrate that you have contributed to both overall security and organizational goals. When you can show that targeted interventions cut workforce training time by 40%, or reduce breach-related costs by millions, the conversation changes.

Figure 1: Example metrics you should measure if your goal is to improve security behaviors

Your Next Step

Download the how-to report and the Excel tool containing all 45 metrics, and measure what matters. Forrester clients can schedule a guidance session or inquiry with me. Because in cybersecurity, the future belongs to those who can prove their impact, not just talk about it.