Hacker News

It sounds like they used to be much better. When I joined in 2010, they were working on a shift towards a new management style with metrics and the whole nine yards.

That management style also resulted in their backend risk management system using rot13 for authentication because the developers "didn't have enough time to implement something better." Being able to read, in plaintext, their production mortgage database's read/write password was pretty interesting. I avoid them like the plague now.



Wow, that's pretty bad. Metrics-driven management is one of those things that sounds like a smart thing to do but it ends up being counterproductive. It's really hard to measure the things that are important so we have to use proxies. Except optimizing a proxy is not the same thing as optimizing the thing you care about. And this is how we end up with production databases using rot13 for encryption :)


Back when I was in management, I used to collect concrete metrics like "you keep closing work items, but it's been three months since you checked in any code" or "you're employed as a tester but you only opened two bugs last year and they were both by design". Of course people could game it, and maybe they did, but it went a long way toward identifying the people who were just straight-up asleep at their desks.


Did the next generation make encryption 2x better by having double rot13?


They might as well have, honestly. I found it by accident when trying to link my group's database to the risk management system, since it was also their internal cluster computing system. It was more or less a giant Python object store, including code. It had zero documentation, and since I worked second, I had to figure it out without any devs online. Eventually I found the password store after looking through other groups' production code. Turns out that double clicking on an object showed its code and anything linked to it, so once you have the password function object, you get all linked password hashes. Double clicking the hashes then ran its linked function - rot13 - and printed it to the screen.

This was in 2011, so they should've known better! I've seen some pretty bad stuff, but that was pretty up there.
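To make concrete why the rot13 "password store" described in this thread is not protection at all, here is an added example (not code from the commenter or the company discussed): the stored value of a constructed sample password is recovered with a single call, beside what a real stored credential check looks like (salted scrypt with a constant-time compare). All names and the sample password are assumptions for illustration.

```python
import codecs
import hashlib
import hmac
import os

# Constructed sample: what a rot13 "password store" would hold for the
# hypothetical credential "Sw0rdfish!". Letters are shifted 13 places;
# digits and punctuation pass through untouched.
SAMPLE_PASSWORD = "Sw0rdfish!"
STORED_ROT13 = codecs.encode(SAMPLE_PASSWORD, "rot_13")  # "Fj0eqsvfu!"


def rot13_recover(stored: str) -> str:
    """rot13 is its own inverse: applying it again yields the plaintext.
    There is no key, so anyone who can read the store has every password."""
    return codecs.encode(stored, "rot_13")


# Hardened form (added example): a salted, memory-hard password hash.
# scrypt cost parameters are fixed here; tune them for the deployment.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated unless one
    is supplied (supplying one is only for deterministic testing)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest from the candidate password and compare in
    constant time; the stored digest cannot be turned back into the password."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("rot13 store holds:", STORED_ROT13)
    print("recovered plaintext:", rot13_recover(STORED_ROT13))
    salt, digest = hash_password(SAMPLE_PASSWORD)
    print("scrypt digest (hex):", digest.hex())
    print("verify correct:", verify_password(SAMPLE_PASSWORD, salt, digest))
    print("verify wrong:", verify_password("guess", salt, digest))
```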



