The Praxis Practice Blog

Insights on security culture, human factors in cybersecurity, and building resilient organizations.

Receipts or Results – Part 2: The Wrong Metric for the Right Question
· Thea Mannix

Satisfaction surveys and post-training snapshots feel like progress but measure the wrong thing. Part 2 of the Receipts or Results series unpacks why culture change demands patience, behavioural signals, and a longer lens.

Receipts or Results – Part 1: The One-to-One Trap
· Thea Mannix

Most human risk programmes measure what they put in place, not what it did. This first instalment of the Receipts or Results series examines the one-to-one trap – the assumption that one activity metric maps directly to one outcome – and how to escape it.

Human Risk Management Has a Diagnosis Problem
· Thea Mannix

Not every shift in a risk metric is a behaviour problem. Before you blame the driver, check the road. Separating environmental change from behavioural change is where meaningful human risk analysis begins.

Security Lives in the Variance: When Averages Help (and Hurt)
· Thea Mannix

Designing security programmes for the "average employee" is the cockpit problem of our era. Risk hides in the spread — and only baselines built around your own people can reveal it.

The Visibility Gap: Why IT Leaders Cannot See Human Security Risk (And What to Do About It)
· Kai Roer

The biggest threat to your organization is not malware — it is employee behaviors you cannot see. Here is why the industry has a visibility gap, and how to close it.

Your SAT Vendor Says Training Works. Can You Prove It?
· Kai Roer

Completion rates and phishing click rates do not prove behavior changed. Impact Proof tracks what employees actually do before, during, and after any intervention.

Data: the world's best ventriloquist
· Thea Mannix

The same dataset can genuinely support different decisions without anyone lying. Why framing matters more than the numbers themselves — and how rotating your perspective is the foundation of trustworthy analytics.

Your Board Does Not Speak Firewall: How to Report Human Security Risk in Their Language
· Kai Roer

Your CFO does not need a firewall log. Your auditor does not need a phishing dashboard. Stakeholder Brief auto-generates reports in each audience's language.

Are You Getting More Secure — Or Just Hoping? How Internal Baselines Replace Industry Guesswork
· Kai Roer

Generic industry benchmarks do not tell you if your organization is improving. Risk Bearing builds rolling baselines from your own Microsoft 365 data — from day one.

What Are Your Employees Actually Doing? (The Security Data Microsoft 365 Hides in Plain Sight)
· Kai Roer

Your Microsoft 365 environment holds months of employee security behavior data you have never seen. Employee Pulse surfaces it in 15 minutes — no setup meetings required.