The Praxis Practice Blog

Insights on security culture, human factors in cybersecurity, and building resilient organizations.

Your SAT Vendor Says Training Works. Can You Prove It?
· Kai Roer

Completion rates and phishing click rates do not prove behavior changed. Impact Proof tracks what employees actually do before, during, and after any intervention.

Data: the world's best ventriloquist
· Thea Mannix

The same dataset can genuinely support different decisions without anyone lying. Why framing matters more than the numbers themselves — and how rotating your perspective is the foundation of trustworthy analytics.

Your Board Does Not Speak Firewall: How to Report Human Security Risk in Their Language
· Kai Roer

Your CFO does not need a firewall log. Your auditor does not need a phishing dashboard. Stakeholder Brief auto-generates reports in each audience's language.

Are You Getting More Secure — Or Just Hoping? How Internal Baselines Replace Industry Guesswork
· Kai Roer

Generic industry benchmarks do not tell you if your organization is improving. Risk Bearing builds rolling baselines from your own Microsoft 365 data — from day one.

What Are Your Employees Actually Doing? (The Security Data Microsoft 365 Hides in Plain Sight)
· Kai Roer

Your Microsoft 365 environment holds months of employee security behavior data you have never seen. Employee Pulse surfaces it in 15 minutes — no setup meetings required.

On Measuring the Unmeasurable
· Thea Mannix

Security culture is a theoretical metaphor that we can measure as others.

Meaningful Metrics: The Case for Switch Cost
· Thea Mannix

Resilience in cybersecurity is about meaningful metrics, such as switch cost.

The Internet is a dark room. Your brain thinks the lights are on.
· Thea Mannix

How can you tell when someone is lying to you? Most of our defenses against social threats are disabled in digital environments. Worse, we don't realize it.

Meaningful Baselines for Human Factors: Here's How To Do It
· Kai Roer

The most important reason for a baseline in human risk management is knowing that what you do is the right thing to do.

The Problem with Awareness Training Best Practices - and How We Can Fix It
· Kai Roer

Security awareness training best practices are not working because they take a one-size-fits-all approach, which is damaging to security culture.