For years, security leaders have wrestled with a simple but stubborn question: How do we prove the value of security awareness and training (SA&T)? For far too long now, we’ve leaned on vanity metrics, such as training completion rates or phishing click percentages, that we believed reflected the effectiveness of SA&T efforts — but in reality, they reveal little about actual risk reduction.
Today, that changes. Our latest research — Five Steps To Better Human Risk Management Metrics and The Essential List Of Human Risk Management Metrics — provides security leaders with the clarity they need to measure what truly matters. This isn’t just another comprehensive metrics framework — it’s the foundation for turning human risk management (HRM) from a conversation into a movement.
HRM introduces a significant change of mindset, strategy, process, and technology that not only provides the opportunity to answer the question of the value delivered by our training efforts but also enables us to go much deeper.
From Compliance To Culture: The Metrics Journey
Before HRM was even a term, back in 2019, I challenged the reliance on SA&T completion rates and Net Promoter Score℠ (NPS) — which are easy to report but meaningless for risk reduction — and urged leaders to measure behavioral change. This was easier said than done in those days because our collective understanding of behavior was limited, as was the technology.
In 2020, I criticized the tick-and-bash approach of compliance-driven metrics, which consumed resources but missed the point. Up to March 2022, I continued to question the obsession with phishing click rates and better content. When we finally published a report on the future of SA&T, introducing HRM for the first time, we saw a shift — HRM solutions were being used to measure and manage risks posed by or to people, based on actual behaviors. Today’s research announcement is the culmination of that journey, moving from measuring compliance to measuring what truly matters: risk reduction and behavioral change.
What To Measure — And Why
My toughest challenge in this research — and yours — was organizing metrics by altitude (tactical, operational, and strategic) and by indicator type (leading, lagging, or coincident). Thank goodness I had the patience of my colleague Chiara Bragato and the eagle eyes of Jeff Pollard to keep me on track. Once I found the right altitudes, I whittled my list down to the 45 metrics that matter the most. Next, I tackled the challenge of identifying HRM goals that demonstrate ROI, prove effectiveness, and help reduce human risk. I urge you to follow a similar path by:
Aligning every metric to a goal in your security function. This is nonnegotiable, and it’s not just an alignment exercise. Going through this step forces you to really understand the outcome you wish to achieve from your HRM program. Is your goal really to increase the percentage of people who complete training? What will that goal give you? You’ll quickly realize that completion isn’t the goal in and of itself but rather a method to get to a goal of compliance. A better goal would be to improve security behaviors, as this will highlight whether problematic behaviors have changed and if your interventions are working (see the figure below).
Using HRM metrics as the missing link to justify HRM investments. Metrics aren’t just numbers — they’re proof, and they’re the bridge between intent and impact. The right metrics prove ROI and drive executive buy-in. In addition to compliance and risk avoidance, clients I’ve spoken to have had to demonstrate how HRM helps them meet 12 goals, such as:
Improved HRM program management and administration experience. Your team should automate the detection, measurement, and management of cyber-safe behaviors and human risk.
Better security behaviors. You should be measuring and intervening in real time to identify and fix unsafe behaviors.
Reduced security friction and increased workforce productivity. You shouldn’t be training all of your people on security at random times.
Metrics Are The Missing Link: From Early Adopter To Early Majority
Early adopters embraced HRM because they believed in its promise. But the majority will only adopt HRM once they see proof. The right HRM metrics will accelerate adoption by demonstrating tangible results. It’s hard to reject an HRM investment when you can clearly demonstrate its contribution to overall security and organizational goals. When you can show that targeted interventions cut workforce training time by 40% or reduce breach-related costs by millions, the conversation changes.
Figure: Example Metrics That You Should Measure If Your Goal Is To Improve Security Behaviors
Your Next Step
Download the report, as well as the Excel tool containing all 45 metrics, and measure what matters. Forrester clients can schedule a guidance session or inquiry with me. Remember that, in cybersecurity, the future belongs to those who can demonstrate impact — not just talk about it.