Meaningful Metrics: The Case for Switch Cost
Metrics are a touchy subject in human factors. And rightly so - metrics as they are currently implemented pose several issues. They can become reductionist in the sense that they oversimplify complex human behavior, such as only relying on click rates from 3 phishing simulations. They can also take attention from important qualitative aspects of security culture, and encourage people to game the system by adjusting metrics without changing anything of substance. Many who have recognised these (and other) problems also promote the idea that in the current format, it's better to do away with metrics altogether because the cultural and personal impact is doing more harm than good.
Well intended - but there is a better response.
We do not make business decisions without looking at the data - revenue, churn, new customers. We do not base our assessment of marketing campaigns on vibes. We do not guess what to do next - we use data to drive our actions.
Similarly, it is an unrealistic (and dangerous) expectation that actions taken to protect against the leading cause of cybersecurity breaches should not be measured for efficiency. It's not so much about doing away with metrics; it's about developing meaningful ones. We invest so much in cybersecurity, yet do we know what's actually working? Metrics and KPIs are a standard business requirement, and cybersecurity operates WITHIN the business. Not only that, they are essential in telling you what the impact of your interventions is. Security implementations are not binary, neutral or good: they can also be damaging. Are you paying to increase your risk? How do you know?
This is our argument: you do need metrics, but you don't necessarily need to track individual behavior. What you need to track is the environment. Let's look at an example of a meaningful human factor metric that won't damage your culture:
Switch cost, a term used in cognitive psychology, refers to the mental strain and inefficiencies incurred when an individual switches from one task to another. The frequent task-switching that many cybersecurity practices require not only slows down work but also increases the likelihood of people making errors in their primary jobs. In an environment where employees are constantly bombarded with security alerts and demands, this can lead to significant fatigue and reduced productivity.
Understanding and measuring the switch cost in your organization can provide invaluable insights. By quantifying how often employees interrupt their primary tasks to address security issues, you can identify patterns and problem areas where you can reduce or remove inefficiency and cognitive cost to employees. This metric allows you to gauge the true impact of cybersecurity demands on overall operational efficiency.
Managing and, where possible, reducing switch cost isn't just about easing the workload or simplifying tasks; it's about strategically enhancing your cybersecurity framework to be less intrusive and more intuitive. Integrating security practices that are as seamless as possible and minimize disruption can lead to better compliance, heightened security awareness, and a more resilient organizational culture. You can also demonstrate business value by calculating a simple time/cost saving as your organization becomes more efficient.
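To make the measurement concrete, here is an added worked example (not code from the original post or from Praxis Security Labs) that computes a switch-cost metric over a constructed log of security interruptions. It assumes a hypothetical log format (timestamp, employee, interruption source, seconds spent handling it), an assumed per-interruption resumption overhead (the re-engagement time after the interruption, here a placeholder of 120 seconds rather than a measured constant), and a hypothetical second period after a change that reduced repeat MFA prompts. The metric is environment-level: it aggregates by interruption source and per person-day, and the comparison between periods yields the time/cost saving the text describes, without scoring any individual.

```python
"""Switch-cost metric computed over a constructed log of security interruptions.

Hypothetical data and an assumed resumption overhead; the log format, field
names and the intervention are illustrative, not any organisation's records.
"""
from collections import defaultdict
from datetime import datetime

# Assumed: seconds of re-engagement overhead each interruption adds on top of
# the time spent handling it. Calibrate from your own observations; this is a
# placeholder value, not a measured constant.
RESUMPTION_SECONDS = 120

# Constructed sample log (week 1): timestamp,employee,interruption_source,handling_seconds
LOG_BEFORE = """\
2024-03-04T09:02:00,alice,mfa_prompt,20
2024-03-04T09:40:00,alice,mfa_prompt,20
2024-03-04T11:15:00,alice,alert_triage,300
2024-03-04T10:05:00,bob,mfa_prompt,25
2024-03-04T14:30:00,bob,password_reset,500
2024-03-05T09:10:00,alice,mfa_prompt,20
2024-03-05T13:00:00,bob,phishing_report,90
2024-03-05T15:20:00,bob,mfa_prompt,25
"""

# Constructed sample log (week 2), after a hypothetical change that cut
# repeat MFA prompts; the other interruption sources are unchanged.
LOG_AFTER = """\
2024-03-11T09:03:00,alice,mfa_prompt,20
2024-03-11T11:20:00,alice,alert_triage,300
2024-03-11T14:35:00,bob,password_reset,500
2024-03-12T13:05:00,bob,phishing_report,90
"""


def parse_log(text):
    """Turn the CSV-style text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, employee, source, secs = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "employee": employee,
            "source": source,
            "handling_s": int(secs),
        })
    return events


def per_source(events, resumption_s=RESUMPTION_SECONDS):
    """Count, handling time and total switch cost per interruption source.

    Switch cost = handling time + resumption overhead for every interruption,
    so many short interruptions can outweigh one long one.
    """
    totals = defaultdict(lambda: {"interruptions": 0, "handling_s": 0, "switch_cost_s": 0})
    for e in events:
        row = totals[e["source"]]
        row["interruptions"] += 1
        row["handling_s"] += e["handling_s"]
        row["switch_cost_s"] += e["handling_s"] + resumption_s
    return dict(totals)


def interruptions_per_person_day(events):
    """Average number of security interruptions per employee per working day."""
    person_days = {(e["employee"], e["ts"].date()) for e in events}
    return len(events) / len(person_days)


def total_switch_cost_s(events, resumption_s=RESUMPTION_SECONDS):
    """Whole-environment switch cost in seconds for one period."""
    return sum(e["handling_s"] + resumption_s for e in events)


def saving(before, after, hourly_rate, resumption_s=RESUMPTION_SECONDS):
    """Time and money saved between two comparable periods (environment-level, not per person)."""
    seconds_saved = total_switch_cost_s(before, resumption_s) - total_switch_cost_s(after, resumption_s)
    return {"seconds_saved": seconds_saved, "cost_saved": seconds_saved / 3600 * hourly_rate}


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    # Rank sources by switch cost, not by handling time alone.
    for src, row in sorted(per_source(before).items(), key=lambda kv: -kv[1]["switch_cost_s"]):
        print(f"{src:16} {row['interruptions']:>3} interruptions  "
              f"{row['handling_s']:>5}s handling  {row['switch_cost_s']:>5}s switch cost")
    print(f"interruptions per person-day: before {interruptions_per_person_day(before):.2f}, "
          f"after {interruptions_per_person_day(after):.2f}")
    print(saving(before, after, hourly_rate=50))
```

In the constructed data the password reset consumes the most handling time, but once the resumption overhead is counted the five short MFA prompts carry the largest switch cost. That is the point of the metric: the raw time an employee spends on a security task understates the cost of frequent small interruptions, and ranking sources by switch cost points at where to reduce intrusiveness first. The hourly rate is a parameter you supply from your own figures.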
Ultimately, by adopting human factors metrics like switch cost, businesses can achieve a more balanced approach to cybersecurity, one that respects the cognitive limits of their employees while fortifying their defenses. It’s time to recognize that understanding the human side of cybersecurity is as crucial as managing any other business risk.
Want access to the latest metrics developed by the Praxis Security Labs team? Sign up for Praxis Navigator today.