
August 25, 2022

What Is Human Risk Management? A CISO's Guide

Mandatory lunch-and-learns and boring slide decks don't work. We've all sat through security training that feels more like a compliance checkbox than a real learning experience. But do these traditional methods actually change behavior? The data says no. It’s time for a new approach: a modern human risk management program that moves beyond just awareness. It starts by clearly defining what human risks are and provides a framework to evaluate cybersecurity behavior change. This guide will help you conduct a meaningful human risk review and prove your program's value.

The 2022 Verizon Data Breach Investigations Report found that 82% of breaches originated from human activities. This finding rings true across all industries. So if you knew who your riskiest populations were, and could change their behaviors, imagine what that 82% might drop to.

At the core of Human Risk Management is the goal of creating true behavior change across the organization, not just cleaning up after an incident. However, you can’t change what you don’t see and aren’t even aware of.

If we followed conventional Security Awareness & Training industry wisdom in other areas of life, we’d see a broken glass in the kitchen and hurry to clean it up, which makes sense. But then, when another one breaks, will the clean-up approach work to prevent a break from happening again?

Maybe you decide to send everybody who lives in your house to a 30-minute training session, a few times a year, about why glasses break when they hit the ground. Will that actually change what’s happening? How would you know why the glasses keep breaking if you don’t have the data you need: who is breaking them, why it is happening, and what those specific people need to know to change their behaviors?

As Jinan Budge, VP and Principal Analyst at Forrester, puts it in a recent blog post, when it comes to security awareness and training, “behavior and culture change have moved beyond being performative to fostering real action.”

In her post on the Forrester blog, Jinan Budge states that there are four “distinct, unexpected, and crucial functionality segments” that security awareness and training vendors can employ to keep up with, and hopefully stay ahead of, this ever-changing threat landscape. These include key principles that Living Security believes in: principles that can help your team quantify human risk, engage your workforce, and measure behavioral changes, which we believe will help drive Human Risk Management to become the new gold standard for the security training industry.

What is Human Risk Management (HRM)?

Human Risk Management, or HRM, is a strategic approach that moves beyond traditional security awareness. It’s a framework designed to understand, predict, and ultimately reduce the cybersecurity risks associated with human behavior. Instead of simply reacting to incidents, HRM proactively identifies where and why risks exist within your workforce. It accomplishes this by correlating data across three critical pillars: employee behavior, identity and access permissions, and real-world threat intelligence. This comprehensive view allows security teams to see the full picture of human risk, pinpointing the specific individuals and groups who pose the greatest threat to the organization, whether intentionally or by accident. This data-driven method allows you to stop guessing and start measuring what truly matters.

The core idea is to shift from a compliance-focused mindset to one centered on tangible risk reduction. While traditional programs ask, "Did our employees complete the training?" HRM asks, "Did the training actually change their behavior and make our organization safer?" By focusing on measurable outcomes, Human Risk Management provides security leaders with the actionable intelligence needed to build a more resilient security culture. It’s about transforming your security program from a cost center focused on cleanup to a strategic function that prevents incidents before they can cause damage, saving time, money, and reputational harm in the process.

Moving Beyond Compliance-Based Training

For years, the standard for addressing human-related risk was compliance-based training. This often meant annual, one-size-fits-all courses designed to check a box for auditors. While well-intentioned, this approach rarely leads to lasting behavior change. HRM fundamentally changes the game by moving beyond simple awareness. It recognizes that knowing about a risk is not the same as acting to avoid it. The goal is not just to inform employees but to influence their daily security decisions in a measurable way. This means focusing on interventions that are timely, relevant, and personalized to the individual's specific risk profile.

Key Components of a Modern HRM Program

A modern HRM program is a dynamic, continuous cycle, not a one-time event. It begins with collecting and analyzing data from diverse sources to build a detailed risk profile for every individual. This includes information from security tools, identity management systems, and observed behaviors like phishing simulation performance. The Living Security Platform, for example, correlates these signals to predict which users are most likely to cause an incident. Based on this intelligence, the program then delivers targeted interventions, such as micro-trainings, policy reminders, or security nudges, designed to address specific risky behaviors. Finally, it measures the effectiveness of these interventions, creating a feedback loop that constantly refines and improves the organization's security posture.

HRM vs. Traditional Security Awareness: A Clear Comparison

The distinction between Human Risk Management and traditional security awareness and training (SAT) represents a significant evolution in cybersecurity strategy. While SAT focuses on broadcasting information and achieving compliance, HRM is an outcome-driven discipline dedicated to measurably reducing risk. Think of it as the difference between giving someone a book on healthy eating versus creating a personalized nutrition and fitness plan with a clear goal of lowering their cholesterol. One provides information, while the other drives a specific, measurable health outcome. Traditional SAT programs often operate in a silo, disconnected from the rest of the security stack.

In contrast, HRM is deeply integrated with an organization's security operations. It uses data from across the security ecosystem to identify risk and, in turn, provides valuable human-centric intelligence back to teams like the Security Operations Center (SOC). This creates a symbiotic relationship where technology and human insights work together to build a stronger defense. The metrics, goals, and operational integrations of HRM are fundamentally different, reflecting a more mature and effective approach to managing the human element in cybersecurity. This shift is critical for organizations looking to move from a reactive to a proactive security posture.

Goal: Risk Reduction vs. Compliance

The primary objective of a traditional security awareness program is often compliance. Success is measured by how many employees completed the required training modules. HRM, however, sets a much higher bar. As Forrester notes, "The main goal of HRM is to change behaviors and promote a security culture, with meeting basic training rules being a secondary goal." The ultimate aim is to achieve a quantifiable reduction in security incidents caused by human action. While an HRM program will certainly help you meet compliance requirements, that is simply a positive byproduct of a much more strategic objective: making the organization demonstrably safer.

Metrics: Outcome-Driven vs. Completion-Based

You can't manage what you don't measure, and the metrics used by HRM are a world away from traditional completion rates. Instead of tracking how many people watched a video, HRM focuses on "Outcome-Driven Metrics" (ODMs). These are indicators that reflect real-world security behaviors and their impact on the organization's risk posture. Examples include phishing report rates, the time it takes for an employee to report a suspicious email, and resilience against simulated attacks. These metrics provide security leaders with board-ready data that demonstrates the tangible value and ROI of their security initiatives, proving that the program is actually reducing risk.

Integration: A Partner to the Security Operations Center (SOC)

Unlike traditional training programs that are often isolated from real-time security operations, HRM acts as a crucial partner to the SOC. An effective HRM program doesn't just train users; it turns them into an active part of the defense system. When employees are conditioned to report threats effectively, this "shares human threat reports directly with the security team to help stop real attacks faster." This integration provides the SOC with early warnings and valuable intelligence from the front lines, allowing them to respond to threats with greater speed and precision. It transforms the entire workforce into a distributed sensor network, strengthening the overall security fabric.

The Financial and Operational Impact of Human Risk

The consequences of human-related security incidents extend far beyond the IT department, creating significant financial and operational disruptions for the entire business. A single mistake, such as clicking a malicious link or falling for a social engineering scam, can lead to devastating data breaches, ransomware attacks, or financial fraud. The direct costs are staggering, including incident response expenses, regulatory fines, and legal fees. However, the indirect costs are often even greater. These include operational downtime, loss of customer trust, damage to the brand's reputation, and a decline in shareholder value. These are not just IT problems; they are business-critical issues that can impact long-term viability.

Understanding and quantifying this impact is the first step toward making a compelling business case for investing in a robust Human Risk Management program. When security leaders can translate human risk into financial terms, it changes the conversation with the board and executive leadership. HRM provides the framework to not only identify and mitigate these risks but also to demonstrate the financial return of doing so. By preventing costly breaches before they happen, an effective HRM strategy protects the bottom line and ensures business continuity, making it an essential investment for any modern enterprise.

The Staggering Cost of Human-Caused Breaches

The statistics surrounding human-caused breaches are alarming. Forrester predicts that the human element will be involved in 90% of data breaches this year. This highlights a critical vulnerability that technical controls alone cannot solve. Each of these incidents carries a hefty price tag. According to IBM's Cost of a Data Breach Report, the global average cost of a data breach reached $4.45 million in 2023. For breaches where stolen or compromised credentials were the initial attack vector, a common result of human error, the cost was even higher. These figures underscore the urgent need for a more effective way to manage human risk.

Phishing, BEC, and the Rise of AI Threats

Phishing and Business Email Compromise (BEC) remain two of the most common and costly attack vectors that prey on human psychology. These attacks have become increasingly sophisticated, and the rise of generative AI is amplifying the threat. Malicious actors can now use AI to craft highly convincing, personalized phishing emails at scale, making them harder than ever for employees to detect. This new reality renders traditional, generic phishing simulations less effective. A modern approach requires predictive intelligence that can identify which users are most susceptible or most likely to be targeted, enabling security teams to deliver preemptive, targeted interventions.

Identifying the Few Who Cause the Most Risk

A key insight from security research is that risk is not evenly distributed across an organization. In fact, data from Proofpoint shows that a small fraction of users, roughly 8%, are responsible for 80% of security incidents. This principle makes a blanket, one-size-fits-all approach to security training incredibly inefficient. It wastes the time of your low-risk employees while failing to provide the focused attention that your high-risk population needs. A core function of Human Risk Management is to identify this small but critical group of users. By focusing resources where they will have the greatest impact, organizations can achieve a significant reduction in risk much more efficiently.

The Psychology Behind Security Mistakes

To effectively change behavior, we first have to understand why people make risky decisions. It’s rarely because they have malicious intent or don’t care about security. More often, security mistakes are a byproduct of human psychology, cognitive biases, and the environments in which people work. Factors like stress, cognitive overload, and pressure to meet deadlines can cause even the most well-intentioned employees to take shortcuts or overlook security protocols. People are wired to be efficient and helpful, which can sometimes conflict with the cautious, skeptical mindset required for strong security. A successful HRM program acknowledges these realities and works with them, not against them.

Instead of a culture of blame, HRM fosters a culture of understanding and support. It recognizes that, as Arctic Wolf points out, a human-related breach is often a symptom of "gaps in security processes, not just one person's fault." By analyzing the context surrounding risky behaviors, organizations can identify and fix the underlying systemic issues. This could mean simplifying a complex security procedure, providing clearer guidance, or implementing tools that make the secure choice the easy choice. This empathetic, psychology-informed approach is far more effective at creating sustainable behavior change than rules and punishment alone.

Why Good People Make Risky Decisions

Good people make mistakes for understandable reasons. An employee rushing to finish a report before a deadline might quickly click "enable macros" on a document without thinking, inadvertently launching a malware attack. Another, wanting to be helpful, might fall for a CEO fraud scam requesting an urgent wire transfer. These are not failures of character; they are predictable outcomes of human cognitive patterns interacting with a complex work environment. Security is often seen as a secondary task that creates friction and slows down primary job functions. When security processes are cumbersome or confusing, people will naturally find workarounds, creating vulnerabilities.

Using Nudge Theory to Guide Better Behavior

One of the most powerful psychological tools in the HRM toolkit is Nudge Theory. This concept suggests that you can guide people toward better choices through "gently guiding people toward better security choices without forcing them." A nudge isn't a mandate; it's a subtle change in the environment that makes the desired behavior easier or more intuitive. In a security context, this could be a simple pop-up warning when an employee is about to visit a potentially risky website or a just-in-time micro-training delivered moments after they fail a phishing simulation. These small, timely interventions are highly effective at reinforcing secure habits in the context of daily work.

How to Build and Mature Your HRM Program

Implementing a Human Risk Management program is a journey, not a destination. It involves a strategic, phased approach that builds momentum over time. The goal is to move from a reactive, compliance-based model to a predictive, risk-based program that is fully integrated into your security operations. This process doesn't have to be overwhelming. By breaking it down into clear, manageable steps, any organization can begin to mature its approach to managing human risk. The key is to start with a solid foundation of data, focus on the most critical behaviors first, and commit to a cycle of continuous measurement and improvement.

This journey involves assessing your current state, identifying your highest-risk areas, and implementing targeted interventions to address them. As the program matures, it becomes more sophisticated, leveraging deeper data integrations and more personalized, automated actions to stay ahead of emerging threats. The Living Security platform is designed to guide organizations through this evolution, providing the tools and intelligence needed at each stage. Following a structured approach ensures that your efforts are focused, efficient, and aligned with the overarching goal of making your organization safer and more resilient.

Step 1: Assess and Identify High-Risk Areas

The first step in building any effective HRM program is to understand your starting point. You can't fix what you can't see. This initial phase is all about assessment and discovery. It involves gathering baseline data to "find out which jobs and people are at highest risk." This means looking beyond a single data point, like phishing click rates, and creating a holistic view by correlating information about user behaviors, their level of access to sensitive systems, and the specific threats targeting your organization and industry. This comprehensive assessment provides a clear, prioritized map of your human risk landscape, showing you exactly where to focus your initial efforts for the greatest impact.

Step 2: Focus on Critical Behaviors like Threat Reporting

Once you've identified your high-risk areas, the next step is to focus on changing the most critical behaviors. While many behaviors contribute to security, it's essential to prioritize. As security experts at Hoxhunt recommend, you should "make reporting threats the #1 goal." Encouraging and enabling employees to report suspicious emails and activities is one of the most impactful changes you can make. This behavior transforms your entire workforce from potential victims into a powerful, distributed threat detection network. Other critical behaviors to target early on might include proper data handling, strong password practices, and vigilance against social engineering.

Step 3: Monitor, Measure, and Reinforce

Human Risk Management is not a "set it and forget it" initiative. It is a continuous loop of action, measurement, and refinement. After implementing interventions, you must "keep an eye on security numbers and trends to see what's working." This means constantly monitoring your outcome-driven metrics to gauge the effectiveness of your program. Are threat reporting rates increasing? Are people falling for simulated attacks less often? This data provides the feedback needed to reinforce what works and adjust what doesn't, ensuring that your program evolves and adapts to your changing risk landscape and drives lasting behavior change.

The HRM Maturity Model

To help guide this journey, it's useful to have a roadmap. A maturity model provides a framework for assessing the current state of your HRM program and charting a clear path forward. It outlines the key stages of development, from a basic, compliance-focused program to a fully optimized, predictive one. Using a model allows you to benchmark your progress, identify gaps, and set realistic goals for improvement. To help your organization get started, you can use the Living Security Human Risk Management Maturity Model to evaluate where you are today and plan your next steps toward a more proactive and data-driven security culture.

How Data Reveals Your True Human Risk

It’s data that drives change, because it’s data that creates awareness. Simply knowing that glasses keep getting broken isn’t enough. You need to harness the power of the data your organization is already generating so that you can identify the areas where additional training and support are needed. Once you know it, once you see it, you can do something about it.

What role do your team’s online behaviors play in the cyber risk of your organization as a whole? For real and disruptive change in security culture to take place, it's vital to acknowledge that human risk is much more complex than just who passed or failed a phishing test. When was the last time your users updated their passwords? Are they using a password manager? How many devices are they using to log in and access company files, and are they using a secure VPN when not in the office?

Correlating Behavior, Identity, and Threat Data

A failed phishing simulation tells you an employee clicked a link, but it doesn't tell you the whole story. Without more context, you can't accurately gauge the potential impact. Does that employee have access to critical systems? Are they being actively targeted by threat actors? Answering these questions is the difference between a reactive and a truly predictive security posture. This is where a modern Human Risk Management program moves beyond simple awareness. By correlating data across user behavior, identity and access, and real-world threat intelligence, you can build a complete picture of risk. This integrated view helps you identify not just risky individuals, but the specific people whose combination of behavior, access, and targeting poses the greatest threat to the organization. It allows your security team to move from broad-stroke training to precise, data-driven interventions that actually prevent incidents before they happen.
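As an added illustration (this is not code from Living Security or from this post), the following Python computes the outcome-driven metrics named earlier (simulation click rate, phishing report rate, and time to report) from a handful of constructed phishing-simulation events, rolls them up by department, and then ranks users by combining those behavior metrics with constructed identity data (an access tier) and threat data (who has been seen in real targeted campaigns). Every user, department, event, and the scoring heuristic in rank_human_risk are assumptions invented for the example; the point is to show how a click on its own says little until it is read alongside access and targeting.

```python
"""Outcome-driven metrics and cross-pillar risk ranking over constructed data."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed phishing-simulation events: (user, department, event, timestamp).
# "sent" is the simulated lure; "clicked" and "reported" are the user's responses.
SIM_EVENTS = [
    ("alice", "finance", "sent",     "2022-08-01T09:00"),
    ("alice", "finance", "reported", "2022-08-01T09:04"),
    ("bob",   "finance", "sent",     "2022-08-01T09:00"),
    ("bob",   "finance", "clicked",  "2022-08-01T09:10"),
    ("carol", "eng",     "sent",     "2022-08-01T09:00"),
    ("carol", "eng",     "reported", "2022-08-01T11:30"),
    ("dave",  "eng",     "sent",     "2022-08-01T09:00"),
    ("dave",  "eng",     "clicked",  "2022-08-01T09:02"),
    ("dave",  "eng",     "reported", "2022-08-01T09:05"),  # clicked, then reported
]

# Constructed identity pillar: access tier per user (higher = more sensitive access).
ACCESS_TIER = {"alice": 1, "bob": 3, "carol": 2, "dave": 3}

# Constructed threat pillar: users observed in real targeted campaigns.
TARGETED = {"bob", "carol"}


def _ts(s):
    return datetime.fromisoformat(s)


def per_user_behavior(events=SIM_EVENTS):
    """Per-user outcome metrics: click rate, report rate, median minutes to report."""
    sent, clicked = defaultdict(int), defaultdict(int)
    report_minutes = defaultdict(list)
    sent_at, dept = {}, {}
    for user, department, event, ts in events:
        dept[user] = department
        if event == "sent":
            sent[user] += 1
            sent_at[user] = _ts(ts)
        elif event == "clicked":
            clicked[user] += 1
        elif event == "reported":
            delta = _ts(ts) - sent_at[user]
            report_minutes[user].append(delta.total_seconds() / 60)
    out = {}
    for user, n in sent.items():
        times = report_minutes[user]
        out[user] = {
            "department": dept[user],
            "click_rate": clicked[user] / n,
            "report_rate": len(times) / n,
            "median_minutes_to_report": median(times) if times else None,
        }
    return out


def department_odms(behavior):
    """Roll per-user metrics up to department-level outcome-driven metrics."""
    groups = defaultdict(list)
    for m in behavior.values():
        groups[m["department"]].append(m)
    result = {}
    for department, ms in groups.items():
        times = [m["median_minutes_to_report"] for m in ms
                 if m["median_minutes_to_report"] is not None]
        result[department] = {
            "click_rate": sum(m["click_rate"] for m in ms) / len(ms),
            "report_rate": sum(m["report_rate"] for m in ms) / len(ms),
            "median_minutes_to_report": median(times) if times else None,
        }
    return result


def rank_human_risk(behavior, access=ACCESS_TIER, targeted=TARGETED):
    """Rank users by combining the three pillars.

    The weighting is a constructed, deliberately transparent heuristic (an
    assumption of this example, not a published formula): behavior risk is the
    click rate minus half the report rate (reporting partly offsets a click),
    scaled by access tier, and doubled for users seen in real campaigns.
    """
    scored = []
    for user, m in behavior.items():
        behavior_risk = max(0.0, m["click_rate"] - 0.5 * m["report_rate"])
        score = behavior_risk * access.get(user, 1) * (2 if user in targeted else 1)
        scored.append((round(score, 3), user))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


if __name__ == "__main__":
    behavior = per_user_behavior()
    for department, metrics in department_odms(behavior).items():
        print(department, metrics)
    for score, user in rank_human_risk(behavior):
        print(f"{user:6} score={score}")
```

Running the block shows why correlation matters: bob and dave both clicked, but bob (high access, actively targeted, never reported) lands far above dave (high access, not targeted, and reported the lure within minutes), while alice and carol, who reported without clicking, score zero. Department roll-ups of the same metrics are what a board-level trend line would be built from.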

Tailored Training That Actually Changes Behavior

The core of Human Risk Management is in the human element, and we believe that means training can spark curiosity, awaken playfulness, and actually (brace yourselves) be fun. Through virtual escape rooms, games, and training sessions that aren’t outdated PowerPoint presentations from 1997, you can not only empower your employees, but get them excited to learn more, do more, and be more.

Plus, by identifying the employees or departments that present the most cyber risk to your organization, you can give them specifically tailored action plans, including training focused on the areas that are most detrimental to their risk scores. By using a Human Risk Management approach to quantify your organization’s human risk and working directly with the groups that present the most risk with relevant and engaging cybersecurity training, your entire workforce can become security experts. You can see examples of this type of engaging training, which has proven to lead to a 16X increase in employee engagement, on our content page.

A Unified Platform for Human Risk Management

Living Security Unify Insights brings it all together. The industry is changing, and companies have the unprecedented opportunity to work with their data to develop responses ahead of incidents, using data that they already have on hand. Unify Insights provides one place and one dashboard that make it easy to create actions to address your highest-risk segments and behaviors. With this knowledge, security leaders can tailor programs for specific groups, up-level their security awareness, and improve their risk profile, empowering you to transform your workforce into your strongest security asset and directly mitigate cyber attacks.

Human Risk Management is poised to disrupt this field in a big way. Don’t get left behind, and don’t waste your time and your money with after-the-fact stopgaps that just don’t fit. After all, I think we’d all appreciate a bit less broken glass all over the place. Clean it up, make it safe, and get smarter, with Living Security Unify Insights.

Predicting and Preventing Risk with an AI-Native Platform

Harnessing your organization's data is the first step, but a truly proactive security posture requires moving beyond analysis and into prediction. This is where an AI-native platform changes the game. Instead of just showing you what happened, it uses predictive intelligence to show you what is *likely* to happen next. By continuously analyzing hundreds of real-world signals, this type of system can identify risk trajectories before they lead to an incident. It represents a fundamental shift from the old "detect and respond" cycle to a modern "predict and prevent" model, allowing security teams to get ahead of threats.

This predictive power comes from correlating data across three critical pillars: human behavior, identity and access, and active threats. An AI-native Human Risk Management platform doesn't just look at who failed a phishing simulation. It also assesses who has elevated access to sensitive data and who is being actively targeted. The platform's AI guide, Livvy, synthesizes these data points to provide clear, evidence-based recommendations. It explains *why* a specific person or AI agent poses a risk and suggests tailored actions, from micro-training to policy adjustments, enabling you to prevent incidents before they occur.

Frequently Asked Questions

How is Human Risk Management different from the security awareness training we already do? Think of it as the difference between a fire drill and a fire prevention plan. Traditional security awareness training is often a reactive, compliance-driven drill that checks a box. Human Risk Management (HRM) is a proactive, strategic plan designed to prevent the fire from starting. It uses data to understand why risks exist and focuses on measurable behavior change to reduce those risks, rather than just tracking who completed a course.

What kind of data is needed for an effective HRM program? A strong HRM program moves beyond a single data point, like phishing click rates. It builds a comprehensive risk picture by correlating data from three key areas: user behavior (like security training performance), identity and access (who has keys to sensitive data), and real-world threat intelligence (who is being targeted by attackers). This integrated view is what allows you to see not just who is acting risky, but who poses the greatest potential impact to the business.

Our biggest challenge is getting buy-in. How does HRM help prove its own value to leadership? HRM is built on outcome-driven metrics, which is exactly what leadership wants to see. Instead of reporting on training completion rates, you can present board-ready data that shows a measurable reduction in risk. You can demonstrate a lower rate of successful phishing simulations, faster threat reporting times from employees, and a quantifiable decrease in incidents tied to human action. This shifts the conversation from security as a cost center to a strategic function with a clear return on investment.

You mention that a small number of users cause most of the risk. How does HRM address this without creating a culture of blame? This is a critical point. HRM isn't about singling people out for punishment; it's about providing focused support where it's needed most. By identifying individuals with a higher risk profile, you can provide them with personalized, timely interventions, like a micro-training on a topic they struggle with. This approach is more efficient than one-size-fits-all training and fosters a supportive culture that recognizes security mistakes are often symptoms of a process gap, not a personal failing.

How does an AI-native platform change how we manage human risk? An AI-native platform transforms your program from reactive to predictive. Instead of just analyzing past events, it uses AI to analyze hundreds of real-time signals to forecast where the next incident is likely to occur. It can identify a user whose behavior, access levels, and threat exposure create a high-risk trajectory and then guide your team with specific, evidence-based recommendations to intervene before a breach happens. It allows you to get ahead of threats in a way that manual analysis simply can't.

Key Takeaways

  • Focus on risk reduction, not just compliance: Move beyond generic, check-the-box training and adopt a strategy that measurably changes employee behavior to reduce security incidents and protect your organization.
  • Gain full visibility by correlating data: Understand your true risk landscape by analyzing data across employee behavior, identity and access, and active threats. This integrated view reveals vulnerabilities that isolated metrics miss.
  • Prioritize your efforts on high-impact risks: Identify the small group of individuals who pose the greatest threat and deliver targeted, personalized interventions. This focused approach is more efficient and effective than one-size-fits-all training.
