eGuide

The CISO's Human Risk Management Playbook

Distinguishing Human Risk Management (HRM) criteria differs between analysts and vendors, but there are common threads. Learn what an HRM Platform is and how to execute an HRM program. It all starts with your greatest human cyber risk, phishing and social engineering.

Table of contents

About the author
Eliot Baker, Director of Content Marketing at Hoxhunt

share this guide

Introduction

2024 will go down as the Year of Human Risk Management. Finally enshrined as its own category, independent of Security Awareness Training (SAT), HRM promises to deliver greater return on investment than any other strategic security initiative.

Why? Because for cyber criminals, the human layer is where the money’s at: social engineering, phishing, and insider threats comprise the greatest risk for multi-million-dollar data breaches, according to IBM. And those threats are getting worse by the day in the age of AI, according to the Verizon DBIR.

Consequently, an HRM platform must be designed to reduce risk starting at its greatest source--social engineering and phishing. An effective HRM platform will produce measurable behavior change that reduces risk by connecting threat detection--recognizing and reporting phishing attacks--between the real and the simulated environments. Integrating human threat intelligence into the security stack makes it possible to stop threats before they can spread.

But HRM needn’t stop at social engineering. This risk-based approach can be applied to a broad range of behaviors including: Storing and sharing information; authentication and access management (e.g. MFA); timely security updates; and safe browsing.

The basic principles of of a human risk-based approach can be applied to all of these behaviors through behavioral signal-based nudge alerts that trigger an admin response, automatic mitigation, or a targeted micro-training.

Every major analyst already has or is in the process of publishing their own report on HRM, each with their own evaluation criteria. The differences can be fundamental. Forrester, for instance, focuses on the breadth of security awareness content and omits social engineering and phishing outcomes from their wave report’s human risk management criteria. Meanwhile, Gartner focuses on social engineering and phishing outcomes as core to reducing human risk in their post-SAT category, Security Behavior and Culture Program (SBCP).

The unifying thread? In a word: "behavior."

Human Risk Management Platforms correct risky behaviors at scale to measurably build culture and reduce human risk.

Let’s pause on the word “measurable.” Whereas yearly or quarterly SAT was geared for education and compliance, HRM is defined by outcome driven metrics (ODM) that demonstrate:

  1. Behavior change
  2. Cyber skills and habits acquisition
  3. Increased resilience
  4. Decreased risk across the human layer
  5. Real world impact
The key to HRM is ODM. Any platform claiming to be Human Risk Management must demonstrate outcome driven metrics relevant to reducing human cyber risk.

Security Awareness is Dead. Why Human Risk? Why Now?

Human Risk Management has risen from the ashes of SAT in 2024. It started back in 2020, when cyber crime and insider threats experienced a phase change with the pandemic-driven shift to the cloud and remote work. The ensuing multi-billion-dollar wave of ransomware, BEC, and spear phishing pushed the cyber insurance industry to the brink of collapse in 2021, and it has been volatile ever since.

Add in the 2022 rise of AI, and the threat landscape is more than SAT can handle. More and better-crafted threats are bypassing email filters every day. Social engineering alone is an omni-channel problem, as deep fakes and other highly sophisticated attacks become available on the dark web’s cybercrime-as-a-service market.

At that point, it’s up to people: admins and end users, alike. Everyone needs to be able join forces on a Human Risk Management platform that provides just-in-time micro-training to behave securely, and the tools and seamless integrations that weave human threat intelligence into the security stack.

Threat landscape by the numbers

  • 68% of breaches contain the human element (Verizon DBIR)
  • 80–95% of cyber attacks begin with a phish (Comcast Business Cybersecurity Threat Report)
  • $4.76 million – average cost of a phishing breach (IBM/Ponemon Cost of a Data Breach Report)
  • 4,151% – increase in phishing attacks since ChatGPT in November 2022 (SlashNext State of Phishing Report)

Between 68% (Verizon DBIR 2024) to 95% (WEF) of data breaches contain the human element, primarily via social engineering and phishing. Other costly risks include user and admin errors while handling sensitive information, as well as malicious insider acts, which the 2024 IBM Cost of a Data Breach report pegged at $4.99M.

The cost of phishing and BEC both rose to $4.88M in 2024, and Social Engineering rose to $4.77M

Many believe the emergence of Human Risk Management is long overdue. The HRM movement has been developing since at least 2016, when Hoxhunt was founded to disrupt the compliance-based SAT model. Several thought leaders have been publishing articles since well before then calling for a more dynamic solution than SAT to stay secure in a swiftly tilting threat landscape.

Suddenly, many up-jumped SAT vendors are rushing into the HRM space and calling themselves Human Risk Management Platforms. But each analyst and vendor has their own criteria for HRM.  

In all of our excitement, the discourse around HRM can get a little noisy. But you can separate the signal from the noise by prioritizing outcome driven metrics.

CISOs need to know: is the HRM platform measurably changing behavior and reducing risk? Am I mitigating the biggest risk cluster of all: people-targeted attacks like social engineering and phishing?

This white paper addresses key questions about the definition and application of HRM:

  • What is Human Risk Management?
  • Why should security leaders consider dropping the old-school SAT model and adopting HRM?
  • Who should choose HRM over SAT?
  • What does HRM look like in practice?
  • How does a security awareness manager or CISO implement  an HRM program?
  • What tools are out there?

What is Human Risk Management in cybersecurity?

Human risk management is the measurement and mitigation of risks stemming from human behaviors that leave an organization vulnerable to attack.

Simply put, HRM is about finding, measuring and managing risky behaviors in realtime to reduce risk. Comparatively, SAT was created to achieve compliance.

While compliance is a co-effect of HRM, measurable risk reduction is very hard to prove with a traditional SAT model. Check out this webinar recording by Head of Human Risk, Maxime Cartier, to learn more.

To know if risk is being reduced, an HRM platform establishes hard numbers around:

  • Key risky behaviors
  • Risk posture
  • Baselines for risky behaviors and risk posture
  • HRM-driven changes in behavior from baseline
  • HRM-driven risk reduction via improved behaviors
  • Business impact of HRM, e.g. reduced costs and operational downtime

Why should CISOs drop the SAT model and adopt HRM?

In addition to measurably reducing risk, HRMs provide numerous benefits to business and security functions, including culture building, business continuity, C-suite reporting, GRC, and cyber insurance.

Powered by advanced capabilities such as AI, Human Risk Management Platforms keep organizations more secure against both today’s and tomorrow’s threats. They provide more bang for buck, with AI-enabled automation getting more impactful results while requiring fewer resources to operate.

10 key elements and advantages of HRM include:

  1. Compliance as a function of risk reduction: HRM measurably and demonstrably reduces risk with behavioral interventions and realtime alerts while delivering ongoing education.
  2. Outcome-Driven Metrics (ODMs): HRM emphasizes outcome-driven metrics that showcase actual behavior changes, proving that risk is being minimized over time. These ODMs provide security teams and leadership clear evidence of improved employee behavior that safeguards the company.
  3. Clear Communication of Value: The value of HRM programs can be easily communicated through ODMs, making it easier to demonstrate ROI to stakeholders and decision-makers.
  4. Advanced, Targeted Approach: HRM leverages AI and automation to create personalized, targeted risk management programs, replacing the "one-size-fits-all" nature of traditional SAT.
  5. Real-Time Detection and Nudge Alerts: Speed is essential. By monitoring activities like email use, data storage, access management, web browsing, and patching practices, HRM systems can trigger nudge alerts to correct risky behaviors before they result in a security incident.
  6. Human Threat Intelligence for Early Breach Detection: HRM incorporates human threat intelligence into the security stack, enabling early detection and response to threats like phishing and social engineering.
  7. Accelerated Incident Response: The ability to identify and mitigate risks before they escalate into breaches drastically reduces the potential damage and cost.
  8. Regulatory Compliance and GRC: With new regulations such as the SEC disclosure law in N America, and NIS2 and DORA in Europe, HRM is far better suited to help the C-suite manage their personal liability alongside governance, risk, and compliance (GRC) requirements. The HRM model provides demonstrable proof of security efforts, which is essential for regulatory reporting.
  9. Facilitates Cyber Insurance: Obtaining cyber insurance with favorable premiums is increasingly difficult due to stricter compliance requirements. The HRM model's ability to reduce risk and provide verifiable metrics makes it easier to qualify for cyber insurance and secure better rates.
  10. Builds culture: Continuous learning and engagement embeds security into organizational culture with measurable participation and progress.

By adopting HRM, security leaders can not only improve the security posture of their organization but also effectively communicate the value of their efforts, reduce risks in real-time, and stay ahead of evolving compliance demands. The old SAT model is no longer sufficient in today's dynamic threat landscape, while HRM offers a forward-thinking, comprehensive solution.

Where should a Human Risk Management program focus?

With so many risky human behaviors, where should an HRM program begin? Start with your biggest, most expensive risk. Behaviors associated with social engineering and phishing constitute the greatest risk of data breaches, so HRM should start there. Focus on threat reporting because it is the single-greatest risk-reducing behavior.

Done correctly, Human Risk Management aligns the pillars of cybersecurity: people, processes, and technology. In the process, it will produce behavior change results you’d probably never thought possible. Hoxhunt data shows that: engagement soars by 6X within 6 months; phishing simulation failure rates decline by 6X; and real threat reporting skyrockets by 10X.

This is cultural transformation, painted with numbers.

Most cyber frameworks and guidelines propose that people should be at the heart of cyber strategy. But only with an HRM platform can that actually be done in a meaningful way, with human behavior and threat intelligence actively integrated into the security stack.  

But even with the advent of HRM, Security Awareness Managers (SAMs) and CISOs find little guidance for transcending the tick-box SAT model to measure human cyber risk, change behavior and build culture.

The HRM model picks up where the legacy SAT model stops, at basic cyber literacy. Different approaches are offered by different platforms, but the unifying thread in the emerging HRM model is that behavior change triggers a cascade of steps:

  • Shifting left to reduce bad clicks
  • Multiplying real threat detection
  • Creating cultural transformation
  • Reducing human cyber risk across the most risky cyber behaviors
  • Augmenting the SOC
These same principles for managing human risk around phishing and social engineering can then be deployed across the gamut of risky behaviors.

The CISO’s Human Risk Management Program Playbook

Human Risk Management begins with managing your greatest risk: social engineering and phishing. Two sides of the same coin, social engineering and phishing include spear phishing, BEC, ransomware, malware, credential harvesting, high volume campaigns, AitM, extortion, romance scams, deep fakes, vishing, smishing, and all other attacks targeted at people.

Social engineering self-defense skills are developed with a training platform built on:

  • Behavior - Threat reporting
  • Gamification - A design approach based on behavioral science
  • Engagement - Highly motivated keep themselves and colleague safe
  • Meaningful metrics - Measure and manage the behaviors that actually matter, starting with threat reporting
  • Automation - Let AI do the heavy operational lifting
  • Personalization - Customize training to individual needs and backgrounds
  • Adaptive learning - Auto-adjust content and difficulty to user skill level

Security training evolves into Human Risk Management when each employee is equipped with the skills and tools to recognize and report social engineering attacks as naturally as swatting  mosquitoes; and the security team has the infrastructure to leverage that threat intelligence for accelerated incident response.  

Step 0: Focus on behavior

Step zero of the Human Risk Management playbook is to focus on behavior, not security awareness. The most impactful cyber behavior is threat reporting because it removes the threat from the system and accelerates incident response. There’s no better proof of a security training program’s effectiveness than a rise in simulated and real phishing reports.

By focusing on the single most important behavior to cybersecurity, you will achieve outsized security ROI.

Fortune 500 energy company, AES won a prestigious CSO50 Award for their gamified security awareness engagement program, which deliberately scrapped the SAT model for the gamified security behavior change model. Their results are aspirational.

Step 0.5: Select the right platform

Managing a Human Risk Management program entirely in-house takes tremendous resources, starting with the security behavior change operations. There are several options out there to help you. Find the right tool for the job.

Some considerations when making your cyber training software decision are:

  • Will the platform integrate into my environment?
  • Is it engaging? What are their engagement rates?
  • Does it have good reviews from admins and end users?
  • Is it really automated? Sometimes, claims about automation aren’t grounded in fact.
  • What measurable outcomes around behavior and risk management are offered?
  • Does it do what I need it to do today (e.g. compliance), and will it do what I want to do later on, i.e. reduce risk across multiple core behaviors?
  • Does training and user experience align with our cultural values, e.g. reward-based and uplifting vs. punitive and terrifying?
  • Is there automatic report generation?
  • Are there powerful risk dashboards?
  • Is the platform dynamic with the changing threat landscape?
  • Will the platform automate the heavy operational lifting?
  • Is there a dedicated CS team to get the program moving and keep it on track?

You can find free objective resources for reviewing vendor options on G2.com or Gartner Peer Review Insights, where you’ll find that Hoxhunt tops the list, as well as sites like Expert Insights: Research and Compare Top Business Cloud IT and Cybersecurity Solutions | Expert Insights . Frost & Sullivan, Forrester, and Gartner have or will soon release their inaugural  Human Risk Management Radar / Wave / Magic Quadrant reports in 2024 or 2025.

Step 1: Secure executive buy-in

Rolling out a new security training program should be looked at as an exercise in change management. Success will pivot on leadership buy-in. Not only do you need leadership to support your program as role models, you need their approval for the right tools, resources, and budget.

Start by talking the C-suite’s language: business risk. Provide outcome driven metrics that demonstrate the value of the program in terms of behavior change and its impact on reduction of cyber risks and costs.

More and more enterprises have a board seat reserved for a security representative. Some, such as TomTom, even give the CISO a seat on the Board. It's crucial to establish influence and buy-in to HRM at the very top.

What does buy-in look like? At AES, top performers in security training get a quarterly bonus as part of an incentive model for building their security culture.

Step 2: Build bridges throughout the organization

Form a cross-functional, interdepartmental cyber advisory group. Find influential members of different teams who you can ultimately count on to inform you about their needs and challenges, and become champions of your training program.

Make an effort to reach out beyond IT and connect with people whose job involves communicating corporate messages and programs across the org. Talk to HR, Communications, Marketing, and Sales. These people are trained in communicating vital information to large audiences persuasively.

Get them talking about cyber so much that it becomes a water cooler topic.

Step 3: Break the awareness silo

HRM ultimately dissolves the silo around security awareness to connect human threat intelligence to the security stack. Start doing that with your awareness program. Training touches multiple points of the security function. It should therefore involve representatives across relevant security functions to assist with program management.

Security Awareness Managers can sometimes be left isolated and unsupported, which will limit the effectiveness of the training. HRM connects the fruits of their labor to the SOC. Working together, you can ensure the results of the behavior change program--human threat intelligence--is plugged into the security stack and put to good use. As Victorinox might say, HRM is a Swiss Army Knife where SAT is a dull spoon.

Step 4: Reward, don’t punish, and create a culture of ‘Yes!’

CISOs aren’t always as popular as they should be. They sometimes don’t feel included at the proverbial water cooler, and feel uninvited to the C-Suite’s grownup table.

Your training program is the key to unlocking the door to the Room Where It Happens.

Good training positions the conversation you want to have across the organization about cybersecurity as a vitally important topic. You can even make cyber fun and cool. If your cyber training is built on psychological safety, people will be encouraged to reach out to security for help and guidance.

Think of it as transforming the security team’s image from Dr. No to Dr. How. The world’s leading software review site, G2, selected Hoxhunt for its positive psychology approach with gamification, and reported that they’d “seen the light” with the uplifting approach to people and culture.

Step 5: Starting with your biggest risk, measure ODMs that matter

Measurement is the bedrock of Human Risk Management. The defining characteristic of HRM is outcome driven metrics (ODM), and there’s no better ODM than real threat detection. Connecting the behavior change in the simulated and real environments--namely, threat detection--demonstrates that risk is being reduced at its greatest source, and breaches are being mitigated and prevented.

So start by building your human risk management program around threat reporting behavior. Reward those good clicks in-platform with a digital high five.  

Phishing doesn’t stop at training, so neither should your program’s metrics. It’s crucial to track how well, how fast, and how often people are recognizing and reporting real threats. A surge in real threat detection is the best proof that phishing training is making an impact. Having a training platform whose reporting button can be used on real and simulated phishing attacks is a huge help.

7 key metrics of security behavior change training are:

  1. Training engagement rate
  2. Phishing simulation reporting rate
  3. Phishing simulation failure rate
  4. Resilience rate: Reporting rate divided by failure rate
  5. Phishing simulation dwell time (how long it takes to report a threat after it’s landed in
    your inbox)
  6. Real threat detection rate
  7. Real threat detection dwell time

4 essential ODMs of human risk management are:

  1. Phishing simulation reporting rate
  2. Phishing simulation dwell time (how long it takes to report a threat after it’s landed in
    your inbox)
  3. Real threat detection rate
  4. Real threat detection dwell time

Step 6: Reporting

A good platform will generate reports on the above metrics, and more, that you can show to leadership to communicate the value of your program and its effectiveness. Risk dashboards help with this, as do auto-generated reports around relevant metrics such as phishing simulation reporting and failure rates, engagement rates, threat detection and mitigation, an dwell time.

Step 7: Target behavior-based engagement, not failure rate

The HRM program is built on engagement. If people aren’t learning, then they aren’t improving. In a behavior-based program, the best way to achieve engagement is to reward good behavior and gently coach away bad behavior. The Hoxhunt platform does this via gamification, with in-platform rewards like stars, badges, and leader boards.

Engagement with an SAT tool is less outcome-based and more opaque, as everything other than failing a phishing simulation is tacitly accepted as a success.

Punishment-based training limits training experiences to only those who click on a simulated phish. Most companies have engagement rates between 5% to 20% with a traditional quarterly SAT program. Giving training only to that small portion of phishing simulation failures ignores the vast majority who passed on it. And the negativity associated with cyber training sours people on the whole topic.

Encourage people to be courageous and act. You want an open dialogue between security and the rest of the organization. If someone clicked, the faster they report it then the faster you can mitigate the damage.

Docusign said they selected Hoxhunt for satisfying several behavioral science criteria, including frequency of reward-based training. And Avanade added that they wished for a program that was designed to meet people where they're at, in order to take them where they need to go.

Exponentially fewer data points are available with an unengaged employee population. In a hypothetical 10,000-person company, an SAT tool that produces a 10%engagement rate with 4 simulations per year, compared to a behavior change program with a 50% engagement rate on 36 simulations per year, breaks down to:

SAT: 4000 data points, confined to a small cohort
Behavior Change: 180,000 data points, representing a statistically significant cohort

Understanding what makes your people tick (and click), and turning that around starts with measuring the behaviors you want to improve.

Step 8: Make training frequent, short, and varied

A yearly or quarterly video won’t cut it. A massive library of dry, uninteresting content won’t move the needle. So stop thinking about quantity, and focus on quality of engagement.

Research like that of Stanford's BJ Fogg shows that behavior change happens with engagement with frequently repeated practice. Recognizing and reporting phishing simulations takes 30-60 seconds, and can be followed by an awareness micro-training moment. Threat reporting is a behavior that can be conditioned with the repeated, realistic practice of spotting telltales of social engineering attacks and reporting them with a simple and rewarding process.

If people aren’t engaged and actively reporting threats, they aren’t learning. So begin conditioning cyber-positive behavior with carrots, not sticks.

Step 9: Risk-based, targeted interventions

Research by Cyentia has shown that 4/5 of cyber events are caused by just 4% of employees, mostly from repeat clickers of malicious links. Qualcomm identified their own subset of repeat offenders and enrolled those 1,000 employees in an adaptive phishing training program. The “Risky 1K’s” results in periodic benchmark tests were compared against the rest of the 50,000-employee company.

A few people can cause the most problems

  • 80% of phishing breaches are caused by 4% of users
  • 92% of malware events are caused by 3% of users
  • 1% of users will average an incident every other week

Within months, the Risky 1K were reformed. They graduated from phishing prisons to the head of the class, and outperformed the rest of the company so significantly that the security team secured approval for an org-wide Hoxhunt roll-out that has since improved phishing simulation failure rates globally by 6X.

These results earned a prestigious CSO50 Award from Foundry.

Step 10: Connect your training output to your SOC input

Human threat intelligence is a terrible thing to waste.

A good behavior change program will result in a 10X increase in real threat reports to your threat feed. Today, as more and more sophisticated threats bypass email filters, that human threat intelligence is a competitive advantage when integrated into the security stack. It's the army behind the moat behind the castle walls, who also actively report spies who try to enter and reinforce the castle walls with the cannon balls and arrows they collect from the enemy; it's another active security layer behind the technical firewall.

Find a platform that will auto-categorize the threat reports and escalate the prioritized incidents for response. This will accelerate SOC response and augment the quality of their work.

Step 11: Create a feedback loop between training content and the threat feed

It’s important to stay at the cutting edge of the constantly-evolving threat landscape. Transform the latest phishing attacks into valuable learning experiences by reformatting them into hyper-realistic phishing simulations.

Step 12: Customizable content

Training must be relevant to the user’s background, job role, and skill level as they change over time. Find a training platform that automatically adapts training from its library, via AI, to the user’s needs. From there, you can further use AI in the platform to create targeted content that suits your goals.

Step 13: Execute a Proof of Concept trial

Perform a cyber challenge. Put different segments of your employee user base on different training programs, and compare their results with periodic benchmark tests. Let the results speak for themselves.

The transformative results of Qualcomm’s "Worst-to-First Employee Phishing Performance"  precipitated an org-wide rollout of Hoxhunt that measurably reduced risk by orders of magnitude.  AES, Avanade, TomTom, Bird&Bird, DocuSign, and Victorinox are just a few examples of enterprises who started with a POC that led to a general rollout.

Step 14: Ace the roll-out

Every preceding step has positioned you for a successful rollout. Having leadership buy-in and a stable of cybersecurity champions supporting you, launch the full program with the platform’s dedicated customer success team. You’ll likely be sending out a series of communications that will alert the organization of your new Human Risk Management program. This will officially kick off with a training email that walks users through the process of using the reporting button integrated into the email client. A good platform will be interactive even in the onboarding communications. It should feel like a video game: easy enough that the user feels a sense of success and accomplishment with the first training experience to crave more.

Step 15: Now measure, manage, and mitigate the other risky behaviors

The principles of an HRM approach to social engineering can be applied to a broad range of human behaviors. Having established a security culture with your security awareness and phishing training program, the security team can now address the other threats that the HRM platform alerts them to.

The platform should do the heavy lifting. When a user doesn’t properly use MFA, or securely browse the web, or share sensitive data, then the platform can alert both the user and the admin and trigger a behavioral nudge in real time. It’s up to the security team to decide the most prudent course of action upon prevalent trends.

Results: Humans are you greatest resource

Imagine if everyone from the board room to the mail room were so excited about cybersecurity they actually asked you for more training.

Imagine if your engagement rate were to soar from 10-20% to over 60%.

Imagine if your engagement was built on the critical behavior of reporting both simulated and real phishing attacks.

Imagine if people clicked 6 times less on phishing emails.

Imagine if 2/3 of your workforce were actively reporting real threats.

With a good HRM platform, this can all be achieved, not just imagined.

The above improvement is dramatic, and it's the product of:

A) An effective HRM platform

B) A dedicated Customer Success team that gets the program on track, and ensures it stays on track.

These results represent the progress of 2 million users who've onboarded with the help of a Hoxhunt CS team. The baseline engagement, failure, and threat reporting rates with old-school SAT tools vary between company and program. We've seen that behavior-based engagement is around 7%, with 20% failure rates, and 80%+ unengaged populations. Most companies, even highly mature ones like AES, report 10% engagement rates with standard tools.

But during onboarding with a security behavior change program, something magical happens: a phase change occurs. Behavior-based engagement soars by over 6x. Failure rates are cut in half. And that's just with the onboarding.

Once the program is on track, the platform continues the magic.

Phishing simulations are sent every 10 days. Even though they are designed to get harder as the user's skill level improves, failure rates continue to drop while threat reporting rates continue to climb. Users stay engaged for years on end as the difficulty level of the training remains just hard enough to give people a sense of accomplishment with every threat report. And those gains are locked in by the platform's Instant Feedback feature, which rewards real threat reports with realtime feedback so people know immediately the impact they've made on their org's security.

People stay engaged for years on end. Their behavior change is sustained. Employees become the solution to the very problem of human risk.

Become a Human Risk Management expert

[.c-cta-box][.c-cta-content][.c-title-wrapper][.c-title]HRM Master Class[.c-title][.c-title-wrapper][.c-paragraph-wrapper][.c-paragraph]Sign up for this HRM Master Class, Evolving to Human Risk Management, presented by the former Director of Security Awareness at H&M, Maxime Cartier, who has evolved to Hoxhunt's Head of Human Risk Management.[.c-paragraph][.c-paragraph-wrapper][.c-button-wrapper][.c-button]REGISTER[.c-button][.c-button-wrapper][.c-cta-content][.c-cta-box]