Beyond awareness: Human risk management metrics for CISOs

Traditional security training isn't keeping threat actors out. As employee awareness programs fall short, Forrester Research suggests a better approach.

Security decision-makers face a multipronged challenge when it comes to protecting their organizations' systems and sensitive data.

First, the organization's employees pose the greatest cybersecurity risks. Beyond malicious insider threats, security teams face a host of challenges from phishing attempts, social engineering, deepfakes and human error.

Then, there is the inconvenient truth that traditional security training simply does not work. For decades, employees have grudgingly taken mandatory annual security programs while the number of breaches has continued to climb. There is a data problem, too. Nontechnical leaders point to completion rates as evidence that security awareness training succeeded and assume the perimeter is secure. Security professionals, however, know better and struggle to attach any meaningful outcome to employee training.

Forrester Research has proposed an alternative to traditional security awareness that can improve security culture while truly demonstrating a stronger cybersecurity posture: human risk management.

What is human risk management?

According to Forrester, human risk management is a set of bespoke activities to manage and reduce the cybersecurity risks posed by the people that security teams strive to protect in an organization. Activities include the following:

  • Detecting and measuring security behaviors that could lead to vulnerabilities.
  • Initiating targeted policy and training interventions based on identified risks and potential threats.
  • Educating and enabling the workforce to protect themselves and their organizations against cyberattacks.
  • Creating an organizational culture that prioritizes security and encourages proactive risk management.

While these elements might bear a passing resemblance to traditional security awareness training programs, they represent a broader, data-driven approach that addresses human vulnerabilities in cybersecurity. Human risk management requires security teams to move beyond a cadence of scheduled security trainings that might or might not apply to users and instead embrace interventions based on the risky security behaviors arising from how people actually work.

"Human risk management is not security awareness training 2.0," explained Jinan Budge, vice president and research director at Forrester. "It is quite a significant shift in mindset, in strategy and, most importantly, in technology."

A punishing threat landscape

In its 2025 annual report, the FBI Internet Crime Complaint Center reported a sharp upward trend in cybercrime, with financial losses estimated at $20.877 billion, a 397% increase from five years earlier. Human-enabled activities accounted for a significant portion of losses, with business email compromise, ransomware, spoofing and phishing cumulatively costing companies about $3.3 billion.

When attacks targeting humans were limited in scope and easy to spot, traditional security training was enough for most businesses to stay reasonably secure. The number of threat actors has ballooned, however, and their methods have grown vastly more sophisticated. Old-school security awareness is no longer sufficient.

Budge contended that too many organizations still rely on outdated indicators to determine whether they are secure. "The purpose stated for security training, this thing that we've been doing for decades, has been to make people aware, which isn't a proper purpose," she said. "If we're standing there telling our boss or executives that completing security training protects us from risk, it does not. Behavior change protects us from human-related breaches, not [security training] completion. Completion is almost irrelevant."

Better data to reduce human risk

The human risk management approach replaces or augments mandatory checkbox training sessions with proactive interventions that address an employee's risky behaviors. The security interventions are intended to be helpful rather than punitive. By harnessing the rich data streams available to security operations, CISOs can identify which actions create vulnerabilities and address them in near-real time.

"Human risk management allows organizations to measure the risk of an individual or team based on that risk, to train them, to nudge them, to adjust the policies based on their actual behavior," Budge said. "So, rather than training you on all the things all of the time, your training becomes very specific to the risk that you actually pose to the organization, which, in turn, is based on your behavior. Do you use strong passwords? Do you email highly classified information? Are you a senior person with access to lots of information? Do you use VPN?"

Such a targeted approach helps employees understand what they are doing wrong, learn how to do it right and see why it matters.

5 steps to identify and operationalize human risk management metrics

Human risk management programs can truly change employee behavior. Selling the C-suite on a new approach, however, is a challenge CISOs must contend with first.

Forrester recommends the following five steps to develop meaningful and actionable human risk management metrics that the board will understand and approve.

Step 1. Define goals that align to three metric types

Human risk management metrics start with clearly defined objectives that map to the broader goals of the security program. Teams align metrics to goals such as risk avoidance, more complete training, reduced security friction and higher detection quality. Priorities will vary based on the organization's structure, resourcing model and security maturity. To ensure metrics are meaningful and consumable, segment them into three types:

  1. Strategic metrics inform executive leadership and the board, focusing on business risk and program impact.
  2. Operational metrics support the CISO and security leadership in managing program performance.
  3. Tactical metrics guide day-to-day activities within the security team.

The three types of metrics are interconnected. Tactical data feeds operational insights, which roll up into strategic reporting. This hierarchy enables security leaders to translate granular activities into business-relevant outcomes and, conversely, trace executive-level metrics back to underlying drivers.

Step 2. Prioritize pragmatic, useful metrics

Once goals are defined, prioritize the relevant metrics that drive action. Metrics should provide clear evidence of change, particularly in user behavior, so teams can determine whether interventions such as training or policy updates are effective. Avoid tracking data points that lack context or fail to inform decision-making. Metrics that are disconnected from outcomes can introduce noise, be misinterpreted or incentivize counterproductive behavior. Retire or refine metrics that no longer add value.

Step 3. Implement data collection mechanisms

Reliable human risk management metrics depend on consistent and scalable data collection. Many organizations use dedicated platforms that integrate with existing security controls, e.g., endpoint detection and response, data loss prevention, and identity and access management systems, to capture behavioral signals. Insights gleaned include user activity, behavioral trends, identity attributes and data handling patterns.

Step 4. Report and communicate insights

Customize reporting for the intended audience at each level of the organization:

  • Executives and board members require strategic metrics that highlight business impact, risk exposure and progress in mitigation efforts.
  • Security leadership benefits from operational views that reveal program performance and opportunities for optimization.
  • Practitioners need tactical metrics to guide activities and execution.

Context is critical. Pair metrics with visualizations and narrative to clarify trends, highlight causality and support decision-making.

Step 5. Establish baselines and targets

Once data collection is in place, define baselines that reflect the organization's current state. This data is the foundation for setting realistic, incremental improvement targets tied to security activities -- such as reducing specific behaviors or improving adoption of security controls. Over time, improvements contribute to broader indicators, such as overall human risk scores or security culture maturity.
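The following is an added illustration of the five steps end to end; it is not Forrester's scoring model or any vendor's code. It takes constructed behavioral events of the kind a platform would pull from a phishing simulator, DLP, IAM and EDR, builds the tactical view (per-user signal counts), rolls it up to the operational view (team scores) and the strategic view (an organization-wide score), reads that score against an assumed baseline and target, and picks the users who should get a targeted nudge. The signal names, weights, threshold, roster, baseline and target are all assumptions made for the example.

```python
"""Added illustration (not Forrester's or any vendor's model) of how per-user
behavioral signals roll up into the three metric tiers and are read against
a baseline and target. Signal names, weights, threshold and roster are
assumptions made for the example."""
from collections import Counter, defaultdict
from statistics import mean

# Assumed roster: every user counts, including those with no events,
# so teams are not scored only on the people who happened to trip a control.
ROSTER = {
    "alice": "finance", "bob": "finance",
    "carol": "eng", "dave": "eng", "erin": "eng", "frank": "eng",
}

# Constructed sample events (user, signal) of the kind a human risk
# platform ingests from a phishing simulator, DLP, IAM and EDR.
EVENTS = [
    ("alice", "phish_click"),
    ("alice", "dlp_block"),
    ("bob", "mfa_not_enrolled"),
    ("carol", "phish_report"),
    ("dave", "phish_click"),
    ("dave", "phish_click"),
    ("erin", "dlp_block"),
]

# Assumed weights: positive values add risk, negative values are protective
# behaviors that offset it.
WEIGHTS = {
    "phish_click": 3.0,
    "mfa_not_enrolled": 4.0,
    "dlp_block": 2.0,
    "phish_report": -1.0,
}


def tactical_counts(events):
    """Tactical tier: how often each user triggered each signal."""
    counts = defaultdict(Counter)
    for user, signal in events:
        counts[user][signal] += 1
    return counts


def user_scores(events, roster=ROSTER):
    """Weighted per-user score, floored at zero so protective behavior
    cannot push a score negative."""
    counts = tactical_counts(events)
    return {
        user: max(0.0, sum(WEIGHTS[s] * n for s, n in counts[user].items()))
        for user in roster
    }


def team_scores(events, roster=ROSTER):
    """Operational tier: mean user score per team."""
    scores = user_scores(events, roster)
    members = defaultdict(list)
    for user, team in roster.items():
        members[team].append(scores[user])
    return {team: mean(vals) for team, vals in members.items()}


def org_score(events, roster=ROSTER):
    """Strategic tier: mean score across the whole roster."""
    return mean(user_scores(events, roster).values())


def progress_to_target(baseline, current, target):
    """Fraction of the planned reduction achieved: 0.0 at baseline,
    1.0 once the target is met, clamped to that range."""
    if baseline == target:
        return 1.0 if current <= target else 0.0
    return max(0.0, min(1.0, (baseline - current) / (baseline - target)))


def intervention_candidates(events, threshold, roster=ROSTER):
    """Users whose score meets the threshold and so should receive a
    targeted nudge or training rather than the whole workforce."""
    return sorted(u for u, s in user_scores(events, roster).items() if s >= threshold)


if __name__ == "__main__":
    print("tactical:", {u: dict(c) for u, c in tactical_counts(EVENTS).items()})
    print("operational:", team_scores(EVENTS))
    current = org_score(EVENTS)
    # Assumed baseline 3.5 from a prior period and target 2.5 for this quarter.
    print("strategic: %.2f, progress to target: %.0f%%"
          % (current, 100 * progress_to_target(3.5, current, 2.5)))
    print("nudge:", intervention_candidates(EVENTS, threshold=4.0))
```

Two design points matter more than the arithmetic. Scoring is done over the full roster rather than over the users who generated events, because a team average computed only from people who tripped a control is inflated and hides the quiet majority. And the per-user score is floored at zero so a single reported phish cannot cancel out a missing MFA enrollment; if weights like these are used in production they should be validated against real incident outcomes, and the scores used to target help, not discipline, in line with the non-punitive intent described above.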

An image makeover for security

With cybersecurity threats evolving so swiftly, organizations cannot afford to rely on outdated security awareness programs that fail to address the root causes of human vulnerabilities. Human risk management offers a transformative approach, shifting the focus from mere awareness to actionable behavior change.

Budge said she expects human risk management to help CISOs improve security operations. "It solves a productivity and an image problem for security. Sending people this random training has not helped them. Whereas when you get really targeted at the right person at the right time at the right place, that changes the image of security completely."

Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.