Measure whether suspicious requests are stopped before they become authorised actions. Useful indicators include the number of high-risk requests verified out of band, the rate of attempted mailbox delegation blocked, and how often payment changes are challenged before completion. If alerts do not translate into containment, the control stack is only observing risk, not reducing it.
Why This Matters for Security Teams
Measuring social engineering controls is not the same as counting alerts or training completions. The real question is whether suspicious requests are interrupted before they become authorised actions, especially when attackers use mailbox compromise, payment redirection, or help desk impersonation to bypass normal workflows. NIST’s identity guidance in NIST SP 800-63 Digital Identity Guidelines reinforces that identity proofing and authentication are only part of the problem; organisations still need reliable verification steps when requests are out of band or unusually risky. NHIMG research shows the gap can persist even after detection: the Ultimate Guide to NHIs — Standards notes that 91.6% of secrets remain valid five days after notification, which is a reminder that incident response and control enforcement often lag behind compromise. That same pattern appears in social engineering: if a request is recognised as suspicious but still completed, the control failed operationally. In practice, many security teams discover weak verification only after a fraudulent change or delegated access has already been approved.
How It Works in Practice
Effective measurement starts with outcomes, not awareness. A control stack should show whether people and systems stop risky requests at the point of action, and whether that interruption is consistent across email, chat, ticketing, finance, and admin workflows. The most useful metrics are request-centric and decision-centric, not generic training metrics.
- Out-of-band verification rate for high-risk requests, such as payroll changes or mailbox delegation.
- Block rate for attempted privilege escalation, delegation, or policy override.
- Challenge-before-completion rate for payment or vendor-bank changes.
- Time from suspicious request to containment, including cancellation, ticket hold, or supervisor review.
- False positive rate, so teams can see whether controls are creating friction without reducing risk.
A mature measurement model usually combines SIEM events, ticketing records, email security signals, and human review outcomes. NIST SP 800-63 helps anchor the principle that strong identity assurance does not eliminate the need for step-up verification when context changes. For broader identity governance, the Ultimate Guide to NHIs — Standards is useful because it frames verification, revocation, and visibility as operational controls rather than one-time policy statements. Teams should trend these metrics by request type, business unit, and channel, then validate them with tabletop exercises and controlled simulation. These controls tend to break down in highly decentralised environments where approvals happen in ad hoc messaging threads because there is no dependable system of record for the request and the response.
Common Variations and Edge Cases
Tighter verification often increases response time and staff effort, so organisations must balance fraud resistance against business continuity. That tradeoff becomes most visible in finance operations, executive support, and IT service desks, where legitimate urgency is common and attackers exploit pressure.
Best practice is evolving for what to measure when controls span people and automation. In some environments, the most meaningful indicator is not a simple block count but the percentage of risky requests that are diverted into a safer workflow, such as callback verification, approval re-authentication, or hold-and-review. In others, especially where service desks support account recovery, the key signal is whether identity proofing steps are repeatable and auditable under load. Current guidance suggests that organisations should also distinguish between prevention and recovery: a control can be effective if it stops the change, but ineffective if rollback takes days and the attacker keeps trying.
Social engineering control measurement is also harder when multiple channels are involved. Email-only metrics miss attacks that move into collaboration tools, voice, or external supplier communications. For that reason, practitioners often need separate baselines by channel, then a consolidated view of how many suspicious requests were neutralised before authorisation. Where executive exceptions are common, controls may appear to underperform unless exception handling is tracked explicitly and reviewed as part of governance rather than treated as operational noise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-04 | Checks whether risky identity actions are verified before execution. |
| NIST CSF 2.0 | DE.CM-1 | Supports monitoring whether suspicious activity is detected and acted on. |
| NIST SP 800-63 | IAL/AAL | Identity assurance matters when requests need step-up verification. |
Measure verification and containment rates to confirm high-risk identity actions are blocked or challenged.
Related resources from NHI Mgmt Group
- How do organisations know whether their IGA programme is actually working?
- How do security teams know whether BEC controls are actually working?
- How should security teams measure whether authentication controls are actually working?
- How should organisations measure whether identity governance is actually working?
