Draft:Human risk management

From Wikipedia, the free encyclopedia


Human risk management (HRM) is a cybersecurity discipline focused on identifying, quantifying, and mitigating the security risks that arise from human behavior within organizations.[1][2] Rather than functioning as a single security tactic or training program, HRM operates as a risk intelligence framework that correlates data from behavioral, identity, and threat sources across the enterprise to determine where human risk exists and how to reduce it.[3] Interventions such as adaptive phishing simulations, AI-generated training content, policy enforcement, access restrictions, and security scorecards are employed as mitigation tactics within the broader HRM framework, rather than as standalone programs.[4]

  • Comment: Ironically, tonal signs of AI throughout, bolding, source 4 doesn't mention using simulations or AI-generated content as implied in lede, source 7 doesn't mention the "80% by 2030" projection. Fermiboson (talk) 17:32, 28 March 2026 (UTC)

Background

Research consistently identifies human behavior as a leading factor in cybersecurity breaches. The 2024 Verizon Data Breach Investigations Report found that the human element was a component in 68% of breaches, encompassing errors and social engineering attacks.[5] Forrester Research predicted that 90% of data breaches would include a human element in 2024.[1] Despite these findings, the cybersecurity industry had historically addressed human risk primarily through compliance-driven training programs and phishing simulations, which measured activity completion rather than actual risk reduction.[2] This gap between the scale of human-caused breaches and the limitations of existing approaches drove the development of human risk management as a distinct discipline.[3]

History

Vendor origins

The concept of managing human-related cybersecurity risk through data correlation rather than training alone emerged among several cybersecurity vendors in the late 2010s and early 2020s. Living Security, a cybersecurity company founded in 2017, registered the domain humanriskmanagement.com in 2020 and began publicly advocating for human risk management as a distinct category.[6] In a March 2022 blog post, the company argued that "a better name for the category" was needed to reflect the shift from training-centric approaches toward risk identification and behavioral intervention.[6] Other vendors, including CybSafe and Hoxhunt, also began repositioning their platforms around human risk management concepts during this period.[4]

Analyst recognition

In 2022, Forrester Research formally introduced its vision for human risk management as a new approach to address what it described as security awareness and training's shortcomings.[1] In the same period, Gartner introduced the concept of Security Behavior and Culture Programs (SBCP), which similarly advocated for a holistic approach to managing human cyber risk through behavioral change rather than awareness alone.[7]

In Q1 2024, Forrester published its Human Risk Management Solutions Landscape report, formally establishing HRM as a distinct market category with defined evaluation criteria.[8] This was followed by The Forrester Wave: Human Risk Management Solutions, Q3 2024, the first competitive evaluation of vendors in the category.[1]

Gartner has projected that by 2030, 80% of enterprises will have formally established human risk management programs, up from approximately 20% in 2022.[7]

Approach

Human risk management is distinguished from traditional security programs by its emphasis on continuous risk intelligence rather than periodic training events. The core approach involves three layers:[3][9]

Data correlation

HRM platforms ingest and correlate data from multiple enterprise sources, typically including:[3]

  • Identity data: Information from identity management and IAM systems about user roles, access privileges, and authentication patterns
  • Behavioral signals: Observable actions across security tools, including email behavior, endpoint activity, cloud application usage, and data handling patterns
  • Threat intelligence: External and internal threat data, including targeted attack campaigns, compromised credentials, and vulnerability exposure
  • Security event data: Alerts and logs from security information and event management (SIEM) platforms, data loss prevention systems, and endpoint detection and response tools that provide context on security incidents involving specific users

By correlating these data streams, HRM platforms generate a unified view of where human risk concentrates within an organization, identifying the specific individuals, departments, or behaviors that represent the greatest risk exposure.[3][9]

Risk quantification

A central capability of human risk management is the translation of correlated behavioral, identity, and threat data into quantitative risk scores that represent the likelihood and potential impact of human-caused security incidents.[3][9]

Human risk scores differ from traditional security metrics in that they are not based on a single data point such as a phishing simulation click rate or a training completion percentage. Instead, they are composite scores derived from multiple weighted signals observed over time. A user's risk score may factor in how they handle sensitive data, whether they follow authentication policies, how they respond to phishing attempts, whether they have been targeted by known threat campaigns, the sensitivity of the systems they can access, and patterns of behavior that deviate from their established baseline.[3][2]

Dynamic scoring is a key characteristic of HRM risk quantification. Unlike static assessments that capture risk at a single point in time, HRM platforms continuously update risk scores as new behavioral and threat data is ingested. A user's score may increase as they demonstrate sustained secure behaviors—such as correctly identifying and reporting suspicious emails, completing relevant training, or maintaining consistent adherence to security policies. Conversely, scores may decrease when users engage in higher-risk activities, such as accessing systems outside their normal pattern, mishandling sensitive data, failing phishing simulations, or being identified as a target of an active spear-phishing campaign.[9][2]

Organizational and group-level quantification extends risk scoring beyond individuals. HRM platforms aggregate individual scores to produce risk views at the department, business unit, geographic, and enterprise levels. This gives security leaders visibility into where pockets of risk concentrate across the organization—whether a particular team, office, or role carries disproportionate exposure—so they can direct resources and interventions where they will have the greatest impact. In some cases, these aggregated views also reveal underlying process or access issues that contribute to elevated risk within a group.[3]

Predictive modeling represents an emerging capability in HRM risk quantification. Some platforms apply machine learning and probabilistic modeling to historical behavioral and incident data to forecast which users or groups are most likely to be involved in future security incidents. Living Security's patented approach uses causal and probabilistic AI modeling to generate risk predictions based on the relationship between observed behaviors and security outcomes, creating what the company describes as a continuous risk feedback loop.[9]

The shift from activity-based metrics to risk-based quantification has implications for how organizations communicate cybersecurity posture to leadership. Traditional SA&T programs typically report metrics such as the percentage of employees who completed training or the organization-wide phishing click rate. HRM risk quantification enables security teams to instead report on measurable risk reduction over time, the distribution of risk across the organization, the effectiveness of specific interventions on high-risk populations, and the correlation between human risk trends and actual security incidents. This provides CISOs and executive leadership with a framework for understanding human risk in terms comparable to other enterprise risk domains.[2][1]
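The correlation and scoring mechanics described in the two sections above, as an added illustration that is not the code of any vendor named in this article: records from four constructed sources (identity, behavioral, threat intelligence, security events) are joined into one per-user view, each signal is weighted and time-decayed, privileged access scales the result, the score is recomputed for any "as of" day so it moves as new data arrives, and individual scores are aggregated per department. Every signal name, weight, half-life and sample record is an assumption chosen for the demonstration.

```python
# Added illustration of an HRM correlation-and-scoring layer. Not the code of
# any vendor named in the article; every signal name, weight and record below
# is a constructed assumption chosen to show the mechanics.
from collections import defaultdict

# --- Source 1: identity data (constructed) ----------------------------------
IDENTITY = {
    "alice": {"department": "finance", "privileged": True},
    "bob": {"department": "finance", "privileged": False},
    "carol": {"department": "engineering", "privileged": True},
}

# --- Sources 2-4: behavioral, threat-intel and security-event signals -------
# Each record is (user, signal, day). Signal names are hypothetical.
EVENTS = [
    ("alice", "phish_sim_failed", 1),      # behavioral (simulation platform)
    ("alice", "dlp_violation", 2),         # security event (DLP alert)
    ("alice", "targeted_by_campaign", 5),  # threat intelligence
    ("bob", "phish_reported", 1),          # behavioral, protective
    ("bob", "phish_reported", 4),
    ("carol", "mfa_policy_bypass", 3),     # identity / IAM event
    ("carol", "phish_sim_failed", 3),
    ("carol", "phish_reported", 6),
]

# Assumed weights: positive values raise risk, negative values lower it.
WEIGHTS = {
    "phish_sim_failed": 20.0,
    "dlp_violation": 25.0,
    "targeted_by_campaign": 15.0,
    "mfa_policy_bypass": 30.0,
    "phish_reported": -10.0,
}
HALF_LIFE_DAYS = 7.0         # a signal's weight halves every 7 days
PRIVILEGE_MULTIPLIER = 1.25  # impact: privileged access amplifies the score


def decay(age_days):
    """Exponential time decay so recent behaviour dominates the score."""
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def correlate(events, identity):
    """Join per-source records into one per-user view keyed by user id."""
    view = {u: {"identity": attrs, "signals": []} for u, attrs in identity.items()}
    for user, signal, day in events:
        entry = view.setdefault(user, {"identity": {}, "signals": []})
        entry["signals"].append((signal, day))
    return view


def user_score(user, view, as_of_day):
    """Composite score: weighted, time-decayed signals, scaled by access sensitivity, clamped to 0-100."""
    base = 0.0
    for signal, day in view[user]["signals"]:
        if day > as_of_day:
            continue  # dynamic scoring: only signals observed so far count
        base += WEIGHTS[signal] * decay(as_of_day - day)
    if view[user]["identity"].get("privileged"):
        base *= PRIVILEGE_MULTIPLIER
    return max(0.0, min(100.0, base))


def score_all(view, as_of_day):
    """Score every correlated user as of the given day."""
    return {u: user_score(u, view, as_of_day) for u in view}


def department_scores(view, scores):
    """Aggregate individual scores into group-level views (mean, max, headcount)."""
    buckets = defaultdict(list)
    for user, s in scores.items():
        buckets[view[user]["identity"].get("department", "unknown")].append(s)
    return {d: {"mean": sum(v) / len(v), "max": max(v), "users": len(v)}
            for d, v in buckets.items()}


if __name__ == "__main__":
    view = correlate(EVENTS, IDENTITY)
    for day in (1, 3, 7):
        scores = score_all(view, day)
        print(f"day {day}: " + ", ".join(f"{u}={s:.1f}" for u, s in scores.items()))
        print("  by department:", department_scores(view, scores))
```

Run as a script, the output shows the dynamic character the text describes: alice's score rises as the DLP and threat-intelligence signals land on days 2 and 5, carol's day-3 spike decays by day 7 and is further offset by a reported phish, and bob's protective behaviour keeps him clamped at zero. The decay half-life and the privilege multiplier are the two knobs that encode "likelihood" and "impact" respectively; a real platform would tune them per signal source rather than using one global value.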

Targeted intervention

Rather than delivering uniform training to all employees, HRM systems trigger context-specific interventions tailored to the risk profile and circumstances of each individual or team. These interventions typically fall into several categories:[2][4]

Adaptive simulations and AI-generated content: HRM platforms use risk data to generate phishing simulations and training content that are calibrated to each user's specific vulnerabilities. Rather than sending identical simulations to all employees, the platform may adjust the sophistication, attack vector, and social engineering techniques based on the individual's role, observed behaviors, and risk score. Some platforms use artificial intelligence to generate personalized training content that addresses the specific risk factors identified for each user.[2]

Proactive risk alerts for targeted groups: When threat intelligence or behavioral data indicates that a particular department, role, or team faces elevated risk—such as a finance team during a spike in business email compromise campaigns—HRM platforms can deliver targeted communications alerting those groups to heightened threats and providing specific guidance on what to watch for.[4]

Positive reinforcement and recognition: In addition to addressing risky behavior, HRM programs incorporate mechanisms to recognize and reinforce secure behavior. This may include notifying teams or individuals when their security practices demonstrate improvement, surfacing metrics that highlight departments with strong security posture, or delivering acknowledgment when users correctly identify and report threats. This approach is grounded in behavioral science principles that sustainable change requires reinforcing desired behaviors, not only penalizing risky ones.[2]

Access and policy controls: For users whose risk scores exceed defined thresholds, HRM platforms can trigger automated policy responses through integration with IAM systems, such as requiring additional multi-factor authentication steps, restricting access to sensitive systems, or escalating for manual review.[3]

Manager and team scorecards: HRM platforms generate security scorecards at the team and department level, providing managers with visibility into the risk posture of their groups and enabling accountability for risk reduction across the organization.[2]

The distinction is that these tactics serve as components within a data-driven risk management framework, rather than functioning as standalone security programs. Each intervention is informed by the platform's risk intelligence layer and measured against its impact on actual risk reduction.[2][3]
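The intervention categories listed above, as an added illustration that is not the code of any vendor named in this article: a small policy engine takes a user's current composite score, the score from the previous review, and the set of departments flagged by threat intelligence, and emits the access-control, adaptive-simulation, positive-reinforcement and group-alert actions the text describes, then rolls those up into a manager scorecard per department. The thresholds, action identifiers and sample users are assumptions; the score inputs are taken as given rather than computed here.

```python
# Added illustration of the targeted-intervention layer: turning a user's
# risk score, its trend and group-level threat context into actions. Not a
# vendor's code; thresholds, action names and the sample users are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass

ACCESS_RESTRICT_THRESHOLD = 70.0  # score at or above: automated IAM response
ADAPTIVE_SIM_BAND = (30.0, 70.0)  # scores in this band: calibrated simulation
IMPROVEMENT_DELTA = 10.0          # drop since last review worth recognising


@dataclass
class UserContext:
    user: str
    department: str
    score: float           # current composite risk score, 0-100
    previous_score: float  # score at the previous review cycle


def plan_interventions(ctx, targeted_departments):
    """Return the ordered list of intervention identifiers for one user."""
    actions = []
    if ctx.score >= ACCESS_RESTRICT_THRESHOLD:
        # Access and policy controls through IAM integration, plus escalation
        actions += ["iam:step_up_mfa", "iam:restrict_sensitive_access", "soc:manual_review"]
    elif ADAPTIVE_SIM_BAND[0] <= ctx.score < ADAPTIVE_SIM_BAND[1]:
        # Adaptive simulation: difficulty 1-3 scaled to position within the band
        difficulty = min(3, 1 + int((ctx.score - ADAPTIVE_SIM_BAND[0]) // 15.0))
        actions.append(f"sim:adaptive_phishing:difficulty={difficulty}")
    if ctx.previous_score - ctx.score >= IMPROVEMENT_DELTA:
        actions.append("recognize:improvement")  # positive reinforcement
    if ctx.department in targeted_departments:
        actions.append(f"alert:group:{ctx.department}")  # proactive group alert
    return actions


def tier(score):
    """Coarse band used on scorecards."""
    if score >= ACCESS_RESTRICT_THRESHOLD:
        return "high"
    if score >= ADAPTIVE_SIM_BAND[0]:
        return "medium"
    return "low"


def manager_scorecard(contexts, targeted_departments):
    """Department view: users per tier, mean score, and pending action counts."""
    card = defaultdict(lambda: {"tiers": Counter(), "scores": [], "actions": Counter()})
    for ctx in contexts:
        entry = card[ctx.department]
        entry["tiers"][tier(ctx.score)] += 1
        entry["scores"].append(ctx.score)
        entry["actions"].update(plan_interventions(ctx, targeted_departments))
    return {
        d: {
            "tiers": dict(e["tiers"]),
            "mean_score": sum(e["scores"]) / len(e["scores"]),
            "actions": dict(e["actions"]),
        }
        for d, e in card.items()
    }


# Constructed sample: one review cycle while finance is under a BEC campaign.
SAMPLE = [
    UserContext("alice", "finance", score=82.0, previous_score=60.0),
    UserContext("bob", "engineering", score=12.0, previous_score=35.0),
    UserContext("carol", "engineering", score=50.0, previous_score=52.0),
]
TARGETED = {"finance"}

if __name__ == "__main__":
    for ctx in SAMPLE:
        print(ctx.user, plan_interventions(ctx, TARGETED))
    print(manager_scorecard(SAMPLE, TARGETED))
```

The ordering of the checks matters: the access-control branch is exclusive of the simulation branch (a user already being restricted is not also sent a harder simulation), while recognition and group alerts are additive because they respond to trend and context rather than to the absolute score. The constructed run shows all four outcomes at once: alice is stepped up and flagged for review and receives the finance group alert, bob is recognised for a 23-point improvement, and carol gets a mid-band simulation.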

Distinction from security awareness and training

Human risk management is frequently contrasted with traditional security awareness and training (SA&T) programs. Industry analysts have noted several key differences:[2][4]

| Dimension | Security Awareness & Training (SA&T) | Human Risk Management (HRM) |
| --- | --- | --- |
| Primary objective | Compliance and awareness | Behavioral risk reduction |
| Measurement approach | Training completion, phishing click rates | Risk scores, behavioral change metrics |
| Intervention model | Scheduled, curriculum-based | Adaptive, behavior-triggered |
| Content delivery | Uniform across organization | AI-personalized to individual risk profile |
| Data sources | Training platform only | Identity, behavioral, threat, and security event data correlated |
| Scope | Education and simulation | Risk intelligence, measurement, and targeted intervention |
| Response capabilities | Training reassignment | Adaptive training, access controls, team alerts, positive reinforcement, policy enforcement |
| Executive reporting | Training completion rates | Quantified risk reduction, risk distribution, intervention effectiveness |

Proponents of HRM argue that traditional SA&T programs, while necessary for regulatory compliance, do not provide the risk visibility needed to reduce human-caused security incidents.[1] Critics note that HRM platforms require significant data integration and may raise employee privacy concerns due to behavioral monitoring.[3]

Notable vendors

The Forrester Wave: Human Risk Management Solutions, Q3 2024 evaluated multiple vendors in this category. Living Security, which had been among the earliest companies to adopt the HRM terminology, was positioned as a leader alongside other vendors including CybSafe, Hoxhunt, KnowBe4, Mimecast, and Proofpoint.[1][10] Several traditional security awareness vendors have repositioned their offerings as human risk management platforms in response to the category shift.[4]

In October 2025, Living Security announced that the United States Patent and Trademark Office had allowed its patent application for a "Risk Management Security System" covering its methodology for unifying identity, behavioral, and threat data through AI modeling to generate risk scores and automated interventions.[9]
