Why 82% of Breaches Involve Human Risk Factors (And What That Means for Security Culture)
It’s Not Just Tech—It’s Human.
Team CM
Sep 1, 2025 5:00:00 PM
Security teams everywhere are feeling it: too much to do, too few people to do it, and mounting pressure to "solve the human problem" once and for all. But the truth is, human risk isn’t a simple awareness issue. It’s a complex, evolving challenge that requires a different kind of thinking, tooling, and support to tackle effectively.
Welcome to the era of Human Risk Management (HRM).
Human Risk Management is a strategic approach to identifying, understanding, and reducing cybersecurity risk caused by human behaviors, decisions, and vulnerabilities. Unlike traditional cyber awareness programs that focus on pushing content or checking training boxes, HRM programs aim to:
Map risk across different roles and behaviors
Build secure habits and decision-making patterns
Create resilient cultures that respond to risk, not just recognize it
HRM bridges gaps between cybersecurity, operations, behavior science, and business leadership. It expands the view from "awareness training" to full-spectrum risk reduction.
Many organizations still rely heavily on legacy cyber awareness programs. You know the ones: an annual training course, a few emails about phishing, and maybe a poster in the breakroom.
But today’s threat landscape is not static. It evolves faster than most awareness efforts can keep up. AI-generated phishing, deepfake manipulation, insider threats, and cognitive overload make it harder than ever for people to "do the right thing."
That's why leading organizations are making the shift:
From content to context: Tailoring programs to roles, behaviors, and business realities
From training to tooling: Leveraging measurement, micro-interventions, and nudges
From awareness to ownership: Empowering teams to engage with security meaningfully
In short, they’re scaling from cyber awareness programs to full Human Risk Management programs.
So if HRM is the better way forward—why are so many teams stuck?
The SANS 2025 Security Awareness Report found that over 70% of awareness professionals lack the time, budget, or headcount to meaningfully evolve their programs. Security leaders are often spread thin, balancing compliance, training, reporting, and reactive incident support.
Here are three major blockers to scaling:
No clear framework: Many teams are reinventing the wheel. Without a tested framework for program maturity, teams can’t benchmark or scale efforts effectively.
Overloaded teams: Security staff are often pulled in too many directions. HRM requires continuous effort, creativity, and care—not just quarterly training pushes.
Tool and data gaps: It’s hard to manage what you can’t measure. Many organizations lack tools to track behavior change, risk trends, or cultural signals.
The result? Programs plateau, risk increases, and security leaders feel like they’re failing—even when they’re doing everything they can.
Scaling a Human Risk Management Program isn’t about doing more with what you have. It’s about doing it differently.
That might mean:
Partnering with managed service providers who specialize in HRM
Moving beyond phishing simulations to full behavior and culture campaigns
Using real-time measurement to drive interventions and show progress
Aligning awareness efforts with board-level risk priorities
And most importantly—giving security teams the scaffolding, structure, and support to actually scale, instead of burning out.
Want to know what it would take to scale your program?
Follow us on LinkedIn for more leadership-focused blogs, or talk to our team—we don’t bite.
(And yes, we build scaffolding for programs that actually scale.)
Human Risk Management (HRM) is a modern approach to reducing cyber risk caused by people
HRM programs go beyond training—they measure, adapt, and scale behavior and culture
Most teams struggle to scale due to resource constraints, lack of frameworks, and tooling gaps
Moving from awareness to HRM requires new thinking, managed support, and behavioral insight