Activity metrics vs. behavioural evidence — and why only one proves your security works
Completion rates, click rates, hours delivered — they tell you something happened. They don't tell you anything changed. Here's the difference, and why it now decides audits.
What activity metrics measure
Activity metrics count actions: courses completed, phishing-simulation clicks, logins, hours of training delivered. They answer one question — did we do the thing? They're easy to produce and easy to put in a report. What they can't tell you is whether any of it made your people safer.
What behavioural evidence measures
Behavioural evidence measures what people actually do: whether MFA adoption is climbing, whether risky sharing is falling, whether the team that clicked last quarter clicks less this one. It answers the question that matters — did behaviour change? That's the only signal that maps to real risk, and the only one regulators now accept as proof.
Side by side
| Activity metric | Behavioural evidence |
|---|---|
| Training courses completed | Fewer risky actions in the weeks after training |
| Click rate on one phishing simulation | Whether real risky behaviour falls across many |
| Hours of awareness delivered | Whether MFA adoption is actually rising |
| A point-in-time snapshot | A trend you can defend to an auditor |
Why the distinction suddenly matters
NIS2, DORA, and GDPR each now require you to show that your security measures are effective — tested and evaluated over time, not simply in place. Effectiveness is a change in behaviour. Activity describes effort; behavioural evidence describes the outcome. When an auditor asks how you know your programme works, only the second is an answer.
More activity can even hide rising risk
Doing more doesn't guarantee less risk — and can mask the opposite. Peer-reviewed research on 83,269 employees found that when people believed their colleagues were already handling security well, they grew less careful, not more, and that a clearly communicated policy could increase casual link-clicking. If you only track activity, you would never see it happening.
Peer-reviewed field research
29–55%
of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.
Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
Peer-reviewed field research
When employees believed their colleagues were already handling security well, they became more susceptible to phishing, not less — a boomerang effect. A clear, salient security policy could likewise increase casual link-clicking.
From the same field study of 83,269 employees across 510 organizations.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
What actually counts as evidence
Three things: a baseline of how your people behave today, a trend showing whether it's improving, and a before-and-after around a specific change so you can attribute the movement to what you did. Together they turn "we ran a programme" into "here's what changed."
How Praxis Navigator produces it
Praxis Navigator builds all three from your own Microsoft 365 signal — rolling baselines from day one, behaviour tracked over time, before-and-after comparisons, and stakeholder-ready reports. You connect in 15 minutes and measure whether your measures worked. You run the programme; Praxis proves it.
NIS2 requires you to test whether your awareness and training are effective, and to run a documented process that assesses whether your risk-management measures work. Applies to essential and important entities across 18 sectors.
DORA requires financial entities to monitor the effectiveness of their digital operational resilience strategy, and makes security awareness and resilience training compulsory for every employee and board member. Applies to EU financial entities.
GDPR Article 32 requires a process for regularly testing, assessing and evaluating the effectiveness of your security measures. Applies to any organization processing personal data.