Security leaders struggle to identify and manage meaningful metrics that demonstrate the impact of their human risk management (HRM) program. Instead, they often choose to focus on easy-to-obtain, long-held tactical security awareness, training, and engagement metrics. Identifying meaningful HRM metrics is complicated by the fact that changing behavior and instilling a security culture have been difficult to conceptualize and measure. This report establishes a set of HRM metrics and details a five-step process to operationalize those metrics to improve security culture and demonstrate value.