Subscribe to the Non-Human & AI Identity Journal

How do security and fraud teams know if friction is working?

Friction is working when it reduces abuse without creating avoidable abandonment or customer support burden. The best signal is a balanced view of approval rate, dispute rate, and user drop-off at the control point. If one improves while the others worsen, the control is mispositioned.

Why This Matters for Security Teams

Friction is a control decision, not just a user experience choice. When security or fraud teams add step-up checks, rate limits, device binding, or verification prompts, they are changing attacker cost and legitimate user effort at the same time. The question is whether the control reduces abuse enough to justify any increase in drop-off, manual review, or support contacts. That is why measurement must look at the full path, not a single success metric.

Practitioners often misread a lower fraud rate as success when the real effect is hidden abandonment or channel shift. Current guidance suggests treating friction as an operational control that should be monitored like any other safeguard, with clear evidence of effectiveness, scope, and side effects. Security teams can anchor that mindset in NIST SP 800-53 Rev 5 Security and Privacy Controls, which emphasises control effectiveness and monitoring rather than one-time deployment.

In practice, many security teams encounter the true cost of friction only after legitimate users start failing at the control point, rather than through intentional measurement of abandonment and abuse together.

How It Works in Practice

The simplest way to test friction is to compare outcomes before and after a control is introduced, or to run an A/B or holdout test where feasible. The key is to separate three signals: abuse reduction, legitimate conversion, and operational load. If abuse falls but approvals also fall sharply, the control may be too broad. If approvals stay steady but fraud and dispute rates do not improve, the friction is not targeting the right risk. For identity-heavy flows, this often means watching for where the control sits in the journey, because early friction can suppress attacks but also suppress onboarding.

Security and fraud teams usually combine quantitative and qualitative checks:

  • Approval rate, completion rate, and time to complete the journey
  • Fraud loss, dispute rate, account takeover attempts, or synthetic identity indicators
  • Customer support contacts, failed verification reasons, and manual review volume
  • Repeat attempts from the same device, IP range, account, or session pattern

That operational view aligns well with the detection and response model in CISA guidance on responding to cyber incidents, because friction should be observable, measurable, and adjustable. In fraud operations, the same logic applies to step-up authentication, knowledge checks, velocity limits, and risk-based review queues. The strongest designs are usually risk-based, meaning the control is triggered more often for suspicious conditions and less often for low-risk sessions. Where teams can correlate events, they should also compare friction outcomes with downstream abuse patterns to see whether attackers adapted or simply moved to another path.

These controls tend to break down when the organisation cannot link session-level events to downstream fraud outcomes because attribution becomes too weak to tell whether the friction or the underlying risk model caused the change.

Common Variations and Edge Cases

Tighter friction often increases abandonment and manual workload, requiring organisations to balance abuse prevention against customer experience and support capacity. That tradeoff is especially sharp in high-volume consumer flows, regulated onboarding, and account recovery, where legitimate users are already under time pressure or may be using imperfect devices and networks.

There is no universal standard for the perfect friction threshold. Best practice is evolving toward dynamic decisioning: lighter controls for low-risk activity, stronger controls for anomalous events, and clear fallback paths when a user cannot complete the challenge. For identity and verification use cases, teams should also watch for fairness and accessibility issues, because a control that works for one segment may create disproportionate failure for another. Where the process handles personal data or regulated identity checks, organisations should consider how the control affects consent, auditability, and evidence retention alongside security outcomes.

For deeper control mapping, teams can also reference NIST SP 800-53 Rev 5 Security and Privacy Controls to tie friction to measurable safeguards rather than ad hoc policy. The practical test is not whether friction exists, but whether it improves risk decisions without creating a larger hidden cost elsewhere.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST AI RMF set the technical controls, while PCI DSS v4.0 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM-1 Friction should be monitored as a measurable security control in live operations.
NIST SP 800-53 Rev 5 SI-4 Security monitoring supports detecting whether friction is reducing abuse as intended.
NIST SP 800-63 Identity proofing and authentication steps can create friction that must be measured against completion.
PCI DSS v4.0 8.4.2 Step-up controls and authentication friction often appear in payment-risk journeys.
NIST AI RMF Risk management should consider operational impacts of automated or adaptive friction decisions.

Track friction outcomes continuously and compare abuse, abandonment, and support signals after each control change.