Becoming a "Human Who Is Hard to Hack" Against Attacks

Day 123: What Does "Success" Mean in Habit Formation? (Measuring Habit Formation)


[Series Structure] Pillar E | Making It a Habit

The essence of a habit is not willpower but automaticity: a state in which the right action comes out "naturally" even under pressure. The question to ask is not the completion rate. Did behavior change in that moment? Did it hold under load? Observe, measure, adjust, repeat. Growth can be designed.

▶ Series overview: Series Map: Human Flexibility for Cyber Judgment

▶ Other posts in Pillar E (Habit & Autonomy):

What Does "Success" Mean in Habit Formation?


It is not a test score. Many organizations still take comfort in the "appearance of compliance": completion rates and attendance rates.

But, as research on security awareness programs also shows, completion rates are easy to measure. Behavior change is hard to measure.

That is exactly why the latter is undervalued.

Yet what frontline managers really want to see is:
  • how incident trends have changed
  • how phishing response behavior has changed
  • how judgment "in the moment" has changed

In other words, "evidence of behavior."

This is the turning point. Change the question you ask.

Not "Did you complete the training?" but:

"Did people act differently in that moment?"
"Did that hold even under load?"

Security is not a matter of knowledge. It is a matter of behavior in the moment.

And behavior is something you measure, adjust, and grow.

Growth is not a feeling; it can be designed.

---

[Series Structure] Pillar E | The Science of Making Good Judgment a Habit

What we don't measure, we can't grow. Habit strength is not willpower; it's automaticity under pressure. Stop asking about completion. Ask: Did behavior change in the moment--and does it hold under load? Observe. Measure. Adjust. Repeat. Growth is designed.

▶ Series overview: Series Map -- Human Flexibility for Cyber Judgment

▶ Other posts in Pillar E (Habit & Autonomy):

Measuring Habit Formation


Layer 3: Personal Calibration Tracking (judgment quality, not just behavior) - MITRE

Security isn't only "do X." It's "decide well under uncertainty." That's why you also measure calibration:

A) Confidence vs. accuracy (calibration)

Run short simulations (2-5 minutes), then capture:

  • confidence (0-100%)
  • actual correctness (0/1)

Over time, you want less overconfidence, faster correct decisions, and clearer uncertainty labeling.

Metacognitive training studies show that feedback on judgment accuracy can reduce systematic underconfidence and improve judgment accuracy (even when behavior choices may still be biased by effort avoidance).
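Here is one way to turn those simulation records into the three signals above. This is an added example, not code from the original post or from any of the cited studies; the Trial schema, the 60% "uncertain" threshold, and every record in TRIALS are constructed for illustration.

```python
"""Calibration tracking for short decision simulations.

Added example, not code from the original post. Each Trial is one
2-5 minute simulated decision (e.g. "is this urgent credential-reset
request legitimate?") with the participant's stated confidence (0-100),
whether they were right (0/1) and how long they took. All records below
are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Trial:
    week: int         # program week in which the simulation ran
    confidence: int   # stated confidence, 0-100
    correct: int      # 1 = decided correctly, 0 = did not
    seconds: float    # time taken to reach the decision


# Constructed: week 1 is overconfident and slow; week 4 is better calibrated,
# faster on correct calls, and labels its remaining mistakes as uncertain.
TRIALS = [
    Trial(1, 90, 0, 48.0), Trial(1, 85, 1, 40.0), Trial(1, 95, 0, 35.0),
    Trial(1, 80, 1, 52.0), Trial(1, 90, 1, 44.0), Trial(1, 70, 0, 60.0),
    Trial(4, 75, 1, 30.0), Trial(4, 55, 0, 38.0), Trial(4, 85, 1, 28.0),
    Trial(4, 60, 1, 41.0), Trial(4, 80, 1, 25.0), Trial(4, 50, 0, 36.0),
]


def calibration_summary(trials):
    """The three signals the text says to watch: overconfidence, speed of
    correct decisions, and whether mistakes are flagged as uncertain."""
    confs = [t.confidence / 100 for t in trials]
    hits = [t.correct for t in trials]
    accuracy = mean(hits)
    mean_conf = mean(confs)
    # Brier score: mean squared gap between stated confidence and outcome (0 = perfect)
    brier = mean((c - h) ** 2 for c, h in zip(confs, hits))
    correct_secs = [t.seconds for t in trials if t.correct]
    # "Clear uncertainty labeling": share of wrong decisions made with confidence below 60%
    wrong = [t for t in trials if not t.correct]
    flagged = sum(1 for t in wrong if t.confidence < 60)
    return {
        "n": len(trials),
        "accuracy": round(accuracy, 3),
        "mean_confidence": round(mean_conf, 3),
        "overconfidence": round(mean_conf - accuracy, 3),  # positive = overconfident
        "brier": round(brier, 3),
        "mean_seconds_correct": round(mean(correct_secs), 1) if correct_secs else None,
        "uncertainty_flagged": round(flagged / len(wrong), 3) if wrong else None,
    }


def reliability_table(trials, width=20):
    """Bucket trials by stated confidence; per bucket return
    (mean confidence, observed accuracy, count). Well-calibrated people have
    the first two numbers close together in every bucket."""
    buckets = {}
    for t in trials:
        lo = min(t.confidence // width * width, 100 - width)
        buckets.setdefault(lo, []).append(t)
    return {
        f"{lo}-{lo + width}": (
            round(mean(x.confidence for x in b) / 100, 3),
            round(mean(x.correct for x in b), 3),
            len(b),
        )
        for lo, b in sorted(buckets.items())
    }


def by_week(trials):
    """Trend view: one summary per program week, so you can see whether
    overconfidence shrinks and correct decisions get faster over time."""
    weeks = sorted({t.week for t in trials})
    return {w: calibration_summary([t for t in trials if t.week == w]) for w in weeks}


if __name__ == "__main__":
    for week, summary in by_week(TRIALS).items():
        print(f"week {week}: {summary}")
    print(reliability_table(TRIALS))
```

The per-week summary is the trend you report back to the participant; the reliability table is the diagnostic you keep for yourself, because a healthy overall gap can hide one confidence band (typically the 80-100% one) where people are still wrong far more often than they think.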

B) Bias recognition improvement

If you want more structured bias measurement, MITRE's Assessment of Biases in Cognition (ABC) is an example of an instrument designed to measure recognition of biases and bias susceptibility using scenario-based tasks under uncertainty and pressure.

C) Decision quality enhancement

Define 2-3 "golden decisions" in your environment (e.g., vendor invoice change, OAuth consent prompt, urgent credential reset request). Track:

  • false positives (unnecessary escalations)
  • false negatives (missed threats)
  • time-to-correct-decision

Validation: how to keep your metrics honest (so they don't turn into theater) - NIST

Metrics fail in predictable ways: they get gamed, misunderstood, or detached from decisions. NIST emphasizes documentation (scope, formula, target, data source, responsible parties), data quality/validation, and reporting with context.

Use these four validation checks:

  1. Define scope and "opportunity count" (avoid denominator tricks)
    Example: time-to-report only counts events the user could reasonably see.
  2. Triangulate (one metric is never enough)
    Pair: reporting rate + time-to-report + true-positive rate.
  3. Check data quality
    Are reports consistently logged? Are timestamps comparable? Is "verification" logged reliably?
  4. Report with context + action
    Every metric should answer: "So what do we change next week?"
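The following puts the "golden decision" tracking from C) and the four validation checks into one metrics routine. It is an added example, not code from the original post or from NIST SP 800-55; the Event schema, the rule that time-to-report is measured from when the user saw the message, and all eight sample events are constructed for illustration.

```python
"""Opportunity-denominated phishing-response metrics with built-in data-quality checks.

Added example, not code from the original post. It implements the
validation checks from the text: the denominator is only the events the
user could reasonably see (check 1), three metrics are reported together
(check 2: reporting rate, time-to-report, true-positive rate of reports),
and records with unreliable timestamps or a missing verification verdict
are excluded and counted rather than silently trusted (check 3). The
false-positive / false-negative counts are the "golden decision" tracking
from section C. The Event schema and all sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Event:
    event_id: str
    delivered_at: Optional[datetime]    # when the message reached the mailbox
    seen_at: Optional[datetime]         # when the user opened it; None = never visible
    reported_at: Optional[datetime]     # when the user hit "report"; None = not reported
    verified_malicious: Optional[bool]  # analyst verdict; None = verdict never logged


def _t(hour, minute=0):
    return datetime(2025, 1, 6, hour, minute)  # constructed date, one working day


# Constructed sample: one user's events during a simulated campaign.
EVENTS = [
    Event("E1", _t(9), _t(9, 5), _t(9, 8), True),      # seen, reported in 3 min, real threat
    Event("E2", _t(10), _t(10, 30), None, True),        # seen, real threat, never reported (false negative)
    Event("E3", _t(11), None, None, True),              # quarantined before the user ever saw it
    Event("E4", _t(12), _t(12, 2), _t(12, 12), False),  # benign, reported anyway (false positive)
    Event("E5", _t(13), _t(13, 1), _t(13, 3), True),    # seen, reported in 2 min, real threat
    Event("E6", _t(14), _t(14, 10), _t(13, 50), True),  # report timestamp precedes seen: bad clock or bad join
    Event("E7", _t(15), _t(15, 5), _t(15, 20), None),   # reported but analyst verdict never logged
    Event("E8", _t(16), _t(16, 4), None, False),        # benign, correctly left alone
]


def quality_issues(e):
    """Check 3: reasons a record cannot be trusted. Empty list = usable."""
    issues = []
    if e.seen_at is not None and e.delivered_at is None:
        issues.append("seen without delivery timestamp")
    if e.reported_at is not None:
        anchor = e.seen_at or e.delivered_at
        if anchor is not None and e.reported_at < anchor:
            issues.append("report timestamp precedes visibility")
        if e.verified_malicious is None:
            issues.append("verification verdict not logged")
    return issues


def _ratio(num, den):
    return round(num / den, 3) if den else None


def behavior_metrics(events):
    clean = [e for e in events if not quality_issues(e)]
    # Check 1: opportunities are only events the user could reasonably see
    opportunities = [e for e in clean if e.seen_at is not None]
    reported = [e for e in opportunities if e.reported_at is not None]
    threats = [e for e in opportunities if e.verified_malicious]  # None counts as not-a-threat
    caught = [e for e in threats if e.reported_at is not None]
    # Time-to-report is measured from when the user saw the message (a design choice here)
    minutes = [(e.reported_at - e.seen_at).total_seconds() / 60 for e in reported]
    true_positives = sum(1 for e in reported if e.verified_malicious)
    return {
        # data quality and scope, so the denominators can be audited
        "excluded_bad_data": len(events) - len(clean),
        "not_visible": len(clean) - len(opportunities),
        "opportunities": len(opportunities),
        # Check 2: the triangulated trio
        "reporting_rate": _ratio(len(reported), len(opportunities)),
        "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
        "report_true_positive_rate": _ratio(true_positives, len(reported)),
        # Section C golden-decision outcomes
        "false_positives": len(reported) - true_positives,
        "false_negatives": len(threats) - len(caught),
        # Wrap-up consistency metric: execution rate across real opportunities
        "execution_rate_on_threats": _ratio(len(caught), len(threats)),
    }


if __name__ == "__main__":
    for e in EVENTS:
        if quality_issues(e):
            print(e.event_id, "excluded:", "; ".join(quality_issues(e)))
    for k, v in behavior_metrics(EVENTS).items():
        print(f"{k:28} {v}")
```

Two details do the anti-theater work. E3 never reaches the denominator, so the reporting rate cannot be inflated by messages the filter caught; and E6 and E7 are surfaced as an excluded count instead of being dropped quietly, which is the "so what do we change next week?" answer for check 4: fix the clock skew or the missing verdict logging before trusting the trend.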

Wrap up:

  • Cue: What triggers it? (Example: unexpected login alert)
  • Routine: What exactly do you do? (One-click report + short note)
  • Reward: What closes the loop? (Confirmation + visible impact: "Thanks--blocked for org")
  • Two metrics:
    1 leading indicator (time-to-report)
    1 consistency metric (execution rate across opportunities)

References

Chaudhary, S., & Gkioulos, V. (2022). Metrics for the evaluation of a cybersecurity awareness program. Journal of Cybersecurity, 8(1), tyac006. https://doi.org/10.1093/cybsec/tyac006

Engeler, N., & Gilbert, S. J. (2020). The effect of metacognitive training on confidence and strategic reminder setting. PLOS ONE, 15(10), e0240755. https://doi.org/10.1371/journal.pone.0240755

Gardner, B., Lally, P., & Wardle, J. (2012). Making health habitual. British Journal of General Practice, 62(605), 664-666. https://doi.org/10.3399/bjgp12X659466

Gertner, A., Zaromb, F., Schneider, R., Roberts, R. D., & Matthews, G. (2016). The assessment of biases in cognition: Development and evaluation of an assessment instrument for the measurement of cognitive bias (MITRE Technical Report MTR160163). The MITRE Corporation. https://www.mitre.org/sites/default/files/publications/pr-16-0956-the-assessment-of-biases-in-cognition.pdf

Jacobs, J., Haney, J., & Furman, S. M. (2022, August). Measuring the effectiveness of U.S. government security awareness programs: A mixed-methods study (Short paper). In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), 8th Workshop on Security Information Workers (WSIW 2022), Boston, MA, United States. National Institute of Standards and Technology. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934952

Keepnet Labs. (2025, February 14). What is phishing dwell time and quickest response time for security awareness training? https://keepnetlabs.com/blog/what-is-phishing-dwell-time-and-quickest-response-time-for-security-awareness-training

MoniqqueK. (2024, October 14). The Habit Loop Model [Image]. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:The_Habit_Loop_Model.png

Schroeder, K., Trinh, H., & Pillitteri, V. Y. (2024). Measurement guide for information security: Volume 1--Identifying and selecting measures (NIST Special Publication 800-55v1). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-55v1

Tenable. (2026, January 27). What is MTTR and how to improve it? https://www.tenable.com/cybersecurity-guide/learn/mean-time-to-remediate-mttr

University College London. (2009, August). How long does it take to form a habit? https://www.ucl.ac.uk/news/2009/aug/how-long-does-it-take-form-habit
