Behavior baseline
The pre-intervention read of what employees actually do across SaaS, identity and email — the reference any subsequent behavior change is measured against.
A behavior baseline is the read of what employees actually do across the digital workplace before any intervention is deployed — the reference frame against which all later behavior change is measured. It is the unsexy, foundational step of Human Risk Management that most legacy programs skip, and the absence of which makes most “the click rate dropped” claims statistically meaningless.
A behavior baseline answers four questions about the workforce as it stands today, before nudges, before training:
- How many risky behaviors per 100 active users per week? Public Drive/SharePoint shares, OAuth grants to unverified apps, MFA push approvals without justification, password reuse hits, dwell time on suspicious emails — the raw rate.
- Where is the risk concentrated? Which teams, departments, roles, or seniority bands carry most of the weight? Sales and Finance typically score differently than Engineering, but the actual shape varies per org.
- How does risk move over the work calendar? Quarter-end, deal close, Friday-afternoon, return-from-vacation — risk is not flat in time, and the baseline catches the rhythm.
- What is the natural reversion rate? Some risky behaviors self-correct (the file gets unshared the next day). The baseline distinguishes self-correction from intervention-driven correction.
A well-built baseline shares a few properties:
- Silent. No nudges fire during the baseline window. Intervening pollutes the reference.
- Long enough to be statistical. 21-30 days is the working minimum to span a full work cycle. Less and you are measuring noise.
- Owner-scoped. Per team, per department — not just one org-wide number.
- Stored as behavioral evidence. Each observation in the baseline is itself an auditable record, not a derived aggregate.
- Re-measured periodically. Behaviors drift with hiring, attrition, tooling changes. A baseline frozen at day zero stops being useful after a year.
Without a baseline, every behavioral KPI is a number without a sign — a 12% click rate could be excellent or catastrophic depending on where the org started. With one, the CISO can answer the executive committee’s hardest question — did the program actually reduce risk? — in the only way that survives an auditor: by referencing the pre-intervention state.
Engarde (engarde.cc) runs the baseline as the first 30 days of every deployment. The platform observes and records, but does not nudge — so that the after has a credible before to compare against.
Related terms
- Behavioral KPI: A risk-team metric anchored on what employees actually do over time, not on training completions or click-rate on simulated phishing emails.
- Behavioral evidence: The audit artifact that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.
- Human Risk Management (HRM): The Gartner-coined category that replaces Security Awareness Training with behavior-centered, evidence-producing controls applied at the moment of risk.
- Knowledge-behavior gap: The empirically documented gap between what employees know about cybersecurity and what they actually do at the moment of decision.
- Nudge: A small, contextual intervention that steers a person toward a safer choice without restricting freedom — the unit of work behind behavior-centered cybersecurity.