Security awareness training has been a cornerstone of cybersecurity programs for years, and it has been effective. In 2021, the Verizon Data Breach Investigations Report (DBIR) found that 85% of breaches involved a human element, such as social engineering, misuse or error. Every year since, that figure has fallen: 82% in 2022, 74% in 2023 and 68% in 2024 (the 2024 figure excludes malicious privilege misuse, so the series is not strictly like-for-like).
Despite this progress, many organizations are hitting a plateau in training effectiveness; nearly seven out of ten breaches still involve an employee's action. Education is essential, but there is a persistent gap between knowing what is secure and actually doing it, one that traditional awareness approaches alone struggle to bridge.
As someone who’s worked extensively with security leaders, I’ve observed this challenge firsthand. Our approach must evolve to match today’s threat landscape and workplace dynamics.
Understanding the behavioral security gap
Think about driver's education. We all learn the rules of the road, but knowing those rules doesn't automatically translate to good driving. We speed up to get through a yellow light or check our phones despite knowing the risks. Similarly, employees often know security best practices but circumvent them to get immediate work done.
This gap is costly. IBM's Cost of a Data Breach research puts the lifecycle of breaches that begin with phishing or stolen credentials at well over 200 days to identify and contain, making them among the most expensive breaches organizations face. We must move beyond simply making employees aware of security practices to supporting and reinforcing secure behaviors at the moment they matter.
The evolution of human risk management
Human risk management represents the natural evolution of security awareness programs. Rather than replacing traditional awareness training, it builds upon that foundation by connecting security education directly to real-world behaviors and risks.
The core difference lies in monitoring, measuring and mitigating human risk. Instead of relying solely on simulated phishing results or annual training completion rates, human risk management draws on the telemetry your security stack already produces, from email security to DLP solutions, to see which behaviors are actually occurring and which of them generate security events.
Here are some of the critical components of human risk management:
- Behavioral insights: Understanding people’s thinking and behavior is crucial to effective security awareness. By leveraging behavioral science principles, organizations can design training programs that resonate with employees and motivate them to adopt secure behaviors.
- Data-driven decision-making: By analyzing data from sources such as security logs, incident reports and user behavior analytics, organizations can identify which risky behaviors recur, where and how often. This data-driven approach allows for targeted training interventions rather than one-size-fits-all content.
- Continuous learning and adaptation: The cybersecurity landscape is constantly changing. To stay ahead of threats, organizations must adopt a continuous learning approach. This involves providing regular updates, conducting frequent training sessions and using real-world examples to illustrate potential risks.
- Empowering employees: Employees are often the first line of defense against cyber threats. Organizations can create a security awareness culture by empowering them with the necessary knowledge and tools. This includes providing clear guidelines, encouraging open communication, and recognizing and rewarding secure behavior.
Creating a culture of security accountability
The goal isn’t to catch employees doing something wrong. It’s to empower them to make better security decisions. Employees receiving immediate, relevant feedback tied to their work activities are more likely to understand and internalize secure behaviors.
For example, if an employee triggers a DLP alert by sending sensitive data to a personal email address, a human risk management approach would immediately deliver a short reminder of the data handling policy, tied to the action that caused the alert. This just-in-time guidance is more effective than waiting for the next annual training session. Two caveats keep it from becoming noise: the nudge supplements the control rather than replacing it (the DLP block or quarantine still applies), and it is rate-limited, so an employee who triggers the same alert several times in an hour gets one message, not several.
Breaking down operational silos
One of the most significant advantages of human risk management is the ability to unite traditionally separate security functions. Security operations teams often operate independently from governance, risk and compliance (GRC) and training teams, leading to disconnected efforts and missed opportunities for improvement.
Feeding security alerts into training initiatives creates a feedback loop that benefits both sides: the security operations center (SOC) team's insight into which behaviors generate the most alerts shapes training content, and targeted training reduces that alert volume. Because the loop is measured at both ends, it demonstrates concrete ROI through a measurable reduction in user-driven alerts and incidents.
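The loop described above, as an added example that is not code from the original article or from any vendor's product: a small Python script that takes alert events as an email security or DLP tool might emit them (the JSON field names, alert types, policy messages and the sample events are all assumptions constructed for this example), maps each alert type to the behavior being coached, sends at most one nudge per user per behavior within a cooldown window, and ranks behaviors by alert volume so the awareness team can see what to target.

```python
"""Just-in-time nudge loop over security-stack alerts (added example).

Assumed input: one JSON object per line with "ts" (ISO 8601), "user" and
"type" fields. The alert types and messages below are illustrative, not the
schema of any real product.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed mapping from tool alert type -> (behavior being coached, nudge text).
# Alert types not listed here are left to the SOC as ordinary alerts; the
# nudge never replaces the control that fired (the DLP block still applies).
NUDGES = {
    "dlp.personal_email": (
        "data_handling",
        "Company data was sent to a personal mailbox; see the data handling policy.",
    ),
    "dlp.usb_copy": (
        "data_handling",
        "Sensitive files were copied to removable media; use the approved share instead.",
    ),
    "phishing.link_clicked": (
        "phishing",
        "That link was flagged as phishing; report suspicious mail with the Report button.",
    ),
}

# One nudge per user per behavior within this window; repeats are counted but
# not re-sent, so a burst of identical alerts does not become a burst of nags.
COOLDOWN = timedelta(hours=24)


def parse_alert(line):
    """Parse one JSON alert line into a dict with a datetime timestamp."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def process_alerts(lines, cooldown=COOLDOWN, last_sent=None):
    """Return (nudges, per_user_counts, suppressed).

    nudges:          list of (user, behavior, message) in time order
    per_user_counts: user -> Counter(behavior) for every coachable alert
    suppressed:      number of coachable alerts inside a cooldown window
    last_sent:       optional (user, behavior) -> datetime state carried
                     between runs so the cooldown survives restarts
    """
    if last_sent is None:
        last_sent = {}
    nudges = []
    per_user = defaultdict(Counter)
    suppressed = 0
    # Tools deliver out of order; sort so the cooldown is applied correctly.
    for event in sorted((parse_alert(line) for line in lines), key=lambda e: e["ts"]):
        spec = NUDGES.get(event["type"])
        if spec is None:
            continue  # not a behavior we coach; normal SOC handling
        behavior, message = spec
        per_user[event["user"]][behavior] += 1
        key = (event["user"], behavior)
        last = last_sent.get(key)
        if last is not None and event["ts"] - last < cooldown:
            suppressed += 1
            continue
        last_sent[key] = event["ts"]
        nudges.append((event["user"], behavior, message))
    return nudges, per_user, suppressed


def behavior_ranking(per_user):
    """Rank behaviors by total alert count: the SOC's input to training content."""
    total = Counter()
    for counts in per_user.values():
        total.update(counts)
    return total.most_common()


# Constructed sample alerts (not real data); one line is deliberately out of order.
SAMPLE_ALERTS = [
    '{"ts": "2024-05-01T09:00:00", "user": "alice", "type": "dlp.personal_email"}',
    '{"ts": "2024-05-01T10:00:00", "user": "bob",   "type": "dlp.usb_copy"}',
    '{"ts": "2024-05-01T09:40:00", "user": "alice", "type": "dlp.personal_email"}',
    '{"ts": "2024-05-01T11:00:00", "user": "alice", "type": "phishing.link_clicked"}',
    '{"ts": "2024-05-01T12:00:00", "user": "bob",   "type": "malware.detected"}',
    '{"ts": "2024-05-02T10:00:00", "user": "alice", "type": "dlp.personal_email"}',
]

if __name__ == "__main__":
    sent, counts, skipped = process_alerts(SAMPLE_ALERTS)
    for user, behavior, message in sent:
        print(f"nudge {user:6} [{behavior}]: {message}")
    print(f"suppressed by cooldown: {skipped}")
    print("behaviors by alert volume:", behavior_ranking(counts))
```

On the constructed sample this sends four nudges (alice's second personal-email alert 40 minutes after the first is counted but suppressed; her alert the next day is outside the window and is sent), ignores the malware alert, and ranks data handling as the behavior generating the most alerts, which is the signal the awareness team would act on. In production the `last_sent` state would be persisted and the nudge delivered through chat or email; the counting and cooldown logic is the part that matters.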
Benefits across the organization
By breaking down these silos and fostering collaboration between security operations, GRC and training teams, organizations can achieve a more holistic and effective approach to security. This unified approach leads to several benefits across organizations.
For CISOs and security leaders, human risk management provides:
- Unified visibility across security awareness and operations
- Clear metrics showing behavioral change impact
- Reduced alert volume as employee behaviors improve
- Better allocation of security resources
For employees, the benefits include:
- Less interruption from lengthy training sessions
- More relevant, contextual security guidance
- Greater understanding of how their actions affect security
- Improved ability to self-regulate security behaviors
For security operations teams, it helps:
- Reduce alert fatigue through better user behavior
- Focus resources on genuine threats rather than user mistakes
- Create stronger alignment with awareness and compliance teams
Starting your human risk management journey
If you’re considering evolving your security awareness program toward human risk management, here are some practical first steps:
- Start a dialogue between your security operations and awareness teams. Understand what alerts they’re seeing and which human behaviors are creating the most security noise.
- Look at your existing security stack. Many organizations already have the tools needed to gather behavioral insights. They just need to connect and analyze the data differently.
- Focus on culture change. Position human risk management as an enhancement to help employees work more securely rather than another layer of restrictions.
- Start small and iterate. Choose one or two key behaviors to focus on initially, measure the impact and expand from there.
Remember, this is a journey, not a destination. The goal is continuous improvement in your security culture, not perfection overnight. By cohesively bringing together awareness, operations and behavioral change, we can build more resilient security programs that work with, not against, human nature.
About the Author
Bret Fund is the SVP and General Manager of Infosec, a Cengage Group company, where he focuses on helping organizations and individuals build a culture of cybersecurity and close their skills gaps. Prior to this role he was SVP of Alternative Credential Products at 2U where he focused on driving growth and profitability for the products in his portfolio. In previous roles he was the VP of Education at the Flatiron School, where he oversaw the program development and operations for their consumer and enterprise facing products, and the Founder and CEO of SecureSet, an immersive education company focused on educating the next generation of cybersecurity professionals. Before that, he was an Assistant Professor of Management and Entrepreneurship at the University of Colorado in Boulder.
Bret can be reached online via LinkedIn and at our company website: https://www.infosecinstitute.com/