Goodhart's Law
"When a measure becomes a target, it ceases to be a good measure" — the trap behind phishing click-rate as a security KPI.
Goodhart’s Law is the principle, popularly stated as “when a measure becomes a target, it ceases to be a good measure”. It comes from British economist Charles Goodhart’s 1975 paper “Problems of Monetary Management: the U.K. Experience”, where he observed that any statistical regularity tended to break down once policymakers started using it as a control variable. The pithier modern phrasing is due to anthropologist Marilyn Strathern (1997), but the underlying mechanism is Goodhart’s.
In cybersecurity the law explains why phishing simulation click-rate, taken alone, is a treacherous KPI. Once teams are graded on it, the metric improves in ways that do not correspond to improved security:
- Employees recognize the vendor’s templates and stop clicking those — but stay just as vulnerable to genuine attacker tradecraft.
- IT marks the security team’s simulation IPs as trusted, so the emails skip the spam filter and look more obvious.
- Managers coach their teams about the upcoming campaign window.
- Simulations get easier over time to keep the metric green.
None of these moves reduces real-world breach risk; all of them improve the reported number. The metric stopped measuring the thing it was meant to measure the moment it became the target.
The Goodhart-resistant approach is to track a basket of behavioral signals that an attacker would need to defeat all of, plus signals that move in opposite directions when someone games one of them:
- Report rate (people flagging the simulation, not just not-clicking it).
- Time-to-report (faster is better; a single power-reporter can warn the SOC before the rest of the company clicks).
- Real-incident behavior — what happens during an actual attempted compromise, not just during simulations.
- Behavioral evidence across SaaS surfaces — public sharing, OAuth grants, MFA dismissals — that cannot be gamed by template recognition.
For a CISO, the practical heuristic is: if one number is going to a board slide, at least three numbers should be feeding it, and at least one of them should resist gaming on the others.
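As a worked illustration of the basket approach (an added example, not part of the original glossary entry), the following Python script scores a simulation campaign on click rate, report rate, median time-to-report, and how many clicks landed after the first report reached the SOC, then compares two campaigns and flags the Goodhart pattern described above: click rate improving while report rate stays flat. The recipient events, the minute offsets and the flag wording are constructed for the example; the function names are hypothetical and not from any vendor's reporting API.

```python
"""Score phishing-simulation campaigns on a basket of signals instead of click-rate alone.

Added example: events and timings below are constructed, not real campaign data.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass
class RecipientEvent:
    """One recipient's outcome; times are minutes since campaign start (constructed)."""
    user: str
    sent_at: float
    clicked_at: Optional[float] = None
    reported_at: Optional[float] = None


def click_rate(events: List[RecipientEvent]) -> float:
    """Share of recipients who clicked: the number that becomes the target."""
    return sum(1 for e in events if e.clicked_at is not None) / len(events)


def report_rate(events: List[RecipientEvent]) -> float:
    """Share of recipients who actively reported, not merely ignored, the email."""
    return sum(1 for e in events if e.reported_at is not None) / len(events)


def median_time_to_report(events: List[RecipientEvent]) -> Optional[float]:
    """Median minutes from delivery to report among reporters; None if nobody reported."""
    times = [e.reported_at - e.sent_at for e in events if e.reported_at is not None]
    return median(times) if times else None


def clicks_after_first_report(events: List[RecipientEvent]) -> Optional[int]:
    """Clicks that happened after the SOC could already have been warned by the first reporter.

    Lower is better: it measures how much a fast reporter could have pre-empted.
    Returns None when there was no report at all.
    """
    reports = [e.reported_at for e in events if e.reported_at is not None]
    if not reports:
        return None
    first = min(reports)
    return sum(1 for e in events if e.clicked_at is not None and e.clicked_at > first)


def scorecard(events: List[RecipientEvent]) -> dict:
    """The basket that should feed a single board-slide number."""
    return {
        "click_rate": round(click_rate(events), 3),
        "report_rate": round(report_rate(events), 3),
        "median_minutes_to_report": median_time_to_report(events),
        "clicks_after_first_report": clicks_after_first_report(events),
    }


def goodhart_flags(prev: List[RecipientEvent], curr: List[RecipientEvent]) -> List[str]:
    """Flag an improvement in the target metric that no independent signal corroborates."""
    flags = []
    if click_rate(curr) < click_rate(prev) and report_rate(curr) <= report_rate(prev):
        flags.append("click-rate fell but report-rate did not rise: "
                     "consistent with template recognition or coaching, not with better judgement")
    if report_rate(curr) == 0:
        flags.append("no reporters at all: the click-rate number has no corroborating signal")
    return flags


# Constructed campaigns. PREV is the baseline; GAMED has a better click-rate with the same
# report-rate; HEALTHY has a better click-rate backed by a higher report-rate.
PREV = [
    RecipientEvent("alice", 0, clicked_at=5), RecipientEvent("bob", 0, clicked_at=12),
    RecipientEvent("carol", 0, reported_at=3), RecipientEvent("dave", 0, clicked_at=20),
    RecipientEvent("erin", 0), RecipientEvent("frank", 0, clicked_at=8),
    RecipientEvent("grace", 0), RecipientEvent("heidi", 0, reported_at=15),
]
GAMED = [
    RecipientEvent("alice", 0, clicked_at=30), RecipientEvent("bob", 0),
    RecipientEvent("carol", 0, reported_at=4), RecipientEvent("dave", 0),
    RecipientEvent("erin", 0), RecipientEvent("frank", 0),
    RecipientEvent("grace", 0), RecipientEvent("heidi", 0, reported_at=25),
]
HEALTHY = [
    RecipientEvent("alice", 0, clicked_at=6), RecipientEvent("bob", 0, reported_at=2),
    RecipientEvent("carol", 0, reported_at=5), RecipientEvent("dave", 0, clicked_at=9),
    RecipientEvent("erin", 0, reported_at=7), RecipientEvent("frank", 0, reported_at=20),
    RecipientEvent("grace", 0), RecipientEvent("heidi", 0),
]

if __name__ == "__main__":
    for name, campaign in (("baseline", PREV), ("gamed", GAMED), ("healthy", HEALTHY)):
        print(name, scorecard(campaign))
    print("gamed vs baseline:", goodhart_flags(PREV, GAMED))
    print("healthy vs baseline:", goodhart_flags(PREV, HEALTHY))
```

Both GAMED and HEALTHY show the click rate falling from 0.5; only HEALTHY shows the report rate rising alongside it, so only the GAMED comparison raises a flag. The `clicks_after_first_report` figure is the concrete form of the time-to-report point above: in the baseline, all four clicks came after the first report at minute 3, so a SOC acting on that report had a window to contain the rest.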
Related terms
- Behavioral KPI: A risk-team metric anchored on what employees actually do over time, not on training completions or click-rate on simulated phishing emails.
- Behavioral evidence: The audit artifact that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.
- Behavior baseline: The pre-intervention read of what employees actually do across SaaS, identity and email — the reference any subsequent behavior change is measured against.
- Knowledge-behavior gap: The empirically documented gap between what employees know about cybersecurity and what they actually do at the moment of decision.
- Nudge: A small, contextual intervention that steers a person toward a safer choice without restricting freedom — the unit of work behind behavior-centered cybersecurity.