I was on a call with a DevOps lead last month. They'd spent three weeks hardening a Kubernetes cluster, only to find their friction score for the fix was off by 40%. The control looked cheap on paper—a config change, maybe 2 hours. But the reality? Six teams had to sign off, three legacy systems had no API, and the change window was two weeks out. Their baseline had drifted, and they didn't notice.
That's the problem with mitigation friction scoring. You calibrate once, you think you're good, then six months later the numbers are lying to you. I've seen two traps repeat across orgs. Here they're, plain.
Where This Drift Shows Up in Real Work
Incident response post-mortems
Picture this: a Tuesday afternoon, PagerDuty lights up like a Christmas tree. Your SRE team assembles, the incident commander calls root cause within forty minutes, and the fix ships overnight. That feels like a win. But three weeks later, during the post-mortem, someone mutters the killer phrase: ‘We knew this would happen.’ The ticket backlog shows the detection rule was logged twelve weeks prior—scored as a 6 on your mitigation friction scale. High friction, sure. Low priority, apparently. The baseline drifted because you calibrated that 6 against a different team’s tolerance, a different toolchain, a different quarter’s fatigue. The friction you scored in January is not the friction your team actually feels in April—and that delta costs you a real outage.
I have seen this pattern gut a security team’s velocity. The friction score for deploying a WAF rule stayed at 4 for six months. The team kept deferring it, citing ‘acceptable friction.’ Then a config merge broke prod during a low-severity event—because nobody had recalibrated that baseline after the platform team swapped CI pipelines. The score should have been a 7. Instead, it sat there, quiet, misleading everyone.
‘Drift doesn't announce itself. It just makes your prioritization feel increasingly wrong until something burns.’
— Staff SRE, fintech company
Quarterly risk reviews
Risk review decks are where baseline drift metastasizes quietly. You pull the mitigation friction scores from three months ago, slap them into a spreadsheet, and call it ‘current state.’ The catch is that your team has since automated half the friction-heavy steps—token rotation now takes ten seconds instead of two hours. Yet the score still reads 7. So the risk review flags token rotation as a ‘high-friction’ blocker, and the board pushes back on the next sprint. You waste two weeks debating a problem that no longer exists. Wrong order. The drift here is backward: scores stay high when friction drops, starving fast wins of attention. Most teams skip this check entirely. They update severity, they update likelihood—but friction? That number gathers dust.
I once watched a quarterly review stall for forty-five minutes over a single row in the risk register. The friction score said 8, the actual effort was under an hour, and nobody wanted to break the glass. The fix? We started adding a small ‘actual effort this quarter’ column next to each friction score during the review itself. That column caught drift within two meetings—and killed the argument cold. Worth flagging—the gap between perceived and actual friction is where bad decisions breed.
Security tool rollout planning
Tool rollout planning is a drift magnet because it involves multiple teams, each with a different friction baseline. The compliance team scores a new runtime agent deployment as a 3—‘easy, we’ve done it before.’ The app team scores it as a 9—‘that agent crashes our container startup.’ Both are correct, relative to their own context. But when you average those scores into a single mitigation friction value, poof—the real blocker disappears. The rollout gets approved, the agent lands, and the app team spends a week rolling it back. That hurts. The drift isn’t malicious; it's a measurement artifact. Your scoring exercise collapsed two incompatible realities into one number that represents nobody’s experience.
A concrete fix I have seen work: score friction twice—once from the enforcer’s perspective, once from the impacted team’s perspective. Then don’t average them; flag any gap wider than 2 points as a calibration risk. That rule alone stopped three bad rollouts in a single quarter at one shop I advised. The trade-off is more rows in the spreadsheet—but less pain in the on-call rotation. Most teams skip this. They treat friction like a single truth, and drift punishes them for it.
Trap #1: Confusing Friction with Complexity
Political friction vs technical complexity
Last month a platform team at a mid-size SaaS shop showed me their Mitigation Friction scores. A firewall rule change—open one port to a legacy database—had scored 8 out of 10. When I asked why, the lead shrugged: “Took three months to ship.” That's the trap. The political friction was brutal: two security reviews, a director-level sign-off, and a calendar conflict that stalled the change for six weeks. But the technical complexity? Ten minutes of Terraform, a single pull request, zero dependency conflicts. The team conflated the organizational fatigue with the engineering effort, and their scoring baseline drifted by at least three points overnight.
The distinction matters because they measure different surfaces. Complexity is about the work itself—interleaving dependencies, state management, failure modes that cascade. Friction is about the human and process overhead—approval chains, knowledge silos, blame risk. A simple config change can carry high friction if five people need to bless it. Conversely, a genuinely knotty migration—rewriting a sharding layer, say—can feel frictionless if the team trusts each other and the review pipeline is fast. I have seen teams score a perfectly linear schema migration as “high friction” because the DBA team was understaffed. That's not complexity; that's a staffing mismatch wearing a friction score costume.
False equivalence in scoring
When you collapse friction and complexity into the same bucket, your scoring loses signal. The 8/10 firewall rule—that score now means “this change was hard for reasons that may not recur.” Next quarter the same team picks up a database index reorder that's technically riskier (locking, rollback complexity, read-path impact) but politically clean: the DBA approves in a day. If the baseline is still inflated from the firewall saga, the index change gets a 4 or 5. Wrong order. The thing that should scare you—the complexity—is underweighted, and the thing that was an organizational anomaly—the friction—is baked in as a permanent assumption.
Honestly — most risk posts skip this.
The catch is that false equivalence feels productive in stand-ups. “Everything is blocked, everything is hard, just score it high.” That saves five minutes of debate. But it creates a drift that compounds. When leadership reviews the friction heatmap, they see a wall of red. They allocate headcount or process reform in the wrong places—more engineers to solve what was a permission problem, or new automation tooling for what was actually a political stalemate. Worth flagging—I once watched a VP double a compliance team’s budget based on friction scores that were really about a single toxic approver. The friction disappeared when that person left. The budget didn’t.
'We scored the network change high because it hurt. That doesn't tell us what hurt—the config or the committee.'
— Staff engineer, anonymous retrospective
Example: a simple firewall rule that took 3 months
Let me walk the full anatomy. The change: allow port 5432 between two internal subnets for a data pipeline migration. The technical surface: one line in an infrastructure-as-code module, tested in staging, no state rollback risk. The friction chain: security team required a threat model document (two weeks), the change advisory board met biweekly (missed first window), the network team had a freeze for PCI audits (another three weeks), and the requesting team’s lead was on PTO during the approval window. That's zero complexity spikes and five friction potholes.
Most teams skip this: score the friction as it would be if the process were healthy, then flag the organizational delta separately. The raw friction score for the firewall rule should be a 2 or 3—the change itself is trivial. The organizational friction modifier gets a 7, and that modifier points directly at a process bottleneck: the CAB cadence, the single-threaded security reviewer. If you lump them, your baseline now assumes every simple port open costs a quarter. Next quarter you’ll score the real complexity items—like the sharding rewrite—against a broken yardstick. The seam blows out. Returns spike, but you don’t know why.
How do you catch it? Run a friction audit where you score each item twice: once for complexity, once for process friction. If the two scores diverge by more than two points, the drift source is visible. That hurts—it means double the scoring effort for a sprint. But I have seen exactly one team that untangled these buckets and then reduced their incident-revert rate by forty percent inside two releases. Not because the work got simpler. Because they stopped solving complexity with process fixes and process friction with tooling investments.
Patterns That Usually Work for Recalibration
Quarterly recalibration cadence
Most teams I have worked with set a baseline once and forget it — until something breaks. A quarterly cycle feels slow enough to filter out weekly noise but fast enough to catch drift before it compounds. The trick is anchoring each recalibration to a concrete event: the last release train, the most recent incident post-mortem, or a change in team composition. Pick a fixed month-end, mark it on everyone’s calendar, and treat it as a lightweight audit, not a heavyweight ritual. That sounds fine until the first quarter hits and nobody remembers what the numbers meant.
The catch is consistency over precision. A score of 3.8 today versus 4.1 three months ago tells you nothing if the person assigning it has changed or the context of the task shifted. So lock the definition — what does a friction score of 4 actually look like? — before you compare. I once watched a team argue for forty minutes over whether a deployment step was a 3 or a 4. They had no shared reference point. Define examples ahead of time, keep them visible, and retire them only when the process itself changes. Wrong order. That hurts later.
Cross-team drift detection interviews
Numbers on a dashboard lie. Not intentionally, but they smooth over the messy reality of how people experience friction day-to-day. A better signal: pull three people from adjacent teams — QA, product, ops — and ask one question: “What is the single step in our pipeline that makes you hesitate right now?” Don't show them the baseline. Let them describe the pain in their own words. Then map their answers back to the existing scores. The gaps are where drift hides.
Most teams skip this because it feels soft, anecdotal, unscientific. The irony is that structured interviews catch drift months before the aggregated metrics budge. A developer who grumbles about a test suite that takes “forever” may be scoring that friction at a 6 in her head while the official baseline still shows a 3. That seam blows out under pressure. But what if the interviewee is just having a bad week? That's why you run three interviews, not one, and look for patterns, not isolated complaints. Cross-team means cross-perspective — ops sees latency that devs tolerate, QA sees rework that product never tracks.
Using change logs as triggers
Every time you touch a system, the friction surface changes. You don't get to keep the old score.
— Platform engineer, mid-sized SaaS team
That quote stuck with me because it captures why periodic recalibration alone fails: drift accelerates between cycles. A dependency upgrade, a config change, a new compliance gate — each one rewrites the friction landscape. Instead of waiting for the quarterly check, hook recalibration triggers to your change log. When a deployment step gets a new approval node, flag it. When a test suite is rewritten, flag it. Then run a mini-recalibration on just that segment, not the whole index. Returns spike if you ignore the trigger — the friction baseline becomes a historical artifact, not a decision tool.
What usually breaks first is the assumption that friction is additive. A single change rarely moves the needle alone; it's the accumulation of small shifts across three or four steps that suddenly makes a pipeline feel glacial. So the trigger is not the change itself but the perception of the change. Ask the team: “Does this feel harder now than before the update?” If three people nod, recalibrate. If only one shrugs, let it settle. Overreacting to every blip is the fast track to score fatigue — and that's exactly the anti-pattern the next section covers. For now, keep the triggers lean: three categories of events (infra, process, people) and a simple rule — if it touches how work flows, touch the score.
Honestly — most risk posts skip this.
Anti-Patterns: Why Teams Revert to Old Scores
Set-and-forget mentality
Most teams treat a baseline score like a tattoo. Once it's in the spreadsheet or dashboard, it stays. I've watched engineering leads lock a Mitigation Friction score in January, then point to it in November as if nothing changed in the environment. The codebase? Heavier. The deployment pipeline? Slower. The incident response playbook? Rewritten twice. That original score becomes a ghost — technically present, meaningfully dead. The trap feels efficient: recalibration takes time, so you tell yourself the delta is small. It never is. One team I worked with held a baseline for fourteen months while their mean-time-to-mitigate doubled. The score hadn't budged. Their actual friction had metastasized.
Fear of reopening arguments
Recalibration forces hard conversations. Who decides whether a mitigation step is still worth the friction? That question alone stops most teams cold. They remember the three-hour debate that produced the original score — the product manager arguing for speed, the security lead demanding rigor, the SRE pointing at pager fatigue. Nobody wants to re-litigate that. So they don't. The baseline calcifies. What's worse, newer team members inherit a number they don't trust but can't challenge without looking naive. The result is polite silence around a stale metric. Worth flagging — this fear usually hides a deeper problem: the original calibration was fragile. If a single reopen blows the whole model apart, you didn't have a measurement; you had a truce.
We kept the old score because changing it meant admitting our process had already failed.
— Lead SRE, post-incident retrospective, 2023
Over-reliance on automation
Here is the seductive one. A team notices drift, so they write a script to re-score the baseline every month. Problem solved, right? Wrong. Automation captures what happens in the system — ticket counts, pipeline durations, approval lag. It misses the human friction that doesn't leave a log: the senior engineer who now avoids the mitigation dashboard because it's cluttered with false positives, the on-call rotation that silently pre-checks results before submitting, the unwritten rule to bypass the formal path when things get hot. That invisible friction is exactly what Mitigation Friction Scoring was designed to surface. Automating the recalibration actually reifies the blind spot. The catch is subtle: your score becomes precise but wrong. Teams trust the automated number, stop questioning it, and the drift accelerates. I have seen this pattern three times now — each ended with a manual recalibration that moved the score by more than 40%, followed by a moment of stunned silence in the room.
So what breaks the cycle? Stop treating the baseline as a permanent fixture. Schedule a recalibration before you think you need one. Make the debate part of the process, not a bug to automate away. Run a single adversarial session: have someone argue the score is too low, another that it's too high, and force the middle ground onto the table. That argument is the measurement. The number is just the receipt.
Maintenance, Drift, and Long-Term Costs of Ignoring It
Accumulating technical debt in scoring
Teams that skip recalibration for a year don't just lose precision—they build a hidden ledger of bad data that compounds monthly. I watched a platform security crew score a DDoS mitigation control at 3.8 (low friction) for eleven consecutive months. The score never changed because nobody re-ran the baseline after the architecture team migrated traffic through a new CDN. That migration added three extra approval gates and a 48-hour change window. The seam blew out during a real incident: the on-call engineer couldn't deploy the playbook because friction had silently climbed to 6.1. The old score said "fast, use this"; reality said "not today."
That gap between recorded score and actual experience is pure technical debt. Every month you ignore drift, the cost of correcting it grows non-linearly—recalibrating a single control after a year takes roughly 3x the effort of a quarterly touch because nobody remembers why the original score looked right. The worst part? The debt hides. Your dashboard shows green mitigation numbers while operators burn cycles fighting the invisible friction wall.
Trust erosion in the process
Here is where things get ugly. When engineers discover that a "low friction" control actually requires four Slack pings and a manager override, they stop trusting the entire scoring model. I have seen this firsthand: a team abandoned their friction scores entirely after finding three controls mis-scored by two full points. They reverted to tribal knowledge—"just ask Dave which controls suck today." That's not a process. That's a single point of failure wearing a human costume.
'The score said deploy in five minutes. It took ninety, and then I had to file a post-mortem for exceeding the threshold we thought we measured.'
— Staff engineer, retail infrastructure team, after ignoring drift for fourteen months
Trust erodes asymmetrically: one bad score poisons the whole dataset faster than a dozen correct ones can restore confidence. The catch is that teams rarely admit they stopped believing the numbers. They just stop using them. They fill out the quarterly scorecard because compliance demands it, but the real decisions—which controls to automate, which to accept risk on—get made by gut feel. That hurts. You lose the very thing the scoring model was supposed to give you: a shared language for trade-offs.
Opportunity cost of misprioritized controls
Most teams frame the cost of ignoring drift as "we might pick the wrong control to fix." True, but too mild. The real cost is what you permanently lose by optimizing against a ghost baseline. Consider a team that spent six months building a friction-reduction automation for a control they believed scored 4.0. The actual friction after drift was 2.3—it was never the bottleneck. Meanwhile, a control that had drifted from 3.0 to 6.5 sat untouched. What did they sacrifice? A whole quarter of engineering time, plus the security coverage they could have improved by focusing on the real blocker. Opportunity cost is invisible but it's not abstract: it's the vulnerability you left open because you were fixing the wrong thing.
One concrete pattern I see: teams keep hammering the same three "high friction" controls year after year, never noticing that the landscape shifted and two of them are now medium-low. The third, meanwhile, has quietly become the critical path. Wrong order. Not just inefficient—dangerous. The right experiment to run next week? Pick one control that has not been rescored in six months. Measure its actual friction this Tuesday. Compare that to the recorded score. If the gap exceeds 1.5 points, recalibrate everything in that control family before the next sprint planning session. That single action will teach you more about your real mitigation surface than any dashboard refresh ever could.
When Not to Use This Approach
Greenfield Projects With No Baseline Yet
You're staring at a blank canvas—no incident logs, no remediation history, no gut feel for what 'easy' versus 'hard' looks like in this new domain. I have watched teams rush to assign friction scores to mitigation steps that don't even exist yet. The trap is obvious in hindsight: you end up scoring hypothetical workflows against imaginary threat models. That number looks precise. It's not. Without at least three to six months of real operational data—actual fire drills, actual rollbacks, actual Monday-morning postmortems—your baseline is a fiction dressed up as a metric. The cost of acting on that fiction? You allocate budget to reduce friction that never materialises, while real bottlenecks fester unseen. Not yet. Build the system first. Let it break. Then score the scar tissue.
Field note: risk plans crack at handoff.
Worth flagging—even teams with adjacent experience from other products overestimate their calibration. The runtime environment shifts, the dependency graph mutates, the on-call rotation changes. What felt like a '3' on last year's Kubernetes cluster is a '7' in a serverless mess. The only honest baseline is one earned through operational pain, not whiteboard logic.
One-Time Compliance Audits
An auditor lands in your inbox: twenty controls to evidence, three weeks to deliver, zero tolerance for gaps. Your instinct is to friction-score every remediation step so you can prioritise the fastest wins and hit the deadline. Stop. Compliance audits are binary gates—pass or fail—not continuous improvement loops. Friction scoring optimises for long-term operational load reduction; a deadline-driven checkbox exercise optimises for raw throughput. Those two objectives conflict. The catch is that teams who score their audit mitigations tend to overshoot on effort estimation: they invest in 'low-friction' quick fixes that barely satisfy the control, then scramble when the auditor asks for depth. The real play is blunt-force blocking and tackling: do the thing, document it, move on. Leave the friction model for later, when the same control reappears in your quarterly review cycle and you actually care about the cost of maintaining it.
“Scoring a one-time audit mitigation is like measuring the wind resistance of a brick you're about to throw through a window. Interesting. Irrelevant.”
— SRE lead, after a PCI audit fire drill
One concrete scene I lived through: a fintech startup scored their audit log retention pipeline at 'friction 2'—low effort to implement via a managed service. Implementation took a day. The ongoing storage cost? It ate twenty percent of their monthly infra budget because they never modelled the baseline drift of log volume. The friction score was correct for that Tuesday. Wrong for the next twelve months. Audits are snapshots; friction scoring is a time-lapse. Don't confuse the two.
Teams With Zero Process Maturity
You arrive at a team that doesn't have a formal incident response process—no runbooks, no defined severity tiers, no postmortem template. The impulse is to introduce friction scoring as a way to 'objectively' rank their chaos. That hurts. What usually breaks first is the scoring itself: team members can't agree on what 'mitigation' means when each person handles outages by instinct. One engineer calls a rolling restart 'trivial' (friction 1); another calls it 'terrifying' (friction 8). Both are right given their context—which means the score collapses to noise. The trade-off is brutal: introducing a scoring system before basic process hygiene creates a false sense of control. Teams spend energy debating numbers instead of building the actual runbook. The better sequence: standardise the response workflow first, run it for a quarter, then calibrate friction against a shared, documented reality. Process maturity is the prerequisite, not the output, of trustworthy friction scoring.
Most teams skip this. They see a shiny model and assume it will impose order from above. It doesn't. It reflects the order you already built. If your team can't describe a mitigation step in two sentences, don't assign it a number. Assign it a TODO.
Open Questions & FAQ
How often should I recalibrate?
The honest answer? It depends—but a fixed calendar cadence is usually wrong. I have seen teams set a quarterly recalibration ritual, only to discover their baseline drifted in week two of the quarter. That hurts more than never recalibrating, because you're making decisions on stale numbers while feeling falsely confident. A better heuristic: recalibrate when you catch yourself arguing about what a score means instead of what it says. That semantic friction—three people in a room debating whether something is a 6.2 or a 6.7—is the signal that your baseline has silently moved. The trade-off is real: recalibrating too often introduces its own noise and eats calendar time. Wait too long, and your mitigation scores become decorative. Worth flagging—some teams anchor to a single "canary" metric (e.g., time-to-verify for a specific control) and recalibrate only when that metric shifts by more than 15%. Not perfect, but beats guessing.
What if my team disagrees on a score?
Disagreement is not a bug. It's often the first honest signal that your rubric has holes. I once watched a security team spend forty minutes arguing whether a rate limit gap was "friction 4" or "friction 6"—until someone realized they were using different reference frames: one person scored the friction of implementing the fix, the other scored the friction of bypassing it. Two different questions, same scale. The fix was brutal but simple: score each mitigation against a single, shared scenario written in plain language. Does this slow down an attacker using leaked creds? Or does it frustrate a legitimate user resetting their password? Pick one. The pitfall is treating disagreement as a problem to resolve with averages—averaging a 4 and a 6 gives you a 5 that nobody actually believes. Instead, ask: "What scenario would make the low scorer raise their hand?" That unearths the real drift.
Scoring is always a proxy for judgment. The moment you trust the number more than the conversation, you have already drifted.
— overheard at a post-incident review, after the team realized their "easy" mitigations were anything but.
Can I use historical data to correct drift?
Maybe—but only if you surface the assumptions baked into that history. Historical scores often reflect the context of the moment: a team under deadline, a newly shipped feature, a compliance audit looming. Pulling old scores forward without asking "why was this a 5 in March?" is like copying last year's bug fix into today's codebase—it compiles, but it doesn't fit. The catch is that historical data can expose drift patterns if you look at the right thing: not the absolute scores, but the delta between scored friction and observed friction. For example, if your records show a mitigation scored 3 two years ago, but every deployment since has required manual escalation to bypass it, the drift is hiding in the operational workarounds, not the scorecard. One team I worked with ran a quick experiment: they took ten mitigations scored over six months ago and re-scored them blind, then compared the old and new numbers. Eight of ten shifted by at least two points. That's not noise—that's a warning. Use historical data as a drift detector, not a correction tool. Re-score from scratch when the gap gets wide. Yes, it's more work. The alternative is painting over a crack in the foundation.
Summary: Next Experiments to Run
Audit your last 5 friction scores for drift
Pull the last five mitigation scores your team logged — any tool, any sprint. Stack them side by side. The catch? Don't look at the numbers first. Read the comments attached to each score. I have seen teams assign a 1 (trivial friction) to a process that required three sign-offs and a Slack chase. Then a month later, same process, someone scored it a 4. Same workflow. Different calibration. That's drift — and it hides in plain sight if you only stare at the aggregate. Mark which scores feel inconsistent. Then, for each mismatch, write down what changed: new tool? New team member? Nothing changed at all? The nothing-changed cases are the ones that sting most. That's your baseline rotting silently. Fixing one mis-scored item won't rewrite your entire model. But seeing the pattern — that's the point.
Run a cross-team calibration workshop
Block ninety minutes. Invite three people from adjacent teams — someone who lives in the system daily, one manager who approves the scores, and one skeptic who mutters "these numbers are fake" during retros. Hand them five anonymized scenarios from real work. Ask each person to score independently, then compare. The divergence won't be subtle. One person sees complexity; another sees friction. Worth flagging — these are not the same thing, though teams collapse them constantly. Complexity is inherent; friction is unnecessary. A tool that requires ten clicks is friction. A workflow that requires deep expertise is complexity. You can reduce friction; you can only manage complexity. The workshop surfaces this confusion live. Don't aim for consensus in the room. Aim for each person to articulate why they scored the way they did. That articulation, imperfect and messy, is the recalibration trigger.
“We spent the whole session arguing about a single score. Turned out we were scoring different parts of the same process.”
— Engineering lead, after their first cross-team calibration
Set a recurring calendar check
Block thirty minutes, every two weeks. Not a meeting — a personal audit. Open your friction log. Scan for scores that feel stale: that 2 you gave six weeks ago to a deployment step that now fails constantly. Update it. That takes three minutes. The trap is assuming baselines hold until something breaks. They don't. They erode quietly as people build workarounds, as tools get patched, as memory of the original problem fades. A recurring check turns drift from a crisis into a habit. Most teams skip this; they treat calibration like a one-time setup, then wonder why their mitigation scores lose predictive power. The cost of ignoring it? You start making decisions on data that no longer reflects reality. That hurts. Set the calendar entry before you close this page. Name it something boring — 'Friction score review' — so you actually show up.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!