Metrics & Reporting
May 13, 2026 · Last updated on May 15, 2026

Leading vs Lagging Indicators

Stop reporting what already happened and start measuring what's about to

Ant Davis

Leading vs lagging: why your metrics might be answering the wrong question

There's a pattern I see a lot. A practitioner puts together a solid report. Completion rate is up, click rate is down, culture survey is holding steady. And then the response from leadership is something like: so why did we have three incidents last quarter involving human error?
It's a fair question. And the honest answer is usually that the metrics being reported weren't designed to answer it.
That's the leading versus lagging problem, and it's worth understanding properly because it shapes everything about how you measure your programme's effectiveness.

What the terms actually mean

A lagging indicator is a result. Something that already happened. Breach count, incident cost, how many people clicked a live phishing link. You're looking in the rearview mirror.
A leading indicator is a signal. Something that tells you what's likely coming. Reporting rates, culture survey trends, whether specific high-risk groups are changing their behaviour over time.
Both matter. But most awareness programmes I see were built almost entirely on lagging indicators, which means they're permanently in reactive mode. Explaining what went wrong rather than showing what's being prevented.

Why lagging-only measurement causes problems

It's not just that lagging indicators are backwards-looking. It's that they can actively mislead you.
Low click rates feel reassuring, but a workforce that doesn't click and doesn't report isn't necessarily good at spotting phishing. It might just be a workforce that's learned to be paranoid about anything slightly unusual, which is a different thing entirely and not necessarily the outcome you're after.
Lagging metrics also close the feedback loop too late. By the time you're seeing a spike in incidents, the conditions that caused it have been in place for months and the window to intervene has gone.

What good leading indicators look like

Reporting rates are the strongest one. A workforce that flags suspicious emails, unusual requests, or near-misses is a workforce that's engaged and one that gives you early warning rather than post-incident regret.
Near-miss reporting is even better. When people feel safe enough to say "I nearly fell for that," you've got a genuine culture signal. That kind of honesty takes psychological safety to produce, and it's worth more than any click rate.
Culture survey direction matters too. Not the score itself, the direction. Is it moving, and over what timeframe? A score that's been flat for two years tells you something completely different from one that's improved consistently over four surveys.
And then there's high-risk cohort behaviour. If you've identified the roles or teams that carry the most human-related risk, are you actually seeing change in those groups specifically? Organisation-wide averages are comfortable because they hide the parts that actually matter.

How to start building this in

You don't need to overhaul everything at once. Pick one lagging metric you currently report and ask: what would I expect to see move earlier if things were actually improving?
Phishing incident rate is a lagging metric, but reporting rate and simulation improvement in targeted groups are the leading counterparts. Start tracking those alongside each other and you'll have something that tells a more complete story.
Three to five consistently tracked indicators are worth more than twenty numbers that only get looked at when it's time to write a report.
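
The side-by-side tracking described above, as an added example that is not part of the original article: it computes click and reporting rates per quarter, organisation-wide and per cohort, and flags cohorts that are clicking less without reporting more. The records, cohort names, function names and the flagging rule are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: (quarter, cohort, emails_delivered, clicked, reported)
SIMULATIONS = [
    ("2025-Q3", "finance",     200, 30, 20),
    ("2025-Q4", "finance",     200, 24, 18),
    ("2026-Q1", "finance",     200, 20, 16),
    ("2025-Q3", "engineering", 800, 64, 160),
    ("2025-Q4", "engineering", 800, 48, 240),
    ("2026-Q1", "engineering", 800, 32, 320),
]

def rates(rows):
    """Aggregate rows into (click_rate, report_rate)."""
    delivered = sum(r[2] for r in rows)
    if delivered == 0:
        return 0.0, 0.0
    return sum(r[3] for r in rows) / delivered, sum(r[4] for r in rows) / delivered

def by_quarter(rows, cohort=None):
    """Return {quarter: (click_rate, report_rate)}, optionally for one cohort."""
    buckets = defaultdict(list)
    for r in rows:
        if cohort is None or r[1] == cohort:
            buckets[r[0]].append(r)
    return {q: rates(rs) for q, rs in sorted(buckets.items())}

def direction(series):
    """Net change from first to last value: the trend, not the score."""
    return series[-1] - series[0] if len(series) > 1 else 0.0

def quiet_cohorts(rows):
    """Cohorts whose click rate is falling while their report rate is not rising
    (assumed rule for this example)."""
    flagged = []
    for cohort in sorted({r[1] for r in rows}):
        q = list(by_quarter(rows, cohort).values())
        click_dir = direction([c for c, _ in q])
        report_dir = direction([r for _, r in q])
        if click_dir < 0 and report_dir <= 0:
            flagged.append(cohort)
    return flagged

if __name__ == "__main__":
    for q, (c, r) in by_quarter(SIMULATIONS).items():
        print(f"{q} org-wide click={c:.1%} report={r:.1%}")
    print("clicking less but not reporting more:", quiet_cohorts(SIMULATIONS))
```

In this constructed data the organisation-wide reporting rate rises every quarter, while the smaller finance cohort's reporting rate falls alongside its click rate, which the average alone would not show.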

One honest challenge

If your programme has been running for a while and you can't point to a single leading indicator you're tracking, that's worth sitting with for a moment. It probably means you've been measuring what's easy to collect rather than what's useful to know. Most programmes start there. But it's hard to make a credible case for investment when your measurement framework only tells you what already happened.
Start earlier in the signal chain. The story it lets you tell is a much better one.
