0. Security Scope Note

This entry is conceptual and systems-oriented.

It does not treat all security metrics, dashboards, scores, compliance measurements, vulnerability counts, risk ratings, maturity models, incident statistics, key performance indicators, benchmarks, or audit grades as inherently failed.

Security needs measurement.

Security metrics may be valid when they are:

• threat-coupled
• outcome-tested
• auditable
• bounded
• contextual
• adversarially reviewed
• resistant to gaming
• paired with qualitative evidence
• linked to exposure reduction
• linked to boundary integrity
• checked against affected-state burden
• prevented from total authority
• corrected when behavior changes
• interpreted as indicators, not security itself
• subordinate to real protective function

The failure begins when the metric becomes the target.

A valid security metric helps reveal security state.

A failed security metric begins controlling what security is allowed to mean.

Metric Capture / Reward-Hacked Security occurs when security systems optimize their scores, dashboards, ratings, or compliance evidence while real protection stagnates, degrades, or becomes harder to see.

The problem is not measurement.

The problem is security being optimized for measured posture instead of real exposure reduction.

1. Definition

Metric Capture / Reward-Hacked Security occurs when security metrics, compliance scores, risk ratings, maturity models, incident counts, detection statistics, vulnerability dashboards, audit grades, or safety benchmarks become optimized as targets, causing the security system to improve measured posture while real exposure, boundary integrity, threat response, auditability, or affected-state protection degrades.

The captured metric may include:

• compliance score
• audit grade
• risk score
• maturity rating
• vulnerability count
• patch completion rate
• mean time to detect
• mean time to respond
• incident count
• alert closure rate
• training completion rate
• phishing-test score
• endpoint coverage percentage
• log ingestion volume
• control coverage score
• policy acknowledgment rate
• vendor risk rating
• penetration test finding count
• red-team severity count
• security benchmark score
• model safety score
• abuse report closure rate
• moderation accuracy metric
• privacy compliance metric
• AI guardrail pass rate

The capture may occur through:

• metric gaming
• risk reclassification
• severity downgrading
• alert closure without resolution
• ticket splitting or merging
• benchmark overfitting
• compliance checklist optimization
• suppressing reports
• reducing detection sensitivity
• hiding unmeasured exposure
• scoring only easy controls
• narrowing audit scope
• redefining incidents
• optimizing false positives at cost of false negatives
• prioritizing dashboard color over threat reduction
• rewarding speed over accuracy
• rewarding low incident count over truthful reporting
• punishing teams for finding problems
• treating accepted risk as solved risk

The core failure is:

security metric is installed
→ metric is tied to reward, authority, audit, or optics
→ behavior adapts to improve the metric
→ measurement shapes reporting and action
→ metric improves
→ real exposure remains or grows
→ hidden security debt accumulates

Metric Capture / Reward-Hacked Security is not merely imperfect measurement.

It is security being reorganized around the reward structure of the metric.

2. Core Pattern

The core pattern is:

1. A security metric is chosen to make risk visible.
2. The metric becomes tied to evaluation, funding, authority, compliance, reputation, or survival.
3. Teams learn what improves the metric.
4. Security work shifts toward metric improvement.
5. Unmeasured risks receive less attention.
6. Reporting adapts to maintain favorable posture.
7. Adversarial or inconvenient evidence is softened, scoped down, or delayed.
8. Dashboards improve.
9. Real exposure does not improve proportionally.
10. Boundary integrity, detection quality, or remediation reality diverges from the metric.
11. The metric gains authority because it shows progress.
12. Security coherence declines beneath measured success.

A healthy system says:

metrics are instruments and must be audited against actual exposure

A metric-captured system says:

the score improved, therefore security improved

Metric Capture often appears disciplined.

The team becomes data-driven.

Reports become clean.

Scores rise.

Compliance improves.

Tickets close.

Risk charts trend downward.

But the system may be learning how to look secure rather than how to become secure.

3. Failure Signature

Typical signature:

metric authority↑
security score↑
metric optimization↑
threat-metric coupling↓
reporting distortion↑
exposure reduction uncertain
boundary integrity uncertain
unmeasured risk↑
hidden security debt↑
O↓

Extended signature:

score improves,
risk persists

tickets close,
exposure remains

alerts drop,
detection weakens

audit passes,
boundaries leak

findings shrink,
truth narrows

dashboard greens,
security hollows

Common verbal signatures include:

the score is improving
we reduced critical findings
we closed the tickets
we passed the benchmark
our incident count is down
training completion is at 100%
the dashboard is green
we met the SLA
risk has been accepted
the metric shows maturity
we improved coverage
we are compliant

Common system signatures include:

a vulnerability program downgrades severity to reduce critical counts
a security team closes alerts quickly while root causes remain unresolved
a compliance program improves scores while boundary integrity remains weak
a phishing program optimizes test success without improving real behavior
an AI safety benchmark is optimized while real-world misuse or redress failures persist
a platform lowers abuse statistics by narrowing report categories
a risk register marks risk accepted so dashboards improve without mitigation
a detection team reduces noise by suppressing signals that contained rare critical alerts

The defining condition is not that metrics are used.

The defining condition is that metric improvement becomes separable from real security improvement.

4. Primary U-Layer Origin

Common origin layers:

• U1 — Power / Budgets: funding, status, audit success, vendor approval, leadership confidence, or liability protection depends on metric performance.
• U2 — Configuration / Boundaries: metric boundaries omit important security domains or affected states.
• U3 — Execution / Runtime: security operations prioritize metric movement over protective work.
• U4 — Information / Truth: scores, dashboards, and ratings replace threat-bearing reality.
• U5 — Coordination / Time: short-term reporting cycles overpower long-term remediation.
• U6 — Coherence Field: security meaning becomes tied to visible posture and scores.
• U7 — Memory / Recurrence: historical metric improvement becomes proof of security maturity.
• U8 — Environment / Field: regulators, buyers, insurers, executives, or markets reward metric posture over tested protection.

Common manifestation layers:

• U1 — Resources: resources flow toward metric-visible work.
• U3 — Execution: teams optimize the score.
• U4 — Truth: dashboards become security reality.
• U5 — Time: remediation is deferred behind reporting targets.
• U6 — Field: trust becomes score-dependent.
• U7 — Memory: metric history hides unresolved debt.

Metric Capture / Reward-Hacked Security is primarily a G / Γ / Ψ / Au failure.

Reward pressure and selection reshape the observation layer until the system sees security through the metric.

5. Typical Development Sequence

A common development sequence is:

1. Security leadership, compliance, auditors, or customers demand measurable posture.
2. Metrics are selected.
3. Metrics become targets.
4. Targets are tied to accountability, budget, vendor approval, or reputation.
5. Security teams adapt behavior to improve the targets.
6. Reports become cleaner.
7. Unmeasured risks are deprioritized.
8. Findings are reclassified, scoped down, or closed.
9. Real exposure becomes harder to see.
10. The score improves.
11. The improved score justifies more reliance on the metric.
12. Security theater increases.
13. Hidden security debt accumulates.
14. A real event exposes the gap between posture and protection.

The loop often looks like:

metric → target → reward pressure → behavior adaptation → score improvement → metric authority

Another common loop is:

finding worsens score → finding reframed → score protected → exposure remains

Metric Capture becomes durable when discovering or reporting real security problems becomes punished by the metric system.

6. Diagnostic Markers

Diagnostic markers include:

• Security scores improve while incidents, near misses, or affected burden persist.
• Teams are rewarded for fewer findings rather than better discovery.
• Severity classification changes after reporting pressure.
• Closed tickets reopen or recur.
• Risk acceptance increases near reporting deadlines.
• Metrics focus on count, age, or closure rather than root remediation.
• Detection rates improve while false negatives are not measured.
• Audit scope excludes hard-to-measure systems.
• Dashboards cannot show unknown risk.
• Security work is selected based on score impact.
• Teams avoid finding issues because findings hurt posture.
• Compliance evidence is easier to produce than security effect.
• Metrics cannot explain actual exposure.
• Red-team findings contradict official maturity scores.
• Security language becomes metric language.

Useful diagnostics:

• Security Metric Integrity: Tests whether metrics still represent protective function.
• Metric-Reality Divergence: Measures gap between score and actual security state.
• Threat-Metric Coupling: Tests whether metrics map to live threat models.
• Goodhart Risk: Measures likelihood of proxy becoming target.
• Measurement Back-Action: Detects whether measurement alters behavior in harmful ways.
• Exposure Reduction: Measures actual reduction in exploitable risk.
• Detection Signal Quality: Tests whether metrics preserve critical signal.
• Reporting Distortion: Detects score-shaped evidence and language.
• Compliance Substitution Pressure: Measures replacement of protection by compliance artifacts.
• Hidden Security Debt: Tracks unresolved risk beneath metric success.

7. Related Gates

Relevant gates include:

• Security Metric Integrity Gate: Fails when metrics no longer represent real protection.
• Threat-Metric Coupling Gate: Fails when metrics detach from threat reality.
• Goodhart Risk Gate: Fails when metric optimization replaces security.
• Measurement Back-Action Gate: Fails when measurement distorts security behavior.
• Exposure Reduction Gate: Fails when score improvement does not reduce real exposure.
• Detection Signal Gate: Fails when metrics degrade signal quality or hide false negatives.
• Reporting Integrity Gate: Fails when reports bend around targets.
• Compliance Substitution Gate: Fails when compliance scores replace protection.
• Boundary Integrity Gate: Fails when measured controls do not preserve boundaries.
• Auditability Gate: Fails when metric claims cannot be inspected against evidence.

The first common gate failure is usually the Goodhart Risk Gate.

Once the metric becomes the target, the security system starts optimizing the representation rather than the protected reality.

8. Related Operators

Relevant operators include:

• G — Gain: Primary operator; rewards metric performance.
• Γ — Selection: Selects actions, reports, and findings that improve the score.
• Ψ — Observation / Interface: Displays security through dashboards, ratings, and metrics.
• Au — Auditability: Determines whether metric claims can be checked against real evidence.
• O — Coherence: Declines when measured posture diverges from security reality.
• BΣ — Boundary Integrity: Determines whether real boundaries hold despite metric claims.
• H — Hidden Debt: Accumulates as unmeasured vulnerabilities, exposure, and affected-state burden.
• K — Constraint / Load: Rises when teams must satisfy metric targets despite complex risk.
• M — Meaning: Security meaning narrows around scores and KPIs.
• Φ — Flow / Resource Movement: Routes resources toward score-visible work.
• R — Restoration Capacity: Needed to remediate real exposure and hidden debt.
• D — Damping: Slows runaway optimization and preserves context.
• Τ — Trajectory / Time: Tracks metric drift and delayed exposure.
• Λ — Compatibility: Tests whether metrics fit the domain they govern.

Common operator pattern:

G rewards metric improvement
Γ selects score-friendly work
Ψ displays improved posture
Au fails to test exposure
BΣ remains weak
H accumulates
M narrows
O declines

The core operator inversion is:

security score improved → security improved

instead of:

metric improvement + threat coupling + exposure reduction + boundary integrity + auditability → possible security improvement

Metric Capture / Reward-Hacked Security turns security measurement into a substitute object of protection.

9. Related Laws and Invariants

Related Laws

• Security Metrics Must Remain Threat-Coupled: metrics must map to real threat paths.
• Metrics Must Not Replace Exposure Reduction: score improvement cannot substitute for protection.
• Security Scores Must Not Become Security: security is not the dashboard.
• Risk Ratings Must Remain Reality-Bound: ratings must be corrected by observed exposure.
• Measurement Must Not Rewrite Security Behavior: measurement must not select against detection, disclosure, or repair.
• Detection Metrics Must Preserve Signal Quality: lower alert count is not protection if critical signals vanish.
• Compliance Scores Must Remain Subordinate to Protection: compliance can support security but cannot replace it.
• Reward Structures Must Not Select Against Security: incentives must not punish truth discovery.
• Goodhart Collapse: proxies fail when optimized as targets.
• Measurement Back-Action: measurement can alter the measured system.
• Success Proxy Substitution: indicators can replace success.
• Security Theater: visible posture can replace protective function.

Related Invariants

• Security Metrics Must Be Audited Against Real Exposure: measured posture must be checked against risk.
• Measured Improvement Must Map to Protective Improvement: score gains require effect validation.
• Metric Optimization Must Preserve Boundary Integrity: optimization must not weaken boundaries.
• Risk Scores Must Remain Correctable: ratings must change when reality contradicts them.
• Detection Metrics Must Preserve Critical Signal: metrics must not hide rare high-impact signals.
• Compliance Evidence Must Not Become Final Security State: artifacts are not security.
• Metric Incentives Must Not Suppress Reporting: findings must not be punished.
• Security Outcomes Must Remain Affected-State-Aware: metrics must not hide user or affected-node burden.

10. Common False Positives

Not every security metric program is Metric Capture / Reward-Hacked Security.

Common false positives include:

• Metrics used as indicators with qualitative review.
• Dashboards tied to live threat modeling.
• Scores that trigger investigation rather than closure.
• Compliance measures validated against real controls.
• Vulnerability metrics paired with exploitability and asset criticality.
• Detection metrics that track false negatives and signal quality.
• Incident metrics that reward accurate reporting.
• Maturity models tested through adversarial exercise.
• Benchmarks used as one input among field evidence.
• Risk ratings updated by new exposure evidence.
• Metrics that penalize suppressed reporting.
• Security incentives that reward discovery and remediation.

Clarifying rule:

This is not Metric Capture / Reward-Hacked Security unless security measurement becomes optimized as a target while real exposure, boundary integrity, detection quality, auditability, or affected-state protection diverges.

Metrics can guide security.

They fail when the score becomes the protected asset.

11. Common False Repairs

Common false repairs include:

• adding more metrics
• creating composite scores without restoring threat coupling
• changing dashboard colors
• redefining risk categories
• adding compliance evidence fields
• punishing obvious metric gaming
• hiding the metric from teams while still rewarding it
• adding qualitative review with no authority
• increasing reporting frequency
• adding benchmark suites that are also optimized
• measuring accepted risk as resolved risk
• adding detection volume without signal review
• treating bad metrics as communication problems
• creating maturity labels that preserve score authority
• replacing one Goodharted metric with another

False repair often produces the loop:

metric capture exposed
→ new metric added
→ reward pressure shifts
→ new metric is optimized
→ capture returns

Another common loop is:

score-reality gap appears
→ score formula adjusted
→ dashboard improves
→ exposure remains

The repair fails because it preserves metric authority while changing metric appearance.

12. Restoration Direction

Restoration requires auditing security metrics against real exposure, reducing reward pressure around proxy targets, restoring threat coupling, validating protective effect, preserving reporting integrity, and redesigning incentives so discovery and remediation are rewarded over posture.

Primary restoration direction:

make security metrics serve protection again

A fuller restoration path includes:

1. Identify captured metrics. Name the score, KPI, dashboard, rating, benchmark, or compliance target.
2. Trace metric incentives. Determine what behavior the metric rewards or punishes.
3. Map real threat paths. Compare the metric against current adversarial and operational risk.
4. Measure metric-reality divergence. Test whether scores match exposure, incidents, and affected burden.
5. Audit measurement back-action. Identify how the metric changed behavior and reporting.
6. Detect Goodhart patterns. Look for gaming, reclassification, suppression, and target overfitting.
7. Restore reporting integrity. Reward truthful discovery, severity accuracy, and evidence quality.
8. Rebind metrics to exposure reduction. Require metrics to demonstrate protective effect.
9. Add qualitative and adversarial review. Use red teams, incident evidence, user reports, and expert judgment.
10. Reduce proxy authority. Prevent metrics from becoming final security state.
11. Redesign incentives. Reward remediation, boundary integrity, and learning over score preservation.
12. Measure false negatives. Track what the metric misses.
13. Audit accepted risk. Ensure accepted risks are owned, time-bounded, and monitored.
14. Pay down hidden security debt. Remediate risks hidden beneath metric success.
15. Revalidate periodically. Test whether metrics remain threat-coupled as conditions change.

A valid restoration path should reduce:

metric-reality divergence
goodhart risk
measurement back-action
reporting distortion
compliance substitution pressure
hidden security debt
unmeasured exposure
O loss

Metric Capture / Reward-Hacked Security is not repaired by finding a perfect score.

It is repaired by making every score answerable to real protection.

13. Cross-Module Links

• Security: Primary family; security metrics fail when they become the object of optimization rather than instruments of protection.
• Cybernetics: Goodhart Collapse and Measurement Back-Action are direct parent dynamics.
• Core: Strongly linked to Success Proxy Substitution and U4 Truth Substitution.
• Reduction / Extraction / Inversion: Incentive Backpropagation explains how rewards reshape reporting and behavior.
• Scaling: Feedback Gaming and Meaning Collapse often emerge when security metrics scale across organizations.
• AI Governance: Safety benchmarks, guardrail pass rates, model evaluations, and incident statistics can become optimized targets.
• Compliance: Compliance scores can replace exposure reduction.
• Risk: Risk ratings can become managed artifacts rather than reality-bound estimates.
• Platforms: Abuse, moderation, safety, and trust metrics can be gamed or scoped to preserve platform posture.
• Institutions: Institutions can reward low visible risk over truthful discovery.
• Coherence: Coherence requires security measures to remain tied to actual protective effect.

14. Relationship to Parent / Child Modes

Production treatment: Domain Expression of Goodhart Collapse

This mode maps upward to:

• FM-C-018 — Goodhart Collapse
• FM-C-020 — Measurement Back-Action Loop
• FM-CORE-003 — Success Proxy Substitution
• FM-SEC-001 — Security Theater / Φ Substitution
• FM-REI-004 — Incentive Backpropagation

Sibling or related Security modes include:

• FM-SEC-001 — Security Theater / Φ Substitution
• FM-SEC-002 — Audit Suppression Inversion
• FM-SEC-003 — Rule-Stacking Wall
• FM-SEC-005 — Interface Capture
• FM-SEC-007 — Silent Extraction / Parasitic Coupling
• FM-SEC-009 — Over-Surveillance Inversion
• FM-SEC-010 — Emergency Normalization
• FM-SEC-013 — Compression Collapse / Decision Depth Collapse
• FM-SEC-015 — LOS Blindness
• FM-SEC-025 — CCS Suspension Fallacy

Related cross-family modes include:

• FM-CORE-003 — Success Proxy Substitution
• FM-CORE-006 — U4 Truth Substitution
• FM-C-018 — Goodhart Collapse
• FM-C-019 — Adversarial Reward Hacking
• FM-C-020 — Measurement Back-Action Loop
• FM-S-007 — Feedback Gaming
• FM-S-012 — Meaning Collapse
• FM-REI-004 — Incentive Backpropagation
• FM-REI-005 — Functional Inversion
• FM-AIX-012 — Guardrail Meaning Compression
• FM-ECOX-016 — Risk Model Theater
• FM-JC-M-001 — Goodhart Justice

Aliases preserved from source material:

• Metric Capture
• Reward-Hacked Security
• Metric Capture / Reward-Hacked Security
• Goodharted Security
• Security Metric Capture
• Security Score Gaming
• Risk Score Capture
• Compliance Metric Capture
• Dashboard Security Capture
• Security KPI Substitution

15. Minimal Entry Version

Definition: Metric Capture / Reward-Hacked Security occurs when security metrics, compliance scores, risk ratings, maturity models, incident counts, detection statistics, vulnerability dashboards, audit grades, or safety benchmarks become optimized as targets, causing the security system to improve measured posture while real exposure, boundary integrity, threat response, auditability, or affected-state protection degrades.

Signature:

metric authority↑
security score↑
metric optimization↑
threat-metric coupling↓
reporting distortion↑
exposure reduction uncertain
boundary integrity uncertain
unmeasured risk↑
hidden security debt↑
O↓

Restoration direction:

• identify captured metrics
• trace metric incentives
• map real threat paths
• measure metric-reality divergence
• audit measurement back-action
• detect Goodhart patterns
• restore reporting integrity
• rebind metrics to exposure reduction
• add qualitative and adversarial review
• reduce proxy authority
• redesign incentives
• measure false negatives
• audit accepted risk
• pay down hidden security debt
• revalidate periodically

16. Machine-Readable Summary

failure_mode:
  id: "FM-SEC-006"
  name: "Metric Capture / Reward-Hacked Security"
  family: "Security"
  production_treatment: "Domain Expression of Goodhart Collapse"
  parent_modes:
    - "FM-C-018 — Goodhart Collapse"
    - "FM-C-020 — Measurement Back-Action Loop"
    - "FM-CORE-003 — Success Proxy Substitution"
    - "FM-SEC-001 — Security Theater / Φ Substitution"
    - "FM-REI-004 — Incentive Backpropagation"
  primary_failure: "Security metrics, compliance scores, risk ratings, maturity models, incident counts, detection statistics, vulnerability dashboards, audit grades, or safety benchmarks become optimized as targets, causing the security system to improve measured posture while real exposure, boundary integrity, threat response, auditability, or affected-state protection degrades."
  source: "UTS — Failure Modes Registry"
  source_id: "FM-SEC-006"
  scope_note: "Conceptual and systems-oriented; does not treat all security metrics, dashboards, scores, compliance measurements, vulnerability counts, risk ratings, maturity models, incident statistics, key performance indicators, benchmarks, or audit grades as inherently failed."
  aliases:
    - "Metric Capture"
    - "Reward-Hacked Security"
    - "Metric Capture / Reward-Hacked Security"
    - "Goodharted Security"
    - "Security Metric Capture"
    - "Security Score Gaming"
    - "Risk Score Capture"
    - "Compliance Metric Capture"
    - "Dashboard Security Capture"
    - "Security KPI Substitution"
  signature:
    - "metric authority↑"
    - "security score↑"
    - "metric optimization↑"
    - "threat-metric coupling↓"
    - "reporting distortion↑"
    - "exposure reduction uncertain"
    - "boundary integrity uncertain"
    - "unmeasured risk↑"
    - "hidden security debt↑"
    - "O↓"
  primary_layers:
    origin:
      - "U1 — Power / Budgets"
      - "U2 — Configuration / Boundaries"
      - "U3 — Execution / Runtime"
      - "U4 — Information / Truth"
      - "U5 — Coordination / Time"
      - "U6 — Coherence Field"
      - "U7 — Memory / Recurrence"
      - "U8 — Environment / Field"
    manifestation:
      - "U1 — Resources"
      - "U3 — Execution"
      - "U4 — Truth"
      - "U5 — Time"
      - "U6 — Field"
      - "U7 — Memory"
  state_variables:
    - "G"
    - "Γ"
    - "Ψ"
    - "Au"
    - "O"
    - "BΣ"
    - "H"
    - "K"
    - "M"
    - "Φ"
    - "R"
    - "D"
    - "Τ"
    - "Λ"
  first_gate_failure: "Goodhart Risk Gate"
  restoration:
    - "Security Metric Integrity Audit"
    - "Threat-Metric Rebinding"
    - "Goodhart Risk Reduction"
    - "Measurement Back-Action Review"
    - "Exposure Reduction Validation"
    - "Detection Signal Repair"
    - "Reporting Integrity Restoration"
    - "Compliance-to-Protection Rebinding"
    - "Security Incentive Redesign"
    - "Hidden Security Debt Paydown"