Your People: Criminally U...
October 2, 2021
Director of Marketing at Living Security
The phrase "weakest link" has done more damage to cybersecurity than any single piece of malware. This outdated mindset creates a self-fulfilling prophecy, forcing employees into a passive, fearful role. When you treat them as a problem to be contained, your people are criminally underutilized. You are ignoring a distributed network of human sensors capable of detecting subtle threats that your security stack misses. It’s time to activate this potential, shifting from a strategy of containment to one of empowerment and creating a resilient culture where every employee becomes a proactive defender.
People! People have been criminally underutilized in the fight against cybercrime. They have been ignored, misunderstood, blamed, shamed and virtually handicapped. This is a tragedy resulting from years of fear-based motivation, bad design, checkbox-security training, security theater and behavior management.
But with training and careful design, the same culture you thought was apathetic becomes a resilient, intelligent human firewall. We’ve seen it, firsthand.
Maybe you don’t believe me. I understand that, depending on the report, human error accounts for somewhere between 60-90% of security breaches across corporate America and around the world, resulting in huge financial losses. So it is only natural that there is a lot of talk about how to reduce human error, eliminate the ‘people problem’ and disarm all your ‘weakest links.’
Here’s the thing, though: there is increasing evidence that people are the best sensors for suspicious activity. When reports about suspicious emails go up, sophisticated phishing emails get caught at higher rates. When people report suspicious activity on their devices or network that machines can’t catch, response teams zero in on potential threats. And when people report suspicious behavior, they catch things video feeds can’t even find.
The statistics are daunting, but they also reveal a massive opportunity. If human actions contribute to the majority of security incidents, then positively influencing those actions presents the single greatest lever for reducing organizational risk. This is the foundational idea behind Human Risk Management (HRM). Instead of viewing your workforce as a liability to be contained, an effective HRM program helps you see them as your most valuable security asset. The key is shifting from a mindset of blame to one of empowerment. By understanding the context behind risky behaviors, you can transform your team from a potential vulnerability into an active and intelligent line of defense, as reflected in CISA's concept of building a cybersecurity culture.
So, how do you tap into this potential? It starts with data. Traditional security awareness programs often stop at phishing click rates or training completion, which only tells a fraction of the story. To truly understand risk, you need a more comprehensive view. Human Risk Management, as defined by Living Security, involves correlating signals across multiple sources to see the full picture. By analyzing data from employee behavior, identity and access systems, and real-time threat intelligence, you can identify not just who is acting in a risky way, but why. This data-driven approach allows you to move beyond generic campaigns and pinpoint the specific individuals, roles, and access levels that pose the highest risk to your organization before an incident occurs.
With this level of insight, you can finally get ahead of the problem. Instead of reacting to breaches, you can predict where they are most likely to happen. The leading Human Risk Management Platform from Living Security is built to do exactly this. It helps security teams predict risk trajectories, guide employees with personalized interventions like targeted micro-training, and act to reduce risk before it materializes into a costly incident. This proactive stance is critical. As reports from Verizon show, people are often the best sensors for suspicious activity. By equipping them with the right knowledge and tools at the right time, you empower them to become a proactive force for security, effectively turning your entire workforce into a distributed threat detection network.
Bottom line? Arm your people for the war on cybercrime. You won’t regret it.
Here's how. Encourage your people to report...
I’m sure you’ve heard about “see something, say something.” And while it doesn’t help change behavior, it gets to the heart of the issue: people are part of the solution.
Intuition tells people when something is wrong or at least out of the ordinary. And when they don’t report suspicious activity, it sometimes takes organizations more than six months to detect a data breach!
Make use of the best weapon you have. The human!
The concept of overlooked value isn't unique to cybersecurity. It appears everywhere, even in the most unexpected fictional universes. Take the sprawling lore of Warhammer 40,000, a setting known for its massive, galaxy-spanning conflicts. Even here, fans point out rich, underutilized concepts that hold immense potential. These are factions, histories, and character types that exist in the background but could offer so much more if given the spotlight. It’s a powerful lesson in looking past the obvious front-line battles to find hidden strengths and strategic depth. This same principle applies when we evaluate the human element in our organizations; often, the greatest potential is the asset we've overlooked the most.
Within this complex universe, certain elements are consistently highlighted by fans as having untapped narrative potential. For example, the Necron Triarch Praetorians are ancient android guardians who observe battles from above, identifying honorable foes and enforcing ancient codes of combat. Instead of being mere soldiers, they act as strategic observers with a unique perspective. Similarly, the "New Kingdom" of the Thousand Sons faction represents a stable society built by psychic refugees, a stark contrast to the usual chaotic portrayal of their allegiance. These examples show that even in a universe defined by war, there are pockets of strategy, society, and nuance that are often left unexplored, much like the latent security potential within an organization's workforce.
The Praetorians are a fascinating case study in observation over brute force. They don't just charge into the fight. Instead, they hover above the battlefield, analyzing the flow of combat and identifying key threats or honorable opponents based on millennia-old directives. Their value isn't in their immediate destructive power but in their strategic oversight and their ability to change the rules of engagement. This is a perfect parallel to an engaged employee who, rather than just following rote procedures, can observe their digital environment, spot anomalies that automated systems miss, and provide the critical intelligence needed to neutralize a threat before it escalates.
Another compelling example is the stable empire being built by Magnus the Red and his Thousand Sons. In a universe where their faction is typically associated with destruction and madness, they are creating a sanctuary in real space for psychic refugees from the oppressive Imperium. This "New Kingdom" is a functioning society, a place of order and purpose amidst chaos. It demonstrates that even groups perceived as inherently dangerous or chaotic can possess the capacity for creation and stability. This challenges the one-dimensional view of risk and suggests that with the right structure and purpose, even perceived liabilities can become foundational strengths.
The lore also contains entire sub-factions that are rarely seen, like the Eldar Exodites. These are space elves who rejected their empire's decadence to live on primitive worlds, riding dinosaurs and piloting unique war machines. They represent a completely different approach to survival and warfare. Likewise, the Genestealer Cults, known for infiltrating human societies, can infect any species, leading to the potential for bizarre and varied alien-hybrid organizations. These concepts show the immense diversity of threats and allies that exist just beyond the main narrative, reminding us that our understanding of risk must be flexible and account for unconventional scenarios and actors.
Beyond specific units, entire historical periods and factions are ripe for exploration. The era immediately following the collapse of the ancient Eldar empire, for instance, was a time of immense struggle, adaptation, and innovation for the survivors. This period forged their modern identity, yet it's often glossed over in favor of current events. Focusing on these foundational moments reveals resilience and adaptability. It’s a reminder that understanding the history of how your team has adapted to past challenges can reveal inherent strengths that are crucial for facing future threats, turning historical context into a strategic asset for building a resilient security culture.
Moving from fiction to a powerful real-world example, the concept of second chance hiring provides a compelling case for re-evaluating perceived risks. In the United States, roughly one in three adults has a criminal record, creating a massive and often overlooked talent pool. For years, these individuals have been systematically excluded from the workforce, viewed primarily through the lens of their past mistakes. However, a growing body of evidence shows this perspective is not only outdated but also detrimental to business growth and economic stability. By shifting the focus from past records to future potential, companies are discovering a motivated, loyal, and high-performing segment of the workforce that was hiding in plain sight.
The scale of the U.S. criminal justice system has profound economic consequences that ripple through communities and the national economy. With the U.S. housing nearly a quarter of the world's prisoners despite having less than 5% of its population, a significant portion of the potential workforce is sidelined. This system disproportionately affects people of color, exacerbating wealth and equality gaps. The economic burden isn't just on the individuals; it's a systemic drag on the economy, limiting growth by excluding millions of capable and willing workers. Understanding this impact is the first step toward recognizing the immense opportunity that second chance hiring presents for both society and business.
The numbers are staggering. As the Brennan Center for Justice reports, about one-third of American adults have a criminal record. This creates a persistent barrier to stable employment, housing, and economic mobility for a huge portion of the population. This isn't a niche issue affecting a small group; it's a widespread challenge that effectively locks a significant talent pool out of the economy. For businesses, this means they are artificially limiting their access to skilled and motivated individuals. Recognizing the sheer scale of this untapped workforce is critical for any leader focused on talent acquisition and growth in a competitive market.
A criminal record carries a severe and lasting economic penalty. The unemployment rate for formerly incarcerated individuals hovers around 30%, far exceeding the national average. For those who do find work, their earning potential is drastically reduced. According to research, time spent in prison can cut a person's annual earnings by more than half. This lost income doesn't just harm the individual; it reduces consumer spending, lowers the tax base, and increases reliance on social safety nets. It's a cycle of economic disadvantage that could be broken by providing stable, meaningful employment opportunities.
The criminal justice system's impact is not felt equally across all demographics. Black and Latino individuals are disproportionately represented at every stage of the system, from arrests to sentencing. This systemic inequity directly contributes to the persistent racial wealth gap. When a significant portion of these communities faces barriers to employment and reduced earnings due to past convictions, it becomes nearly impossible to build generational wealth. Addressing this disparity through fair hiring practices is not just a moral imperative; it's an economic one that can lead to a more equitable and prosperous society for everyone.
Despite the challenges, the data on second chance hiring paints a clear picture of opportunity. This is not about charity; it's about smart business. Companies that embrace second chance hiring are finding that these employees are not only capable but often outperform their peers in terms of loyalty and engagement. The U.S. Chamber of Commerce highlights that this talent pool is not just large but also highly motivated. By tapping into this workforce, businesses gain dedicated employees, reduce turnover costs, and contribute to stronger, safer communities. It’s a clear win-win scenario that challenges outdated assumptions about who makes a valuable employee.
The motivation within this talent pool is exceptionally high. Data from the U.S. Chamber of Commerce shows that over 93% of formerly incarcerated people between the ages of 25 and 44 are actively participating in the labor force, a rate higher than that of the general population in the same age group. This isn't a group of people who are disengaged; they are actively seeking the opportunity to work, contribute, and rebuild their lives. For employers struggling to find dedicated workers, this represents a significant and eager source of talent that is often completely overlooked by competitors.
Concerns about performance are quickly dispelled by the facts. The same U.S. Chamber of Commerce report found that 85% of HR leaders and 81% of business leaders say their second chance hires perform as well as, or even better than, other employees. These individuals often exhibit higher levels of loyalty and lower turnover rates, which translates directly into cost savings for the business. By giving someone a meaningful opportunity, companies are rewarded with a dedicated employee who is deeply invested in their role and the success of the organization. This is a powerful business case for looking beyond a background check.
Stable employment is one of the single most effective tools for reducing recidivism. When a formerly incarcerated person secures and maintains a job for just one year, their likelihood of returning to prison plummets from 52% to just 16%. This has a profound impact on public safety and community well-being. By hiring from this talent pool, businesses are not just filling a role; they are actively participating in creating a safer society and breaking the cycle of incarceration. This positive social impact also enhances a company's brand reputation and can be a significant factor in attracting both customers and other employees.
To fully unlock the potential of this workforce, systemic change is needed. Advocacy groups and business leaders are pushing for policy reforms that remove unnecessary barriers to employment. These changes are not about lowering standards but about creating a fair system where individuals are judged on their qualifications and potential, not just their past. Policies like "ban-the-box," licensing reform, and bail reform are practical steps that can level the playing field and allow a huge segment of the population to re-enter the workforce, strengthening the economy and our communities in the process.
"Ban-the-box" initiatives are a crucial first step. These laws delay inquiries into an applicant's criminal history until later in the hiring process, giving them a fair chance to be judged on their skills and qualifications first. This simple change prevents qualified candidates from being automatically filtered out by an initial checkbox. It ensures that a conversation can happen and that hiring managers can make a more holistic and informed decision. This policy helps to remove the initial barrier that prevents so many from even being considered for a role.
Many professions require occupational licenses, and laws often automatically bar anyone with a criminal record from obtaining one, even if their past offense is completely unrelated to the job. Reforming these laws to allow for individual assessments would open up countless career paths. Similarly, abolishing cash bail, which often keeps people in jail before trial simply because they cannot afford to pay, would prevent individuals from losing their jobs and housing for minor offenses. These reforms focus on assessing actual risk rather than enforcing blanket punishments, ensuring people can remain productive members of society.
For many non-violent and less serious offenses, alternatives to incarceration can be far more effective and less destructive. Options like drug treatment programs, probation, and community service can address the root causes of criminal behavior without the devastating economic and social consequences of a prison sentence. By investing in these alternatives, we can keep more people in the workforce, reduce the strain on the justice system, and build safer communities. This approach focuses on rehabilitation and prevention, which ultimately creates a stronger and more resilient society.
The theme of overlooked potential extends directly to our educational system, where community college is often dismissed as a lesser option compared to a traditional four-year university. This perception is a significant miscalculation. For many, community college represents the single most efficient, high-ROI pathway to a stable, well-paying career. It offers a practical, affordable, and flexible alternative that equips students with in-demand skills without the crushing burden of debt that often accompanies a four-year degree. By ignoring or devaluing this pathway, we are overlooking a powerful engine for economic mobility and workforce development that is perfectly aligned with the needs of the modern economy.
The argument for community college is grounded in practicality and results. In a time when the cost of higher education is skyrocketing, community colleges offer an affordable entry point. They focus on teaching practical, job-ready skills that are directly applicable in the current market, from skilled trades to technology. This educational model provides incredible flexibility, allowing students to either enter the workforce quickly with a valuable credential or seamlessly transfer to a four-year institution to continue their education. It’s a low-risk, high-reward option that deserves to be seen as a primary and strategic choice, not a backup plan.
The return on investment for community college is undeniable. As noted by industry observers like Adam Rossi, a two-year degree can cost as little as $6,000 in total. Compare that to the six-figure debt many students accumulate at four-year universities. This affordability means students can gain valuable qualifications without starting their careers in a deep financial hole. It allows them to begin building wealth and financial stability much earlier in life. For anyone looking at education from a practical, financial perspective, the high ROI of community college is impossible to ignore.
Community colleges excel at aligning their curriculum with the needs of the local job market. They partner with businesses to develop programs that teach the specific, practical skills employers are looking for right now. This can include everything from welding and nursing to cybersecurity and cloud computing. In many cases, specialized associate's degrees or certificate programs can lead directly to jobs paying well over $100,000 a year. This focus on tangible skills ensures that graduates are not just educated, but employable, providing a direct pipeline of talent into critical industries.
One of the greatest strengths of the community college system is its flexibility. It serves as both an effective career launchpad and a stepping stone to further education. A student can earn an associate's degree in two years and immediately enter the workforce with a valuable credential. Alternatively, they can use the transfer pathway to complete their first two years of a bachelor's degree at a fraction of the cost before moving to a four-year university. This optionality gives students control over their educational and career journey, allowing them to adapt to their personal and financial circumstances.
These examples, from fictional universes to real-world social and educational systems, all point to the same powerful truth: immense potential is often hidden in plain sight, overlooked because of outdated assumptions or a narrow focus. This brings us back to the heart of modern cybersecurity. For too long, employees have been labeled the "weakest link," a problem to be managed or a liability to be contained. This perspective is fundamentally flawed. Your people are not a liability; they are your most criminally underutilized security asset. They possess intuition, contextual awareness, and an on-the-ground perspective that no automated tool can replicate. The key is to stop seeing them as the problem and start empowering them to be the solution.
Transforming employees from a perceived risk into a proactive defense layer requires a fundamental shift in strategy. It means moving beyond compliance-based, check-the-box training and creating a genuine security culture. It requires arming your people with the right knowledge, fostering an environment where they feel empowered to report suspicious activity without fear of blame, and giving them the tools to be an active part of your defense. When you do this, you don't just reduce human error; you activate a distributed network of human sensors that can detect and flag threats with remarkable accuracy, turning your entire organization into a resilient human firewall.
Traditional security is reactive; it waits for an alert and then responds. But an empowered workforce enables a predictive stance. When an employee reports a subtly unusual email that bypassed your filters, they are providing a predictive indicator of a new phishing campaign. This is the core philosophy behind Human Risk Management (HRM), as defined by Living Security. It’s about moving from detection to prediction. By analyzing signals from your people, you can identify emerging threats before they lead to an incident. This proactive approach, which treats human insight as valuable threat intelligence, is essential for staying ahead of sophisticated attackers.
To unlock this potential, you must first make human risk visible and measurable. This goes beyond simple phishing click rates. An effective Human Risk Management program requires correlating data across multiple pillars: employee behavior, identity and access systems, and real-time threat intelligence. This comprehensive view allows you to see not just what people are doing, but also what access they have and what threats are targeting them. This data-driven foundation transforms vague concerns about "human error" into a clear, actionable picture of your organization's specific risk landscape, enabling you to apply targeted interventions where they will have the greatest impact.
This is where technology becomes a powerful enabler. Living Security, a leader in Human Risk Management (HRM), offers the leading AI-native HRM platform built to turn your workforce into a proactive defense. Our platform analyzes over 200 risk indicators to deliver a comprehensive view of human and AI agent risk. At its core is Livvy, your AI guide, which doesn't just show you data; it predicts emerging threats, guides your team with evidence-based recommendations, and acts autonomously to deliver targeted micro-training and policy nudges. By combining broad data visibility with intelligent, AI-driven action and human-in-the-loop oversight, we help you move beyond awareness and proactively reduce risk across your enterprise.
How can people be an asset when statistics consistently show human error causes most breaches?
That’s a fair question, and it gets to the heart of the issue. Those statistics don't show that people are inherently flawed; they show the result of a flawed strategy that treats them as a passive problem. When you only provide generic, check-the-box training, you get passive results. Human Risk Management (HRM) reframes this by treating human observations as a critical intelligence source. By understanding the context behind risky actions and empowering people to report anomalies, you transform them from a potential liability into your most effective and distributed sensor network.
My organization already does security awareness training. How is Human Risk Management different?
Security awareness training is typically a one-size-fits-all annual event focused on compliance. Human Risk Management (HRM), as defined by Living Security, is a continuous and data-driven security strategy. Instead of just tracking who completed a training module, an HRM program correlates data from multiple sources, including employee behavior, identity and access systems, and real-time threat intelligence. This gives you a measurable, actionable view of risk, allowing you to deliver personalized interventions to the right people at the right time and proactively reduce risk before an incident occurs.
What does it practically mean to "empower" employees in cybersecurity?
Empowerment in this context means moving beyond fear and blame. It involves creating a security culture where employees feel safe and encouraged to report suspicious activity, even if they are unsure. This is achieved by providing clear, simple reporting channels and showing that their vigilance leads to positive action. When an employee reports a strange email and understands how that helps the security team stop a potential attack, they become an engaged partner in your defense rather than just a target for attackers.
You talk about analyzing employee behavior and access. How does your platform address privacy?
Privacy is fundamental to our approach. The Living Security platform is designed to analyze security-related risk signals from corporate systems, not to conduct personal surveillance. We focus on correlating data from identity platforms, security tools, and threat feeds to identify patterns that indicate risk, such as an account with excessive permissions being targeted by a phishing campaign. The goal is to understand and mitigate organizational risk, with all actions guided by strict data governance and human-in-the-loop oversight, keeping your security team in control.
What is the role of AI in your platform, and how is it different from other "AI-powered" tools?
Our platform is AI-native, which means artificial intelligence is woven into its very fabric, not just added on. At the center is Livvy, your AI guide. Livvy analyzes over 200 risk indicators to predict emerging threats across both human and AI agents. It then provides your team with clear, evidence-based recommendations and can autonomously act to deliver targeted micro-training or policy nudges. Because Livvy is built on the world's largest HRM dataset, it moves beyond simple alerts to provide precise, proactive guidance that helps you prevent incidents.