Cybersecurity professionals have never had so many ways to measure the effectiveness of their programs. Checklists and external audits help meet regulatory requirements. Percentage-based metrics slot neatly into dashboards and C-suite presentations. And stoplight graphs offer at-a-glance signals about security posture.

But do all these tools actually make organizations more secure, or do they only mask hidden risks? In many environments, these multiple layers of monitoring, alerting, reporting, auditing and fancy new tools are creating a false sense of confidence.

What’s often missing are the “culture metrics,” those that measure employees’ engagement, cooperation, curiosity and responsiveness. Without these crucial qualitative measurements, even the best-intentioned cybersecurity programs can fail to keep their companies secure.

Above all, however, culture metrics should be all about the people.

The Shortcomings of Traditional Metrics

Checkbox requirements typically run afoul of Goodhart’s Law, which states, “when a metric becomes a target, it ceases to be a good measure.”

Take percentage-based measurements as an example. Patching 99% of all vulnerabilities looks impressive in an IT report or a board presentation. Yet with the rise of automated and AI-driven attacks, even .01 percent can leave a massive security gap. It takes just one well-placed vulnerability or misconfiguration for cybercriminals to wreak havoc on an enterprise.

Another misleading measurement is having an event-free history. It offers no guarantee that a company is safe from future incidents. In fact, for most organizations, the odds of not having a breach are against them.

Misconceptions can create vulnerabilities, too. Some companies believe that they’re too small to be breached or that their data isn’t valuable to hackers. However, automated systems, bots and AI-powered attack tools don’t care about the size of a business or the type of data they store. They only look for vulnerabilities, and when they find one, they’ll strike.

Human Behaviors Make or Break a Program

To understand why “culture metrics” matter just as much as quantitative measurements, let’s examine how bad human behavior compromises security.

From a leadership perspective, executives who don’t believe the rules apply to them often cause far more harm than good. If leaders view fundamentals like complex passwords and multi-factor authentication (MFA) as an inconvenience and develop workarounds, employees will follow their lead. Ironically, leaders who reject MFA due to a sense of entitlement or arrogance often become unwitting victims of the most consequential attacks.

Building such a culture starts at the top of an organization, with leadership consistently showing that cyber and physical security matter to them through their words and actions.

Equally concerning is when CIOs filter or limit data from their security teams. Whether the motivation is self-preservation or the fear that others in the organization aren’t receptive to the raw truth, it’s a conflict of interest that puts the company at considerable risk.

From a staff perspective, each employee’s attitudes toward privacy, intellectual property rights, personal and shared responsibility all influence their cybersecurity behaviors. The growing global culture of instant gratification, access and delivery, coupled with short attention spans, contributes to employee apathy, where anything that takes more than a few seconds or swipes isn’t tolerated.

What’s more, a traditional training-policy-punishment approach to cybersecurity rarely increases an employee’s sense of personal responsibility. If the employee isn’t curious and believes data breaches are insignificant, more training is unlikely to help. I’m reminded of this every time I conduct a post-breach interview and employees tell me, “Security is the company’s job. It’s my job to work around it and get my work done efficiently, regardless of risk.”

From an organizational perspective, companies that try to implement programs without causing inconvenience or investing enough time or money will never achieve a culture of cybersecurity. This type of “security pandering” creates discontent, shadow IT, insecure workarounds, and even direct insubordination.

Building a Culture of Security

Several recent high-profile breaches have shown that attackers can bypass even strong security controls and protocols by tricking helpdesk staff, reinforcing the need for a strong security culture.

Building such a culture starts at the top of an organization, with leadership consistently showing that cyber and physical security matter to them through their words and actions. I strongly recommend that companies weave security into their executive and employee vetting programs as well. If a candidate doesn’t show genuine concern for protecting the company, its clients or its intellectual property, they shouldn’t be hired.

The next step is replacing dry, repetitive training with a more enlightening, empowering approach. Gamification platforms show promise. So do newer AI-powered tools that tailor training to individual employees’ roles and risk levels.

More advanced phishing simulation tools are emerging as well that create realistic attacks and track user behavior. Modern security awareness platforms use that data to score security culture across dimensions, measuring attitudes, behaviors, knowledge and compliance. Other models dive deeper into cognition, sense of ownership and responsibility.

Culture Metrics That Show Real Progress

With strong leadership buy-in and engaging training programs, companies can begin benchmarking their security culture beyond percentages or audits. Tracking training participation rates is one hard-and-fast ROI metric. Others include how often employees proactively ask questions about security policies and whether patterns like repeated test failures stem from individual behavior or systemic problems.

Beyond numbers, companies should keep a pulse on employee behaviors to judge program progress. If employees feel empowered to speak up when they see a suspicious email, ask questions or even joke about thwarting a potential phishing attack, a strong culture likely exists. In contrast, if they fear managers or security teams will view their questions as a waste of time, it’s a sign there’s still work to do.

Measure What Matters Most

The strength of a cybersecurity program goes deeper than numbers on a dashboard or green lights on a colorful chart. It’s revealed in how people behave when something feels off. Organizations that track culture metrics can see their strengths and vulnerabilities and fix them before attackers can exploit them.