
September 10, 2025

How to Lead a Culture Shift in Risk Management

Your security team sees it all. They have the dashboards, the risk scores, and the phishing click data. But does that intelligence ever leave the SOC? For most organizations, there's a massive disconnect between security data and the frontline managers who guide employee behavior. This gap makes meaningful change nearly impossible. A successful culture-shift risk management program closes this loop. Living Security, a leader in Human Risk Management (HRM), translates complex risk signals into simple, actionable dashboards. This approach to human risk scoring turns passive data into an active tool for coaching and real risk reduction.

Think back to your very first job. Chances are, you didn’t look to the CEO for cues on how to show up every day—you looked to your manager. They set the tone. They told you what mattered. They gave you that nod of recognition when you got it right (and the side-eye when you didn’t).

Now fast forward to today’s workplace. We talk a lot about building a “security-first culture,” but here’s the truth: culture isn’t built in boardrooms or all-hands presentations. Culture is built in team meetings, daily standups, and those casual one-on-ones.

That’s why a recent workplace study hits so hard: 87% of employees say managers shape their daily work environment—making them the single most influential lever for cultural and behavioral change. If that’s true, then when it comes to human risk management, managers may be our most underutilized security asset.

This is exactly where the HRM Framework comes in. It’s designed to help program admins think holistically about the 16 categories of human risk—including emerging areas like AI—and connect them across process, technology, and people. By mapping human risk to recognized standards like NIST, the HRM Framework gives security teams the foundation to identify where culture needs reinforcement and how tools like Manager Scorecards can turn insights into action at the team level. The result is a stronger, more measurable security culture that extends through every manager and employee.

The Security Culture Blind Spot

Here’s the problem: security teams have all the dashboards and data, but managers—the people closest to employees—are often flying blind. They don’t know which team members are making good security choices and which ones are putting the company at risk.

It’s a bit like a coach trying to improve a team’s performance without ever seeing the game tape. You can run more drills, but if you don’t know who’s dropping the ball, you can’t fix the problem.

Defining Culture, Culture Risk, and Risk Culture

To fix the problem, we first have to define it. According to Deloitte, culture is "the system of values, beliefs, and behaviors that shapes how things get done inside a company." It’s the unwritten rules of the road that guide employee actions when no one is looking. Culture risk emerges when there's a gap between the company's stated values and what people actually do. For security teams, this is where the danger lies. You can have the best security policies in the world, but if the prevailing culture doesn't reinforce them, they become ineffective, creating a significant blind spot in your defense.

The Broader Business Impact of a Poor Culture

A weak security culture isn’t just a security problem; it’s a business problem. When secure behaviors aren't ingrained in the daily workflow, the consequences ripple across the entire organization. As Deloitte notes, a poor culture can lead to a host of issues, including "sensitive information being mishandled, projects failing, or customers not being loyal." In security terms, this translates to data breaches, regulatory fines, operational downtime, and a loss of customer trust. It proves that managing human risk isn't just about preventing clicks on phishing links; it's about protecting the company's bottom line and reputation from preventable threats.

Structuring Your Approach: Enterprise Risk Management (ERM)

So, how do we move from simply talking about culture to actively managing it? The answer lies in adopting a structured, disciplined approach. For decades, organizations have used Enterprise Risk Management (ERM) frameworks to manage financial, operational, and strategic risks. An ERM framework provides "a planned way to find, check, deal with, and watch risks across an entire company," giving leaders a complete view of their risk landscape. This same methodology is perfectly suited for tackling human risk. Instead of relying on ad-hoc training campaigns, applying an ERM mindset allows security leaders to systematically identify, measure, and mitigate risky behaviors with precision.

This is the foundation of Human Risk Management (HRM), as defined by Living Security. It elevates the conversation from awareness activities to a strategic risk function. By aligning with established ERM principles, security teams can build a defensible program that not only changes behavior but also demonstrates clear, measurable risk reduction to the board. It’s about treating human risk with the same rigor as any other critical business risk, using a data-driven foundation to make it visible, measurable, and actionable. This structured approach ensures that efforts are targeted, efficient, and directly tied to business outcomes, moving security from a cost center to a strategic enabler.

What is an ERM Framework?

An ERM framework is more than just a set of guidelines; it's a comprehensive system for integrating risk management into an organization's core strategy and governance. Well-established models like the COSO framework provide a structured approach that helps organizations manage risk from the top down. Instead of addressing risks in isolated silos, these frameworks create a holistic view, ensuring that risk management is a continuous and embedded part of decision-making at every level. By adopting such a framework, you create a common language and a consistent process for managing all types of risk, including the complex and dynamic nature of human risk.

The Four Pillars of an ERM Framework

Most ERM frameworks are built on four essential pillars that create a continuous cycle of risk management. According to risk management experts, these pillars are Risk Identification, Risk Assessment, Risk Response, and Risk Monitoring & Reporting. Together, they form a logical and repeatable process for understanding and controlling an organization's risk exposure. When applied to the human element, these pillars provide a powerful structure for building a mature Human Risk Management program that moves beyond simple awareness and drives real behavioral change across the enterprise.

Risk Identification

The first step is to "find all the different risks," from cyber and financial to operational threats. In the context of human risk, this means looking beyond the obvious, like phishing susceptibility. It involves identifying a wide spectrum of risky behaviors, such as improper data handling, poor password hygiene, unauthorized software use, and unsafe interaction with generative AI tools. A modern approach requires correlating data across multiple sources, including employee behavior, identity and access systems, and real-time threat intelligence, to get a complete picture of where vulnerabilities exist within your workforce.

Risk Assessment

Once risks are identified, the next step is "figuring out how likely a risk is and how much it could hurt." This involves quantifying human risk to prioritize what matters most. Which employees, departments, or roles pose the greatest potential threat? Which behaviors could lead to the most significant business impact if exploited? An effective assessment uses predictive intelligence, analyzing hundreds of risk indicators to understand not just who is risky now, but who is on a trajectory to become risky in the future, allowing you to intervene before an incident occurs.

Risk Response

After assessing the risks, you must decide on the appropriate response. This pillar involves "deciding what to do about a risk," whether that's avoiding, mitigating, transferring, or accepting it. For human risk, an effective response is rarely one-size-fits-all. It requires targeted, personalized interventions. Instead of broad-based annual training, the Living Security Platform can guide teams to act with precision, orchestrating actions like delivering adaptive micro-training, sending contextual nudges, or reinforcing policies for specific individuals or groups, all with human-in-the-loop oversight.

Risk Monitoring and Reporting

Finally, ERM requires "keeping an eye on risks and telling decision-makers what they need to know quickly." This is a continuous process, not a one-time event. For human risk, it means tracking the effectiveness of your interventions and measuring behavioral change over time. The goal is to provide actionable intelligence to the right people at the right time. This includes giving managers visibility into their team's risk posture and equipping CISOs with board-ready metrics that clearly demonstrate risk reduction and the program's overall business value.

Integrating a Formal Framework like COSO

By integrating a formal framework like COSO, organizations can ensure their approach to risk is comprehensive and aligned with overall business governance. This is precisely where Human Risk Management fits in. It applies the proven principles of ERM to the human layer of security, transforming it from a compliance-driven training exercise into a strategic risk management function. This structured approach allows security leaders to speak the same language as the rest of the business, demonstrating how proactive management of human and AI agent risk directly contributes to the organization's resilience and strategic objectives.

Changing the Game with Human Risk Management Visibility

That’s where Manager Scorecards come in. Instead of keeping insights locked away in security dashboards, scorecards put simple, actionable metrics in the hands of managers. They don’t need to be security experts—they just need to know how their team is doing and how to encourage progress.

And when managers have that visibility, magic happens:

  • Contractors, once disengaged, start reporting phishing attempts at double the rate.

  • Teams with USB port exceptions get the targeted coaching they need to reduce risky behaviors.

  • Frequent travelers—an often-overlooked risk group—become more vigilant because their managers reinforce security before every trip.

This isn’t theory. Organizations are already seeing culture shift when managers step in as security coaches.

Connecting ERM to Human Risk Management (HRM)

Enterprise Risk Management (ERM) is the comprehensive strategy organizations use to handle all potential threats, from financial instability to operational failures. Historically, human risk was the fuzzy, hard-to-pin-down element in that strategy, often acknowledged but rarely measured with any precision. This is where Human Risk Management (HRM), as defined by Living Security, provides the critical connection: it supplies the structure to make human risk visible and measurable, allowing it to be fully integrated into an ERM framework. It’s about intentionally shaping the organization's "risk culture"—the shared attitudes and behaviors around risk. By turning abstract cultural goals into concrete actions and metrics, HRM transforms the human element from an unpredictable liability into a managed and resilient part of your overall defense strategy.

How Data Makes Human Risk Actionable

The real power in connecting HRM to ERM comes from making human risk truly actionable, and that requires data. Traditional security awareness efforts often felt like shouting into the void because they lacked the metrics to target the right people or prove their impact. This is why a data-driven foundation is essential. Living Security, a leader in Human Risk Management (HRM), shifts the paradigm by correlating data across three core pillars: employee behavior, identity and access systems, and real-time threat intelligence. This comprehensive analysis provides the critical context needed for action. It helps you see not just who clicked a phishing link, but which of those individuals also has access to sensitive data and is being actively targeted by threat actors. This is how you move from broad-stroke awareness campaigns to precise, risk-reducing interventions that protect the entire enterprise.
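The correlation described above (and the Risk Identification and Risk Assessment steps earlier) can be made concrete with a small worked example. This is added illustrative code, not Living Security's platform or scoring model: the people, events, entitlements, targeting list, weights and tier thresholds are all constructed assumptions, chosen only to show how behavior, access and threat-intel signals combine into a per-person view and a team-level scorecard.

```python
"""Correlate three constructed signal sources into a human-risk view.

Sources (all hypothetical sample data):
  - PHISHING_EVENTS: behavior signals from a simulation campaign
  - ACCESS:          entitlements from the identity/access system
  - TARGETED:        users named in threat-intelligence reporting
"""

# Constructed sample data: (user, campaign, action)
PHISHING_EVENTS = [
    ("alice", "q3-invoice", "clicked"),
    ("alice", "q3-invoice", "reported"),
    ("bob", "q3-invoice", "clicked"),
    ("bob", "q3-hr", "clicked"),
    ("carol", "q3-invoice", "reported"),
    ("dave", "q3-hr", "ignored"),
]
ACCESS = {  # user -> entitlements (constructed)
    "alice": {"email", "crm"},
    "bob": {"email", "finance-erp", "payroll-db"},
    "carol": {"email", "source-code"},
    "dave": {"email"},
}
SENSITIVE = {"finance-erp", "payroll-db", "source-code"}  # assumed sensitive systems
TARGETED = {"bob", "carol"}  # assumed threat-intel targeting list
MANAGER_OF = {"alice": "mgr-1", "bob": "mgr-1", "carol": "mgr-2", "dave": "mgr-2"}

# Illustrative weights and thresholds (assumptions, not a vendor model)
CLICK_WEIGHT, REPORT_CREDIT, SENSITIVE_WEIGHT, TARGETED_WEIGHT = 3, 2, 2, 4
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 8, 4


def risk_profile(user):
    """Combine behavior, access and targeting into one scored profile."""
    clicks = sum(1 for u, _, a in PHISHING_EVENTS if u == user and a == "clicked")
    reports = sum(1 for u, _, a in PHISHING_EVENTS if u == user and a == "reported")
    # Reporting offsets clicking, but the behavior component never goes negative
    behavior = max(0, CLICK_WEIGHT * clicks - REPORT_CREDIT * reports)
    sensitive = ACCESS.get(user, set()) & SENSITIVE
    access = SENSITIVE_WEIGHT * len(sensitive)
    targeted = TARGETED_WEIGHT if user in TARGETED else 0
    score = behavior + access + targeted
    tier = "high" if score >= HIGH_THRESHOLD else "medium" if score >= MEDIUM_THRESHOLD else "low"
    return {"user": user, "score": score, "tier": tier, "clicks": clicks,
            "reports": reports, "sensitive_access": sorted(sensitive),
            "targeted": user in TARGETED}


def team_scorecard(manager):
    """Summarise a manager's team without exposing raw security telemetry."""
    members = [u for u, m in MANAGER_OF.items() if m == manager]
    profiles = [risk_profile(u) for u in members]
    tiers = {"high": 0, "medium": 0, "low": 0}
    clicks = reports = 0
    for p in profiles:
        tiers[p["tier"]] += 1
        clicks += p["clicks"]
        reports += p["reports"]
    interactions = clicks + reports
    # Share of phishing interactions that were reports rather than clicks
    report_rate = reports / interactions if interactions else None
    coach_first = [p["user"] for p in profiles if p["tier"] != "low"]
    return {"manager": manager, "team_size": len(members), "tiers": tiers,
            "report_rate": report_rate, "coach_first": coach_first}


if __name__ == "__main__":
    for user in sorted(MANAGER_OF):
        print(risk_profile(user))
    for manager in sorted(set(MANAGER_OF.values())):
        print(team_scorecard(manager))
```

Note that a single click (alice) lands in the low tier because she also reported, while bob's two clicks combined with payroll access and active targeting put him at the top of his manager's coaching list; that is the context a click count alone cannot show.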

Leadership's Role in Driving the Culture Shift

While managers are the critical link to employees on the ground, a true and lasting security culture shift requires buy-in from the very top. Leadership doesn't just approve the budget; they champion the vision. They set the expectation that security is a shared responsibility, not just an IT problem. When senior leaders actively model and communicate the importance of security, it sends a powerful message that cascades through every level of the organization. This top-down reinforcement empowers managers and employees to make security a priority in their daily work, transforming it from a compliance checklist into a core business value.

The Critical Influence of Senior Leadership

Executive leadership is the catalyst for cultural transformation. According to research from Deloitte, "Leaders who actively shape their company's culture are more successful at reaching their business goals." This isn't just about meeting compliance mandates; it's about fundamentally protecting the business. The same report notes that smart leaders proactively address cultural risks before they escalate into a crisis that can damage the company's reputation and performance. By prioritizing a security-aware culture, senior leaders are not just managing risk. They are building a more resilient and competitive organization from the top down, where security is woven into the fabric of how business gets done.

The Evolving Role of the Modern Risk Manager

The role of the risk manager is also undergoing a significant transformation. It's no longer enough to simply manage tools and analyze data in a silo. As industry experts note, the modern risk manager must now "help people make decisions and make sure risk information is correct and reliable." This shift moves the role from a technical function to a strategic, people-centric one. The goal is to foster what the Institute of Risk Management defines as a healthy risk culture: one where shared values and understanding empower everyone to make smart, informed decisions about risk.

This evolution requires a new approach, one that moves beyond static reports and toward dynamic, predictive insights. Human Risk Management (HRM), as defined by Living Security, provides the data-driven foundation for this new role. By correlating signals across employee behavior, identity systems, and real-time threats, HRM platforms give risk managers the visibility they need to guide individuals and teams effectively. This allows them to transition from being compliance officers to becoming strategic advisors who actively shape and strengthen the organization's security posture, preventing incidents before they happen.

The Questions Managers Will Ask (and How to Prepare)

As soon as managers get their first team scorecard, they’ll ask: “Okay, what do I do with this?”

That’s your moment. Be ready with answers like:

  • Start small. Focus on one or two high-impact behaviors at first.

  • Talk about it. Use intranet posts, team huddles, or quick emails to keep security visible.

  • Celebrate wins. Shout out individuals or teams that are moving the needle.

  • Stay connected. Share feedback with the security team so improvements keep building.

Think of it as giving managers a playbook. The plays don’t have to be complicated—they just need to be consistent.

Manager Scorecards: A Catalyst, Not the Finish Line

Manager Scorecards are just one step in moving the needle on security culture. They give managers visibility and the ability to coach, but true culture change requires a bigger plan. It starts with setting a clear goal for improving security culture, then taking deliberate steps to engage managers, align with HR and communications, and measure progress along the way.

Here’s a high-level view of that journey:

  • Set clear goals – define what “better security culture” looks like for your organization.

  • Build dependencies – partner with HR and comms so the rollout feels consistent, fair, and aligned to company values.

  • Prepare & set up – decide which behaviors to track, design the scorecards, and draft messaging.

  • Execute with managers – launch the scorecards, provide talking points, and coach managers on how to use them.

  • Avoid pitfalls – ensure data quality, avoid vague messaging, and set realistic expectations.

  • Report the wins – measure improvements in team behaviors, spotlight success stories, and share results with leadership.

Scorecards are the catalyst—but the real change comes from embedding them into a step-by-step playbook that transforms how managers, employees, and security leaders work together to reduce risk. For the detailed playbook on setting goals, executing each step, and measuring cultural impact, please reach out to your Customer Success Manager.

Key Principles for Effective Risk Management

Moving from a reactive security posture to a proactive one requires more than just new tools; it demands a fundamental shift in strategy. Effective risk management is not about creating a culture of "no." It's about building a resilient organization where security is woven into the fabric of daily operations, enabling the business to move forward with confidence. This strategic approach rests on a few core principles that transform risk management from a compliance exercise into a powerful business enabler. By securing executive buy-in with clear financial metrics, breaking down internal silos for a unified view of risk, and strategically balancing risk mitigation with business opportunities, you can build a program that not only protects the organization but also propels it forward.

Human Risk Management (HRM), as defined by Living Security, provides the data-driven foundation for these principles. By correlating signals across employee behavior, identity systems, and real-world threats, an HRM program makes risk visible and measurable. This allows security leaders to move beyond simple awareness campaigns and implement targeted actions that change behavior and demonstrate clear value. The following principles are not just theoretical ideals. They are actionable pillars that, when supported by the right data and technology, create a robust and effective risk management framework that stands up to modern threats and empowers your teams.

Securing Executive Buy-In with Financial Impact

For too long, security has been perceived as a cost center. To change this narrative, security leaders must learn to speak the language of the business: finance. Translating risk into potential financial impact is the most effective way to get the attention and support of the C-suite and the board. As one report notes, "Boards and executives are much happier with their ERM programs when risks are measured using clear financial numbers." This clarity helps them align security initiatives with broader company goals. An HRM platform provides the quantifiable data needed to build this business case, showing how a reduction in risky behaviors directly correlates to a lower probability of costly incidents like data breaches or compliance fines.

Breaking Down Silos for an Integrated Strategy

Risk does not respect organizational charts. A threat can emerge from a behavioral pattern, an over-privileged identity, or an external attack, and often involves all three. Yet, many organizations still manage these areas in silos, leaving dangerous gaps in their visibility. A truly integrated strategy requires a unified view. As industry experts note, "A strong tool... can completely change how risk managers work and improve the whole company's culture." Living Security, a leader in Human Risk Management (HRM), achieves this by analyzing data across behavior, identity and access, and threat intelligence. This correlated insight breaks down silos, providing a single, comprehensive picture of human risk and fostering the collaboration needed for a proactive security culture.

Balancing Risk Reduction with Business Opportunity

The goal of risk management is not to eliminate all risk—it is to manage it intelligently so the business can innovate and grow. An overly restrictive security posture can stifle productivity and prevent the adoption of new technologies. The key is finding the right balance. A well-designed program "doesn't just lower risks; it helps leaders make smarter choices, balance risks with new chances, and make the company stronger for the long run." Predictive insights from an AI-native HRM platform make this balance possible. Instead of issuing blanket prohibitions, security teams can identify the specific individuals or roles most likely to introduce risk with a new tool or process and deliver targeted solutions, enabling progress without sacrificing security.

From Compliance to Culture

Security has spent years handing employees the equivalent of laminated “safety cards”—awareness modules, compliance trainings, check-the-box exercises. Important, yes. Memorable, not always.

But when you give managers visibility into human risk, the dynamic changes. Suddenly, security isn’t a once-a-year box to tick; it’s part of daily performance. Employees own their behaviors. Managers reinforce them. And security leaders finally have proof that culture is moving in the right direction.

Because at the end of the day, building a security-first culture isn’t about more dashboards in the SOC. It’s about the conversations happening inside teams, shaped by the leaders employees trust most.

Ready to see how Living Security is helping organizations make human risk a shared responsibility? Explore more at www.livingsecurity.com.

Understanding the Timeline for Change

So, how long does this actually take? There’s no magic number, because changing culture isn’t a project with an end date—it’s a continuous process. The timeline depends heavily on your starting point; an organization where leaders feel their culture already supports change will move faster than one starting from scratch. The key is to integrate change management directly into your risk management strategy, not treat it as a separate initiative. While a full cultural transformation is a long-term commitment, you can see meaningful progress in stages. Early wins, like higher phishing report rates, can appear within months of empowering managers. Deeper, lasting behavioral shifts follow as you consistently reinforce and measure what matters, moving your organization along a defined maturity model.

Frequently Asked Questions

How is this approach different from traditional security awareness training? Traditional security awareness training often focuses on annual, one-size-fits-all compliance requirements. This approach shifts the focus from compliance to continuous risk reduction. Instead of just checking a box, it provides managers with ongoing, specific data about their team's behaviors. This turns security into a regular conversation and a shared responsibility, rather than a once-a-year event that is quickly forgotten.

What kind of information does a Manager Scorecard actually show? A Manager Scorecard is not a complex security dashboard filled with technical jargon. Think of it as a simple, clear summary of a team's security posture. It highlights key risk areas and behavioral trends, such as susceptibility to phishing or patterns in data handling. The goal is to give managers an at-a-glance understanding of where their team is strong and where they need to provide coaching, all without needing a background in cybersecurity.

My managers are busy and aren't security experts. How can they effectively use this information? That's exactly the point; they don't need to be security experts. The platform is designed to translate complex risk signals into simple, actionable insights. We provide managers with a playbook and clear talking points so they can feel confident starting conversations. Their role isn't to be a technical resource but to be a coach who reinforces the importance of secure behaviors during their regular team interactions.

How does Human Risk Management (HRM) fit into our existing Enterprise Risk Management (ERM) framework? Human Risk Management (HRM), as defined by Living Security, applies the proven, structured principles of ERM directly to the human layer of security. While your ERM framework provides the overall strategy for managing risk across the entire business, HRM provides the specific tools and data-driven methodology to make human risk visible, measurable, and manageable within that larger structure, treating it with the same rigor as any other critical business risk.

How do you measure the success of a culture shift risk management program? Success is measured through clear, quantifiable changes in behavior, not just training completion rates. We track metrics that demonstrate tangible risk reduction over time. This includes outcomes like a sustained decrease in phishing simulation clicks, an increase in employees proactively reporting suspicious emails, and improved data handling practices. These board-ready metrics show a direct correlation between the program's efforts and a stronger security posture for the organization.

Key Takeaways

  • Activate managers as your primary security influencers: True culture change is driven by team leaders, not just top-down mandates. Provide them with simple, actionable scorecards to turn them into effective security coaches who can guide daily behaviors.
  • Translate complex risk data into clear, actionable guidance: Security insights often stay locked within security teams. A successful program makes human risk understandable for non-security leaders, enabling them to address risky behaviors before they lead to an incident.
  • Treat human risk with strategic discipline: Move beyond ad-hoc training by applying a formal Enterprise Risk Management (ERM) framework. This structured approach makes human risk visible and measurable by correlating data across behavior, identity, and threat intelligence.
