Day 5 of 12 days of riskmas (or, if you prefer, risk-mukah or the non-denominational risk-ivus)
The TL;DR
- Behavior change alone doesn’t fully measure human risk reduction
- Time-to-behavior change (TTBC) captures how long exposure lasts
- TTBC mirrors MTTR by focusing on exposure windows, not just outcomes
- Faster action matters more than eventual participation
- Measuring speed shifts security programs from awareness to action
Behavior change is a critical indicator of human risk reduction, but it is incomplete without a companion metric: time-to-behavior change (TTBC). Modeled after mean time to remediation (MTTR), TTBC measures how long it takes for behavior to shift from intent to action. Because behavior change is typically assessed across a population, TTBC should be anchored to a meaningful threshold, such as the time required for 75 percent of a cohort to complete a desired action. Without a time dimension, behavior change becomes a static outcome, obscuring how long systems or data remain exposed to risk.
Conceptually, TTBC is similar to MTTR in security operations. Both metrics focus on reducing exposure windows rather than simply documenting outcomes. TTBC can be expressed as an absolute duration (e.g., 8 days), or as a relative measure when benchmarked against a control group (e.g., 20 percent of the duration of the control group). In either form, the metric provides a clearer signal of how quickly an organization can move from intent to action.
The importance of TTBC lies in its direct connection to real-world risk. Human risk is not defined by whether people eventually do the right thing, but by how long systems, data, and workflows remain vulnerable in the meantime. Each additional day between awareness and action extends the exposure window. Measuring TTBC shifts the focus from engagement metrics to the speed and effectiveness of action.
Consider the scenario from yesterday: a security team asks employees to update their device OS software to reduce exposure to known vulnerabilities—a relevant scenario in a BYOD or mixed environment. The campaign begins with a short briefing video, followed by targeted Slack nudges to those who have not yet acted. By the end of week two, 75 percent of the cohort updated their devices. By week five, participation leveled off at 99 percent. The final outcome matters, but the speed at which the majority acts is what meaningfully reduces risk.
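One way to compute TTBC as described above, both as an absolute duration and relative to a control group. This is an added example, not code from the original post; the function names, the campaign start date, and both cohorts (20 people each) are constructed for illustration.

```python
from datetime import datetime, timedelta

def ttbc(start, completions, cohort_size, threshold_pct=75):
    """Elapsed time from campaign start until threshold_pct of the cohort acted.

    completions holds one timestamp per person who acted; people who never
    acted are absent from it but still count toward cohort_size.
    Returns a timedelta, or None if the threshold was never reached.
    """
    if cohort_size <= 0 or not 0 < threshold_pct <= 100:
        raise ValueError("need a non-empty cohort and a threshold in (0, 100]")
    if len(completions) > cohort_size:
        raise ValueError("more completions than cohort members")
    needed = -(-threshold_pct * cohort_size // 100)  # integer ceiling
    # Anyone already compliant before the campaign adds zero exposure time.
    elapsed = sorted(max(t - start, timedelta(0)) for t in completions)
    if len(elapsed) < needed:
        return None  # still exposed: the cohort never crossed the threshold
    return elapsed[needed - 1]

def relative_ttbc(treated, control):
    """Treated TTBC as a fraction of the control group's TTBC."""
    if treated is None or control is None or control == timedelta(0):
        return None
    return treated / control

# Constructed sample data: days after campaign start on which each person
# updated their device. One treated and four control members never acted.
START = datetime(2024, 1, 8, 9, 0)

def _at(days):
    return [START + timedelta(days=d) for d in days]

TREATED = _at([1, 1, 2, 2, 3, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14, 18, 21, 25, 30])
CONTROL = _at([3, 5, 8, 10, 14, 17, 20, 24, 28, 30, 35, 40, 45, 50, 70, 80])

if __name__ == "__main__":
    treated = ttbc(START, TREATED, cohort_size=20)
    control = ttbc(START, CONTROL, cohort_size=20)
    print("treated TTBC:", treated)
    print("control TTBC:", control)
    print("relative TTBC:", relative_ttbc(treated, control))
```

Counting non-actors in the cohort size is what keeps the metric honest: a campaign that only ever reaches half the population reports no TTBC at the 75 percent threshold rather than a flattering one.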
For security leaders, TTBC offers a more operational lens on human risk management. It connects behavioral programs directly to exposure reduction and provides a way to compare interventions based on how quickly they drive action. As organizations mature beyond awareness metrics, time-to-behavior change should become a standard measure of whether human risk programs are actually working.
Up tomorrow: why we segment employee populations into cohorts for more exact targeting and analysis.