Why Your Cyber Workforce Awareness Program Is Doing Everything Right... and Almost Nothing Useful

Written by Aaron Pritz | Apr 20, 2026 11:00:01 AM

TL;DR — Organizations have spent two decades treating human risk as a training problem. It’s not. It’s a business process and productivity problem. The shift from Security Awareness Training to Human Risk Management isn’t a product upgrade; it’s a fundamental rethink of what “managing people risk” actually means. And most organizations are nowhere near ready for what that actually requires.

Somewhere between 60% and 88% of breaches involve a human element, depending on whose data you trust. The Verizon DBIR has reported similar findings consistently. Stanford University puts it at 88%. IBM’s research found 74% of CISOs named human error as their top cybersecurity risk in 2024, up from 60% the year before.

These stats continue to be used provocatively, but we’ve known this for twenty years.

Pause for a moment, and ask yourself: of every dollar your organization spends on cybersecurity, what percentage goes toward meaningfully addressing the problem you just acknowledged is responsible for the majority of your risk?

Not on tools that detect the aftermath of human mistakes. Not on endpoint controls that kick in after someone clicked something.

On proactively, measurably reducing the likelihood your people will create the opening in the first place.

For many organizations, the percentage is tiny.

The other colloquialism we encounter in conjunction with the stats, “people are our best line of defense,” has never been overly plausible. That’s because—beyond SaaS tools and an occasional half-hearted effort to start a champions program—security practitioners have never invested enough in people to meaningfully support cyber risk reduction.

We built an industry genuinely sophisticated at chasing technical risk. And we’ve spent two decades running the same plays on human risk: buy a tool, assign training modules, run phishing simulations, report phish click and training completion rates to the audit committee, and, if you remember before September, run a special event in October. Rinse and repeat annually.

That’s not a strategy. That’s a compliance exercise.

Why The Legacy Model Is Broken

Security Awareness Training (SAT), which the technology industry is quietly abandoning in favor of Human Risk Management (HRM), was built for a different era. The Computer Security Act made awareness training mandatory for federal employees back in 1987. Shortly after, NIST issued its first guidance. The field has largely looked the same ever since: one-size-fits-all modules, annual cadences, completion metrics, and a persistent, optimistic belief that if we just told people what to watch out for, they’d stop clicking on things they shouldn’t.

The belief was wrong, and we’ve always kind of known it. The data we're tracking solidifies that hunch every year.

Forrester formalized what many CISOs had privately concluded when it officially retired the SAT nomenclature in 2024, declaring that security awareness training, despite becoming a $6 billion annual market, had delivered “marginal benefits” against the problem it was designed to solve. Forrester wasn’t wrong. Despite massive investment in awareness infrastructure, Business Email Compromise (BEC) losses hit $2.77 billion in 2024. Phishing remains a primary initial access vector. Senior executives who’ve sat through more security training than almost anyone are among the most targeted and most frequently compromised.

Training people to recognize every phishing variant has never worked because that’s not how human cognition operates. People under pressure, distracted, or in novel situations make decisions based on context and habit. They don’t recall training modules, especially when they’re rushed or reacting to clickbait scare tactics.

The awareness-action gap isn’t a content quality problem. It’s a fundamental misunderstanding of how behavior change actually happens.

Right now, the tech/tool industry is leading the shift to HRM. This might be problematic, because—shocker—technology alone is not going to magically prompt meaningful actions, better data, or insights. It might give you a more focused bullseye to shoot at, but it’s not going to pull the trigger on meaningful people and process changes within an organization.

HRM: What It Actually Is (and What Vendors Are Pretending It Is)

Human Risk Management is Forrester’s formal name for the category sitting between “teach people stuff” and “protect the organization from what people do.” Casual explanation aside, a more formal definition does matter: HRM quantifies individual human risk based on behavioral signals, contextual exposure, and security event data, then uses that intelligence to trigger targeted interventions, policy adjustments, and operational changes.

That last phrase is the one almost everyone skips! The technology won’t make those operational and business process changes for you.

Vendors are excited about the measurement piece, and it is genuinely useful. Platforms evaluated in the Forrester Wave for HRM can now track 250+ discrete behavioral signals, produce individual risk scores, and identify the users who represent disproportionate exposure. Research from the Cyentia Institute found just 10% of users account for 73% of risky actions. That’s a real insight with real operational value. If you know which 10%, you can stop applying uniform effort to everyone and start concentrating resources where they’ll actually matter.

But here’s what the vendor pitch leaves out: there will always be a top 10%. Even if you can transform the high-risk 10% into best-in-class, high-performing security savants (or just fire them), the next 10% will arrive.

If you take your highest-risk users and train them more aggressively, some will improve. Others will be replaced by previously moderate-risk users who now occupy the top of the distribution. You won’t have solved human risk; you will have trimmed the tail temporarily. The moment you stop applying pressure, the tail grows back. Further, the tools enable targeted training and real-time nudges, but they definitely don’t reengineer business processes and controls to make things easier for employees to do the right thing.

This is the limitation no one in the HRM vendor ecosystem wants to talk about at their booth: measurement without process change is just more sophisticated reporting.

The Missing Piece: Business Process Engineering

Here’s where I think the market conversation breaks down, and where the real work and transformation in human risk lives.

Think about what happened in the early days of Data Loss Prevention. Organizations deployed DLP tools expecting to flip a switch and stop sensitive data from leaving. What they discovered was years of accumulated human behavior that had shaped itself around broken or nonexistent data handling processes: finance teams emailing sensitive spreadsheets because the approved workflow was too slow; clinical staff sharing patient records via consumer file sync tools because internal systems couldn’t handle attachments over 25MB.

DLP didn’t just reveal data risk. It revealed the organization’s processes had been quietly conditioning its people to be insecure for years.

HRM, done well, will reveal the same thing.

When you identify your highest-risk user populations (your finance team, your M&A analysts, your clinical research coordinators, and so on), you’re not just identifying people who need more training. You’re identifying populations whose day-to-day work creates risk that training cannot realistically eliminate. The accounts payable analyst who approves wire transfers manually isn’t an individual training problem... they have a workflow problem. The clinical operations coordinator who regularly shares large data files with external CROs isn’t a phishing awareness problem... they’re encountering a process design problem.

Business process re-engineering around high-risk populations (essentially making the secure path the easy path) is the only intervention producing durable risk reduction. Not because we’ve changed how people think about security, but because we’ve changed the system so secure behavior is what the workflow naturally produces.

This is not a new concept. In operations and safety, it’s called Human Factors Engineering, and industries like aviation, nuclear energy, and pharmaceuticals have used it for decades. Cybersecurity is late to the conversation, and many technical cyber program staff simply don’t have the skillset to design or drive process changes within the business they support.

What This Actually Requires

I want to be direct about something, because our industry tends to undersell the difficulty of what good HRM demands.

Real human risk reduction requires cybersecurity practitioners who can do something most of us weren’t trained to do: get genuinely curious about how work actually happens.

Our HRM industry challenges are not a technology problem. Buying a better HRM platform is a useful step. It is not the end-game solution.

Practically, “getting genuinely curious” means sitting with the Accounts Payable team during month-end close. It means mapping the actual data flows in a clinical trial, not the ones documented in the policy. It means understanding why a finance director approved a $2M wire transfer from a Gmail account (not to assign blame, but to understand what made the scenario plausible enough for a smart professional not to question it).

It also requires skills the industry has historically treated as peripheral to “real” technical security work: human psychology, change management, process modeling, and organizational behavior. The CISOs who will lead on this aren’t necessarily the ones with the deepest technical backgrounds. They’re the ones willing to step out of the technical shell and engage with the business as a system, not just as an attack surface.

Only 28% of organizations currently combine both regular awareness training and continuous behavioral monitoring. The stat is a good indication of where the market is. Most organizations haven’t even cleared the baseline bar of HRM measurement, let alone moved on to the process design work.

A Framework Worth Naming: The Three Layers of Human Risk Maturity

I’ve been thinking about this as a three-layer model. Most organizations are stuck at Layer 1.

Layer 1: Compliance-Driven Awareness.

Key Actions: Annual training. Phishing simulations. Completion rates reported to the board.

Vibe Check: This satisfies regulatory requirements and creates the appearance of a program. It does not materially reduce risk.

Layer 2: Behavioral Measurement.

Key Actions: HRM platforms deployed. User risk scores established. Highest-risk populations identified. Targeted training interventions delivered to the users who need them most.

Vibe Check: This is genuinely better than Layer 1. It’s where most forward-thinking programs are headed. It’s also where most will stop, because Layer 3 is harder.

Layer 3: Continuous Process Redesign.

Key Actions: High-risk workflows identified and redesigned. Secure behavior becomes the path of least resistance, not the path of most effort. Cybersecurity practitioners embedded in business process improvement—not advising from a distance, but actively co-designing how work gets done.

Vibe Check: This is where human risk actually gets managed, not just measured.

Most organizations will buy technology that enables Layer 2 and call it an HRM transformation. The ones that will actually bend their breach probability curves are the ones willing to do the unglamorous, time-intensive work of Layer 3.

The Practitioner Gap

I’ll close with one aspect of how this category is evolving that irks me.

The HRM market is growing fast. Vendors are racing to add behavioral analytics, AI-driven interventions, and risk scoring to their platforms. Gartner and Forrester are writing waves, quadrants, and landscapes. CISOs are budgeting.

Meanwhile, almost no one is talking about whether our industry has enough practitioners who actually know how to do the process design work that makes any of this matter.

Process improvement is a discipline. Human factors engineering is a discipline. Organizational change management is a discipline. We don’t teach these things in security certifications. We don’t hire for them. We’ve built a workforce optimized for technical controls and compliance documentation, and we’re asking that workforce to do something fundamentally different.

The organizations getting ahead of this will be the ones either (1) developing and investing in this capability internally or (2) partnering with advisors who bring organizational change management (OCM) experience to the table. Companies might need a platform recommendation, but they also need someone to stay in the room long enough to understand what’s actually driving behavior, and to help redesign the systems making their people less secure every day.

Human risk has been underserved for twenty years because it has always been hard work that doesn’t come with a spec sheet or a module that magics the concern away. HRM as a category gives us better tools to measure the problem.

Now we need to actually solve it.

Aaron Pritz is the CEO of Reveal Risk, a boutique cybersecurity consulting firm with a specialty focus on pharma, biotech, and healthcare organizations, among others. Reveal Risk’s Human Risk Management services help organizations move beyond awareness programs to measurable, behavior-driven risk reduction. If you’re ready to evaluate where your program actually stands, and what it would take to reach Layer 3, reach out at info@revealrisk.com.

FAQ — For the Curious

Q: What’s the actual difference between Security Awareness Training and Human Risk Management?

SAT is about what people know. HRM is about what they do. SAT measures completion rates. HRM measures behavioral change and connects that change to actual risk reduction. SAT is a compliance exercise. HRM is a risk management discipline.

Q: If we deploy an HRM platform, isn’t that enough?

The platform is the measurement layer. Measurement without action is just more sophisticated reporting. The real value comes from using that measurement to drive process changes and targeted interventions, which requires practitioner capacity and business engagement that the platform itself cannot provide.

Q: Is HRM relevant to regulated industries specifically?

Extremely. Pharma, biotech, and healthcare organizations have regulatory requirements (HIPAA, GxP, SOC 2, FDA CFR Part 11) that explicitly demand effective human controls. But more importantly, these industries have complex workflows—clinical operations, M&A activity, CRO collaboration, financial approvals—that create concentrated human risk. That’s exactly the environment where Layer 3 process work pays off.

Q: How do we know if our current program is at Layer 1, 2, or 3?

Ask yourself one question: can you name the three business processes in your organization that create the most human risk, and tell me what you’ve done to redesign them? If you hesitated, or if the answer is really about training completion rates or phishing click rates, you’re at Layer 1. And that’s okay. It’s where most organizations are. The question is whether you’re planning to move.