In the world of business, where numbers often guide decisions, there's a fascinating principle called Goodhart's Law. Coined by British economist Charles Goodhart, this law states:
"When a measure becomes a target, it ceases to be a good measure."
Imagine that you've set yourself a goal to expand your knowledge on a subject, so you want to read more books. You focus on the actual number of books you read — rather than the amount of knowledge you've gained by reading.
In this case, the number of books becomes a target, one that may not accurately reflect your progress toward your learning goal. As a result, you may become more focused on reaching the target rather than truly understanding the material.
Similarly, obsessing over specific numbers in business might lead us away from our true goals, which may be goals like enhancing quality or fostering innovation. (It’s like asking if a person is working towards an output or an outcome.)
Image: an illustration of Goodhart’s Law, contrasting workers who meet quotas with workers who contribute value.
Indeed, Goodhart’s Law can appear anywhere. It shows up in governments’ rollout of public health policy, as during the Covid-19 pandemic. It shows up in academia, where scholars are routinely told to “publish not perish”, as if publishing academic papers itself were the goal instead of actually learning something new from strong research.
This principle rings especially true in business systems and security, emphasizing the importance of balancing metrics against genuine progress. (We’ll look at both areas shortly.)
Goodhart's Law has become especially relevant today when data and metrics are the backbone of decision-making. With increased access to technology and analytical tools, businesses are constantly collecting and analyzing vast amounts of data to inform their strategies.
However, as Goodhart's Law suggests, using these numbers as targets without considering their context can be misleading (and sometimes dangerous).
Whether in public policy or the wider corporate world, businesses and organizations rely on metrics for decision-making. Collecting and analyzing data helps leaders understand trends, opportunities, and threats.
But sometimes — when a measure becomes a target — it stops being a good measure. This is precisely when Goodhart's Law enters the conversation. In business systems, the effect of Goodhart’s Law can have a significant impact on:
For example, if a company sets sales numbers as the primary measure of success, employees may forget their focus on quality and customer satisfaction, resorting instead to quick wins and unethical tactics to meet those sales targets.
The effects of this are nearly infinite: these tactics could lead to long-term negative consequences for the organization’s reputation and profitability. Furthermore, when companies focus solely on quantitative metrics, they may overlook other critical aspects of their operations that contribute to overall success.
The essence of Goodhart’s Law in business systems is a reminder that while metrics can guide us, they should not blind us to the broader picture of organizational health and growth.
In the world of cybersecurity, Goodhart’s Law appears through an overemphasis on certain metrics — such as the number of daily security alerts resolved. This shifts your team’s focus: they now focus on lowering the alert numbers and not on the larger goal of understanding underlying security threats.
This is similar to a doctor treating symptoms without diagnosing the disease first. A balanced approach should include both:
This ensures that security measures improve the organization's security posture, not just the perception of it.
The challenge, then, becomes how businesses can effectively balance the use of metrics with the pursuit of holistic goals.
One approach is to develop a more comprehensive view of performance that includes both quantitative and qualitative measures. This means not only tracking the numbers that point toward success but also understanding the stories behind these numbers. For instance, sales figures may not always accurately capture customer satisfaction. This requires a deeper analysis of areas like:
Customer feedback
Product quality
Service efficiency
Additionally, it’s important to foster a culture that values ethical behavior and long-term outcomes over short-term gains.
Encourage teams to look beyond the numbers and to consider the impact of their actions on all stakeholders. This leads to more sustainable, meaningful success. (Plus, it aligns with the true principle of indicators: that these should serve as tools for reflection and improvement rather than ends in themselves.)
By integrating these strategies, organizations can mitigate the risks associated with Goodhart's Law. You will be able to create a balanced and nuanced decision-making approach that aligns with your immediate objectives and your long-term vision.
This not only ensures a healthier organizational culture — it also contributes to more robust and resilient business systems in the face of non-stop change.
Setting up a balanced approach to performance and security measurement requires a nuanced understanding of:
The overarching goals
The context in which an organization operates
Adopting a multi-dimensional measurement framework can be the key. This involves setting up performance indicators that can tell you about your immediate results as well as your progress on long-term objectives, including sustainability, ethical practices, and customer satisfaction.
Such a framework encourages looking beyond mere numbers to understand the quality and impact of those numbers.
In terms of security, it is essential to cultivate a culture where security is not just about reacting to threats but preemptively understanding and mitigating them. This can translate to a variety of actions and activities:
Investing in continuous education about cybersecurity trends.
Encouraging open dialogue about security issues.
Integrating security considerations into all aspects of business operations.
Ultimately, the goal is to ensure that metrics and measures are used as tools for meaningful improvement, steering clear of the pitfalls Goodhart's Law warns about. Organizations can foster a more sustainable, secure, and successful future by striving for a comprehensive view that values both quantitative data and qualitative insights.
Goodhart's Law is a reminder of the dangers of placing too much trust in metrics. Instead, businesses need to strike a balance between the precision of quantitative data and the richness of qualitative insights.
What would happen if you set sail across the ocean with only a compass to guide you? Sure, it will point you in the right direction, but it's the skill of reading the sea and the sky that truly guides you to your destination.
Similarly, in business, while metrics can point towards our goals, it's the understanding of the broader market context, customer needs, and internal capabilities that ensures we reach them effectively.
In order to foster a culture that doesn’t fall into the trap of Goodhart's Law, businesses need to focus on critical thinking and flexibility in their strategy and security planning. Instead of merely setting goals, businesses should also:
Regularly evaluate the significance of these goals.
Welcome input from all levels.
Be open to making changes when necessary.
It's about building a space where employees feel empowered to think beyond the figures and play a part in the company's strategic objectives with a spirit of ownership and creativity.
As we continue to navigate the complex landscape of business systems and security, Goodhart's Law is there to remind us of the pitfalls of misplaced focus on metrics. By embracing a balanced approach to measurement, businesses can ensure that their pursuit of numbers enriches rather than detracts from their core objectives.
Let's foster a culture where metrics are a tool for insight and improvement, not an end in themselves. In doing so, we pave the way for a future where businesses thrive on genuine progress and resilience.
This posting does not necessarily represent Splunk's position, strategies or opinion.