Back to Blog
Board Reporting July 13, 2026 6 min read

The 92% That Wasn't: Why Security Awareness Completion Rates Need Role Weighting

92% completion earned a green indicator in the board deck. Then someone cross-referenced it with HR data, and the story fell apart. The 8% who skipped were clustered in finance and executive assistants — exactly the roles that show up in every BEC post-mortem.

The security awareness completion rate hit 92% last quarter. In the board deck, it earned a green indicator and a satisfied nod. Then someone cross-referenced it with HR data, and the story fell apart in the space of a single pivot table. The 8% who skipped training were not scattered randomly across the org chart. They clustered in two functions that any threat actor would recognize on sight: finance and executive assistants. The number was accurate. The narrative it implied was not.

The Quiet Failure Mode of Single-Tool Reporting

This is the quiet failure mode of single-tool reporting. A learning management system tells you what happened inside the learning management system. It counts completions, tracks due dates, and rolls the totals into a dashboard. What it cannot do is tell you whether the people who completed the training are the people whose completion matters most. Completion, in isolation, is a hygiene metric. Weighted completion, tied to role exposure and blast radius, is a risk metric. The two look identical on a slide and behave nothing alike in reality.

What an 8% Miss Actually Represents

Consider what an 8% miss actually represents when you overlay it on organizational function. Finance owns wire authorization and vendor onboarding. Executive assistants sit on the calendars, inboxes, and travel logistics of the people attackers most want to impersonate. These are the seats that show up first in every business email compromise post-mortem we review. When training gaps concentrate in exactly the roles that face the highest-frequency, highest-consequence social engineering attempts, a headline number of 92% is not a strong signal. It is a comfortable one. Comfort is what the board deck rewards. Comfort is not what the risk register needs.

The Pattern Across Every Single-Control-Plane Metric

The pattern repeats across nearly every security metric that reports upward from a single control plane. Endpoint coverage looks strong until you segment by device class and discover the gaps live on the contractor laptops with the broadest data access. Phishing simulation click rates trend downward until you weight them by the sensitivity of the mailbox that clicked. Patch compliance hits target until you notice the unpatched systems are the ones in the payment path. Averages are generous to whoever presents them. They are not generous to whoever inherits the incident.

The Corrective: What a Defensible Number Requires

The corrective is not more dashboards. It is a shift in what a metric is allowed to claim. A defensible number starts with headcount, role, and exposure, and only then asks what the security tool observed. Completion by department. Completion by privilege tier. Completion weighted by the dollar value or data class each role can touch on a bad day. When we recompute the same 92% with role exposure factored in, we routinely watch the effective figure drop by ten to twenty points. Sometimes the trend line does not just soften. It inverts. Progress on paper becomes regression in practice, and the regression was there the whole time, hidden underneath a well-designed chart.

What the Board Is Actually Testing

Board questions do not test the accuracy of the metric. They test the completeness of the model behind it. When a director asks where the remaining risk sits, the answer that survives is the one that already anticipated the slice. If the presenter has to open a laptop, join two data sources, and rebuild the view live, the credibility of the entire report degrades in real time. The metric that survives scrutiny is the one that was built assuming scrutiny.


That is the work we do at Metric Maestro. We help security leaders build the numbers that hold up when the room gets quiet and the questions get sharper — role-weighted, exposure-adjusted, and joined to the business context that makes them mean something. If your next board deck is coming due, we would rather stress-test it with you now than watch a green indicator get pulled apart in front of an audience. Talk to us.