Why Human Risk Management is Now Critical in Cybersecurity

It’s no secret that human error still plays a significant role in data breaches - despite ongoing security and awareness training. But how do we finally disrupt this trend? The answer lies in a new approach to human risk management.

What is human risk management (HRM)? 

Human Risk Management (HRM) is a proactive cybersecurity approach that identifies, quantifies, and mitigates security risks stemming from human behavior. 

HRM supports Security Awareness & Training (SA&T) programs, expanding their impact to equip security teams and stakeholders with real-time awareness of each employee's individual cyber risk profile.

The shift to HRM: Why now?

Despite the popularity of SA&T programs, human-related breaches continue to rise, with Forrester predicting that 90% of data breaches in 2024 will involve human error. 

While Security Awareness & Training remains an essential component of a cybersecurity program, it alone can't address the full scope of human-related cyber threats. It's clear that SA&T must align with a larger, more proactive cyber risk management strategy.

Forrester recognizes the need for this critical change, as evidenced by its reclassification of SA&T under Human Risk Management in 2024.

Much like endpoint security evolved beyond traditional antivirus solutions, HRM builds on SA&T principles to deliver a more comprehensive and outcomes-driven cybersecurity necessity.

Why is human risk management important?

Human Risk Management is an important component of cybersecurity because human error is a major contributor of many breaches. In 2023, 74% of breaches involved a human element. Year after year, phishing, credential theft, and user error remain among the top attack vectors.

‍IBM's 2024 Cost of a Data Breach report confirms this, finding that stolen credentials were the initial attack vector in 16% of breaches- the most common IT environment entry point, followed closely by phishing at 15%. 

The chart below illustrates the persistent prevalence of data breaches caused by human error over time, highlighting the importance of a modified approach to human risk management programs.

Examples real-world data breaches tied to human factors

Behind every major breach, there's a human story. Here is a list of recent major cybersecurity events that exploited human vulnerabilities. 

These incidents prove that even companies with well-funded technical defenses can be crippled by a data breach linked to human error.

"Most cyber attacks begin by targeting a human weakness. Technology alone cannot accommodate for all human exploits in risk management programs."

- Phil Ross (CISO, UpGuard)

Why technology alone isn't enough 

While firewalls, antivirus, and encryption are essential, they can't fix poor judgment, bad habits, or lack of awareness. One study found that over 90% of employees knowingly engage in risky behaviors, such as reusing passwords or clicking suspicious links.

The rise of AI-driven cyber threats means traditional digital defenses are becoming easier to fool. Attackers now use Generative AI to create hyper-realistic phishing emails, deepfake audio to impersonate executives, and AI chatbots to personalize scam messages at scale. 

Deepfake-related phishing surged over 3,000% in 2023, and the World Economic Forum warns that AI-powered scamsare becoming more convincing than ever.

An HRM platform fills this defense gap by strengthening the human factor in cybersecurity—encouraging training participation, reinforcing ideal behaviors, and tracking insider threat activities—so employees become an active part of an organization's boundary defense system, even against AI-enhanced threats.

The Cost of ignoring human cyber risks

A single phishing email can set off a chain reaction of costly repercussions, including the activation of resource-heavy incident response plans, legal fines, lost customers, and long-term brand damage.

The 2013 Target breach, caused by the phishing of a third-party contractor, led to lawsuits, stock declines, and the CEO's resignation. More recently, the 2023 MGM Resorts cyber attack, enabled by social engineering a helpdesk employee, brought casino and hotel operations to a standstill.

The average cost of a data breach in 2024 was USD 4.35 million

IBM reports that "lost business" (downtime, customer churn, and reputational harm) is the biggest driver of breach costs, averaging $1.59 million per incident. The Colonial Pipeline attack, caused by a single compromised password, led to nationwide fuel shortages and economic disruption.

Regulatory and compliance risks

Cybersecurity is no longer just an IT concern. Regulators now hold organizations accountable. GDPR fines can reach 4% of global revenue or €20 million, whichever is higher, with penalties frequently imposed for phishing-related breaches, as evidenced by the Interserve Gourp Limited breach in 2020 (see timeline above).

In the U.S., SEC rules require public companies to disclose cybersecurity risk management strategies, including how they mitigate human risk. Compliance frameworks like NIST SP 800-53 and ISO 27001 also mandate security awareness training. 

Ignoring the human element doesn’t just weaken security, it increases legal and financial exposure.

Common human cyber risk mitigation strategies (and why they fail)

Most organizations attempt to address human cyber risk through a standardized model comprising security training, phishing simulations, and policy enforcement, but these traditional efforts alone often fall short.

Some common strategies for combating human-related security events include:

• Security Awareness & Training (SA&T): Employees complete annual or quarterly cybersecurity modules, primarily to meet compliance requirements. Because training events occur at a single point in time, this approach alone does not support real-time visibility into emerging human cyber risks.
• Phishing Simulations: While very helpful, these tests can become resource-intensive as they attempt to address the complete scope of phishing tactics. If not done thoughtfully, organizations can invest heavily but notice limited improvement in the company's overall personal security hygiene. 
• MFA and password policies: While authentication controls are critical, users could quickly lose patience and find workarounds—as evidenced by the MFA fatigue that led to Uber's breach.
• Risk assessments & compliance audits: Some organizations conduct annual risk assessments, but these static reports don't track how an employee's risk changes over time.

Despite billions spent on these programs, phishing clicks, malware infections, and policy violations remain persistent problems, security leaders often wonder if these efforts are making an impact.

Why these approaches fall short

Memory fades quickly

Security training is perpetually battling Ebbinghaus's Forgetting Curve, an information retention model that says people forget 90% of what they learn within a week without reinforcement.

Without continuous engagement, security training doesn’t translate into long-term behavior change.

Lack of engagement & relevance

Generic, one-size-fits-all security training does not resonate equally with all employees. The same security guidelines do not apply to developers and salespeople—developers require more technical training covering security coding practices, which is completely irrelevant to the sales staff. 

Broadening cybersecurity training to maximize workplace relevance often requires omitting advanced security knowledge that is beneficial for technical roles. As a result, some employees may remain security liabilities even after completing the training.

The SA&T market is projected to reach $10 billion by 2027, yet breaches keep rising. A SANS Institute study found that even with widespread security awareness programs, 74% of organizations still fell victim to phishing attacks. 

Measuring quiz completion rates doesn’t reduce risk—actual behavior change does.

- Masha Sedova (Human Risk expert)

It is important to note that security training does work. It remains one of the most effective tools for preventing human-related cyber incidents. However, this branch of internal risk mitigation must evolve with the fast-paced nature of the modern threat landscape, where AI advancements allow even the most novel hacker to create and deploy advanced social engineering attacks at scale.

Siloed security data

Most organizations lack a unified view of human risk. Phishing test results, IT logs, and HR data sit in disconnected systems, preventing security teams from seeing which employees pose the greatest risk. 

If an employee clicks multiple phishing emails, triggers antivirus alerts, or has access to sensitive financial data yet passes a cybersecurity quiz, fragmented security data would prevent a holistic view revealing the employee's need to be flagged as "high risk.".

For example, if an employee clicks multiple phishing emails, triggers antivirus alerts, and has access to sensitive financial data, they should be flagged as "high risk," but fragmented security data would prevent the holistic view required to see this..

A reactive, periodic approach

If an employee fails a phishing test in January, they might get a remedial video—but what happens when an actual attack occurs in July? Delayed, one-off interventions don't provide real-time reinforcement, leaving employees vulnerable.

Ultimately, traditional "train and test" approaches focus more on compliance than actual risk reduction. Organizations will see high-risk behaviors persist without reinforcement, role-specific engagement, and continuous monitoring. To truly mitigate human risk, security must move beyond awareness to active risk management.

The future of human risk management in business 

Security-driven organizations are moving beyond checkbox training to data-driven, behavior-focused human risk management (HRM). The future of HRM is defined by continuous monitoring, risk-based prioritization, real-time behavioral reinforcement, and deep security integration.

Continuous risk detection & monitoring

Traditional risk assessments provide only snapshots of risk exposure at a single point in time, which can result in a misleading report on your organization's actual human cyber risk exposure.

This data discrepancy is further expanded by failing to consider the complete spectrum of metrics influencing human cyber risk profiles—a characteristic of most traditional risk assessments, which include:

• Phishing interactions
• Security Awareness & Training participations
• Shadow IT or Shadow SaaS usage
• AI tool adoptions
• File-sharing activities

By integrating with IAM, email security, endpoint protection, and SIEM logs, Human Risk Management solutions offer continuous visibility across all human cyber risk attack vectors, giving you real-time awareness of your organization's evolving human cyber risk exposure.

An HRM platform helps security teams make informed decisions about specific human security practices impacting an organization's security posture. Consider the scenario of an employee interacting with multiple phishing emails in a given month—outside of a scheduled point-in-time risk assessment period. 

With an HRM platform properly integrated across all relevant human cyber risk insights, the event is immediately flagged, triggering instant interventions, such as sending an alert to the direct manager or flagging the employee as requiring additional SA&T. The result is real-time awareness of emerging human cyber risks.

A point-in-time risk assessment approach alone would not have detected this malicious activity or any other arising cyber threats until the next scheduled risk assessment.

Risk-based prioritization

Not all employees pose the same risk—a small subset often contributes disproportionately. In one study, 8% of users were responsible for 80% of security incidents. HRM identifies these high-risk individuals and tailors interventions accordingly.

Instead of blanket training, HRM assigns risk scores based on user behavior, such as frequent phishing clicks, failed MFA attempts, or security violations. Higher-risk users receive targeted coaching or stronger controls, while low-risk employees may require less frequent training.

Behavioral reinforcement

To combat the forgetting curve, consider implementing an HRM solution employing real-time nudges—timely, contextual prompts that reinforce secure actions at the moment of decision.

For example:

• If a user sets a weak password, they receive an immediate warning: "This password appears too weak, please choose a stronger one."
• Before clicking a suspicious link, a real-time alert might ask, "This email looks suspicious. Are you sure you trust it?"
• When plugging in a personal USB, a system alert notes: "External USB devices can introduce security risks—please scan for malware before accessing files."

Unlike traditional training, which tells employees what to do once a year, HRM coaches them in real-time. Security becomes a daily habit, not a one-off compliance task.

Integration with the security ecosystem

HRM doesn't replace existing security measures and tools—it enhances them. By integrating a Human Risk Management platform with IAM, SIEMs, email security, and endpoint detection tools, an HRM tool broadens human attack vector contextualization—creating a risk management strategy based on each employee's true cyber risk profile.

With HRM insights feeding into SIEM systems, correlating user risk data with broader security threats, it becomes possible to establish automated response triggers based on human risk signals, such as:

• High-risk users automatically receiving stricter MFA requirements.
• Increasing email filtering sensitivity for employees with repeated phishing failures.
• Automatic user session termination upon detecting high-risk activities, such as attempts to access unauthorized data or execute prohibited commands.
• Dynamically restricting or revoking access permissions for users exhibiting anomalous behavior or suspected account compromise.
• Automatically enrolling employees who exhibit risky behavior patterns into targeted security training or awareness modules.
• Initiating automated security alerts to SOC teams for immediate review when users access sensitive data outside regular working hours or from unusual locations.
• Temporarily limiting network access for users whose accounts appear to have been affected by recent credential breaches detected on the dark web.
• Automatically requiring password resets or identity verification steps for users exhibiting signs of account compromise, such as simultaneous logins from multiple locations.
• Triggering increased endpoint monitoring or isolation protocols on devices associated with repeated unsafe behaviors, like downloading unauthorized software or engaging in unsafe browsing habits.

The automation potential introduced by HRM tools eliminates manual processes, allowing security teams to act faster and focus their energy on cyber threat prevention rather than remediation.

How security leaders should manage human cyber security 

As cybersecurity threats evolve, managing human risk must become a core security priority—not just a compliance requirement. 

By continuously analyzing risk trends and behavioral patterns, HRM allows security teams to refine their approach over time, ensuring resources are focused where they have the most significant impact.

Here's how security leaders can embed Human Risk Management (HRM) into their strategy for long-term impact.

1. Treat human risk like any other cyber risk

Just as organizations track technical vulnerabilities, incident rates, and threat intelligence, they must quantify human risk. This means defining key metrics like phishing click rates, policy violations, and user risk scores—and reporting them alongside technical risk data to leadership and the board. 

What gets measured gets improved and human risk is no exception.

2. Build a security culture

Compliance training is necessary but not sufficient. A strong cybersecurity culture means employees feel responsible for cybersecurity and are not just obligated to complete training.

• Use real-world incidents, gamified challenges, and interactive training to make learning engaging.
• Encourage mistake reporting without punishment—so employees learn instead of fearing security.
• Partner with HR or leadership to make security a company-wide initiative, not just an IT function.

3. Implement continuous, role-based training

Organizations should shift to ongoing, bite-sized learning tailored to specific roles and risks.

• Developers need secure coding workshops, while finance teams need anti-fraud training.
• Executives require CEO fraud awareness and deepfake recognition.
• Incorporate real-world threats (e.g., AI-generated simulated phishing attacks), so employees recognize evolving tactics.

4. Integrate human risk into security operations

HRM should connect with existing security tools and not function in isolation. Security teams understand user risk by integrating phishing data, access logs, and security alerts.

• High-risk users can be automatically flagged for extra monitoring or stricter MFA.
• If users fail multiple phishing tests, their email filtering can be increased automatically.
• Security teams can automate interventions—ensuring timely responses to risky security behaviors.

5. Secure leadership buy-In & accountability

HRM requires executive support to succeed.

• Security leaders should educate the C-suite with clear data, case studies, and real-world examples.
• Set measurable targets (e.g., "Reduce phishing click rate by X% in 2024") and track progress.
• Encourage executives to lead by example—for instance, participating in phishing simulations.

6. Prepare for AI-driven threats

The next wave of attacks will use AI to bypass traditional security. Organizations must train employees to recognize AI-enhanced scams, like deepfake phishing and synthetic voice fraud.

• AI will also play a defensive role, helping analyze risky behaviors, auto-generate training content, and predict which users need intervention.
• Keeping HRM adaptive ensures security teams stay ahead of emerging threats.

How UpGuard can help you with human cyber risk mitigation

UpGuard simplifies Human Risk Management by tracking emerging threats across three major human cyber risk categories in real-time:

• User identities: Risks linked to compromised internal credentials
• Applications: Risks associated with shadow IT practices
• Data: Risks associated with sensitive data sharing

For a quick overview of how UpGuard can help you effectively manage human cyber risks, watch this video: