惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
Recent Commits to openclaw:main
Recent Commits to openclaw:main
H
Heimdal Security Blog
SecWiki News
SecWiki News
H
Hacker News: Front Page
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
N
News and Events Feed by Topic
TaoSecurity Blog
TaoSecurity Blog
AI
AI
C
Cybersecurity and Infrastructure Security Agency CISA
Scott Helme
Scott Helme
PCI Perspectives
PCI Perspectives
S
Securelist
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Cyberwarzone
Cyberwarzone
A
Arctic Wolf
Forbes - Security
Forbes - Security
T
Tor Project blog
Spread Privacy
Spread Privacy
WordPress大学
WordPress大学
I
Intezer
Martin Fowler
Martin Fowler
Help Net Security
Help Net Security
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Cisco Talos Blog
Cisco Talos Blog
Latest news
Latest news
博客园 - 司徒正美
W
WeLiveSecurity
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
V
V2EX
P
Palo Alto Networks Blog
Google DeepMind News
Google DeepMind News
IT之家
IT之家
阮一峰的网络日志
阮一峰的网络日志
V
Vulnerabilities – Threatpost
Jina AI
Jina AI
S
Security Affairs
Hacker News - Newest:
Hacker News - Newest: "LLM"
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
T
Threatpost
P
Privacy International News Feed
人人都是产品经理
人人都是产品经理
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - Franky
Hugging Face - Blog
Hugging Face - Blog
Apple Machine Learning Research
Apple Machine Learning Research

Search Security Resources and Information from TechTarget

How to operationalize threat modeling with AI | TechTarget CISO First fully agentic ransomware attack sparks readiness concerns | TechTarget Evaluating secure enterprise browsers vs. security plugins | TechTarget The AI vulnerability storm is here: Is your security program ready? | TechTarget Perimeter to posture: A roadmap to zero trust maturity | TechTarget TLS certificate lifetime changes: What CISOs must do now | TechTarget The agentic AI 8 key aspects of a mobile device security audit program | TechTarget Why mobile security audits are important in the enterprise | TechTarget Beyond the perimeter: The shift to data-centric protection | TechTarget How agentic AI threat intelligence aids NGO cyber defense: Case study | TechTarget How to conduct a mobile app security audit | TechTarget NO FAKES Act advances: What CISOs need to know | TechTarget What CISOs should know about AI runtime security | TechTarget As Q-Day looms, 90% of systems are unprepared for PQC | TechTarget A CISO Most security pros say their culture is Zscaler lays out its vision to secure the AI era at Zenith Live | TechTarget The OpenClaw security risks every CISO needs to know | TechTarget Cloud security metrics and KPIs: A CISO Florida public sector training on SimSpace cyber range: Case study | TechTarget Reporters' Notebook — Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security It's time to update incident response for the AI era How to build AI security guardrails without blocking innovation The prosecution gap: Why cybercrimes go unpunished AI in cyberdefense: Learning from threat actors' playbooks Top identity and access management risks CISO role changes as cyber-risk appetites in the C-suite grow CISO's guide to data minimization Researchers build autonomous AI worm that can reason and adapt How to secure data at rest, in use and in motion How to find cyber-risk data sources for a FAIR analysis Lost in translation: Cybersecurity board reporting for CISOs How to prepare security controls for future AI regulations EO 14390 raises stakes for enterprise cybersecurity First month of Mythos Preview testing exposes 10K flaws OT attacks shift from recon to physical control, raising stakes For CISOs, dawn of OpenAI Daybreak brings good and bad news Gartner Security & Risk Management Summit 2026: Adapting for AI | TechTarget Inside business email compromise attacks: Real-world examples Verizon 2026 DBIR: 6 key takeaways for CISOs Identity security for AI agents: The proliferation challenge How to build a business impact analysis checklist Taking care of business: The CISO's role in a cyber crisis What CISOs need to know about AI audit logs SOC vs. MDR: What CISOs need to consider Instructure cyberattack reignites ransom payment debate Transform SIEM rules with behavior-based threat detection CISO's guide: How to test an incident response plan How to implement zero trust for AI Data after the breach: Economics of the dark web The breakup: Why CISOs are decoupling data from their SIEMs | TechTarget News brief: Security worries and warnings as AI use expands How to construct an effective security controls evaluation 5 leading enterprise password managers to consider Claude Mythos changes the AI security threat matrix Buyer 6 things to check in your cyber insurance policy fine print How cyber insurance helped with breach recovery -- or not News brief: Critical infrastructure, OT cybersecurity attacks Tape's strategic role in modern data protection Top zero-trust use cases in the enterprise What every CISO should consider before a SIEM migration CISO's guide to centralized vs. federated security models Shadow code: The hidden threat for enterprise IT How to fix cybersecurity's agentic AI identity crisis 5 top SIEM use cases in the enterprise Top 8 e-signature software providers for 2026 How do digital signatures work? News brief: AI woes continue for security leaders Deepfake era demands proof-based security, not just awareness Is SOAR dead or alive? Sort of The push for digital sovereignty: What CISOs need to know Cybersecurity in the age of AI means bigger, faster threats At RSAC 2026, AI optimism and anxiety -- and an MIA U.S. government Inside the SOC that secured RSAC 2026 Conference How to roll out an enterprise passkey deployment How to improve the SOC analyst experience -- and why it matters How contact centers detect and prevent fraud News brief: Iranian cyberattacks target U.S. water, energy CISO checklist: Cybersecurity platform or marketing ploy? RSAC 2026 Conference: Key news and industry analysis | TechTarget Next-generation firewall buyer's guide for CISOs Contact center monitoring best practices for CX leaders RSAC 2026: Cyber insurance and the rise of ransomware Agentic AI's role in amplifying and creating insider risks RSAC 2026 recap: AI security and network security trends Identity security at RSAC 2026: The new enterprise dynamics Meaningful metrics demonstrate the value of cyber-resiliency What to know about red team testing and the law News brief: Iran cyberattacks escalate, U.S. targets named 5 top SOC-as-a-service providers and how to evaluate them Cloud security architecture: Enterprise cloud blueprint for CISOs Contact center compliance checklist for modern workforces How AI caught a malicious North Korean insider at Exabeam Watch your words: Tim Brown's advice for CISOs News brief: U.S. absence at RSAC sparks leadership concerns Network security management challenges and best practices 10 enterprise secure remote access best practices
Beyond awareness: Human risk management metrics for CISOs
2026-04-21 · via Search Security Resources and Information from TechTarget

Richard Livingston

By

Published: 21 Apr 2026

Security decision-makers face a multipronged challenge when it comes to protecting their organizations' systems and sensitive data.

First, the organization's employees pose the greatest cybersecurity risks. Beyond malicious insider threats, security teams face a host of challenges from phishing attempts, social engineering, deepfakes and human error.

Then, there is the inconvenient truth that traditional security training simply does not work. For decades, employees have grudgingly taken mandatory annual security programs while the number of breaches continues to spiral out of control. There is a data problem, too. Nontechnical leaders point to completion rates for security awareness training success and assume the perimeter is secure. Security professionals, however, know better and struggle to attach any meaningful outcomes to employee training.

Forrester Research has proposed an alternative to traditional security awareness that can improve security culture while truly demonstrating a stronger cybersecurity posture: human risk management.

What is human risk management?

According to Forrester, human risk management is a set of bespoke activities to manage and reduce the cybersecurity risks posed by the people that security teams strive to protect in an organization. Activities include the following:

  • Detecting and measuring security behaviors that could lead to vulnerabilities.
  • Initiating targeted policy and training interventions based on identified risks and potential threats.
  • Educating and enabling the workforce to protect themselves and their organizations against cyberattacks.
  • Creating an organizational culture that prioritizes security and encourages proactive risk management.

While these elements might bear a passing resemblance to traditional security awareness training programs, they represent a broader, data-driven approach that addresses human vulnerabilities in cybersecurity. Human risk management requires security teams to move beyond a cadence of scheduled security trainings that might or might not apply to users and instead embrace interventions based on the risky security behaviors arising from how people actually work.

"Human risk management is not security awareness training 2.0," explained Jinan Budge, vice president and research director at Forrester. "It is quite a significant shift in mindset, in strategy and, most importantly, in technology."

A punishing threat landscape

In its 2025 annual report, the FBI Internet Crime Complaint Center reported a sharp upward trend in cybercrime, with financial losses estimated at $20.877 billion, a 397% increase from five years earlier. Human-enabled activities accounted for a significant portion of losses, with business email compromise, ransomware, spoofing and phishing cumulatively costing companies about $3.3 billion.

When hacking attempts targeting humans were limited in scope and relatively easy to spot, traditional security training was sufficient for most businesses to remain relatively secure. The number of threat actors has ballooned, however, and their methods have grown vastly more sophisticated. Old-school security awareness is no longer sufficient.

Budge contended that too many organizations still rely on outdated indicators to determine whether they are secure. "The purpose stated for security training, this thing that we've been doing for decades, has been to make people aware, which isn't a proper purpose," she said. "If we're standing there telling our boss or executives that completing security training protects us from risk, it does not. Behavior change protects us from human-related breaches, not [security training] completion. Completion is almost irrelevant."

Better data to reduce human risk

The human risk management approach replaces or augments mandatory checkbox training sessions with proactive interventions that address an employee's risky behaviors. The security interventions are intended to be helpful rather than punitive. By harnessing the rich data streams available to security operations, CISOs can identify which actions create vulnerabilities and address them in near-real time.

"Human risk management allows organizations to measure the risk of an individual or team based on that risk, to train them, to nudge them, to adjust the policies based on their actual behavior," Budge said. "So, rather than training you on all the things all of the time, your training becomes very specific to the risk that you actually pose to the organization, which, in turn, is based on your behavior. Do you use strong passwords? Do you email highly classified information? Are you a senior person with access to lots of information? Do you use VPN?"

Using such a targeted approach helps employees understand what they're doing wrong, learn how to do it right and why it matters.

5 steps to identify and operationalize human risk management metrics

Human risk management programs can truly change employee behavior. Selling the C-suite on a new approach, however, is a challenge CISOs must contend with first.

Forrester recommends the following five steps to develop meaningful and actionable human risk management metrics that the board will understand and approve.

Step 1. Define goals that align to three metric types

Human risk management metrics start with clearly defined objectives that map to the broader goals of the security program. Teams align metrics to goals such as risk avoidance, more complete training, reduced security friction and higher detection quality. Priorities will vary based on the organization's structure, resourcing model and security maturity. To ensure metrics are meaningful and consumable, segment them into three types:

  1. Strategic metrics inform executive leadership and the board, focusing on business risk and program impact.
  2. Operational metrics support the CISO and security leadership in managing program performance.
  3. Tactical metrics guide day-to-day activities within the security team.

The three types of metrics are interconnected. Tactical data feeds operational insights, which roll up into strategic reporting. This hierarchy enables security leaders to translate granular activities into business-relevant outcomes and, conversely, trace executive-level metrics back to underlying drivers.

Step 2. Prioritize pragmatic, useful metrics

Once goals are defined, prioritize the relevant metrics that drive action. Metrics should provide clear evidence of change, particularly in user behavior, so teams can determine whether interventions such as training or policy updates are effective. Avoid tracking data points that lack context or fail to inform decision-making. Metrics that are disconnected from outcomes can introduce noise, be misinterpreted or incentivize counterproductive behavior. Retire or refine metrics that no longer add value.

Step 3. Implement data collection mechanisms

Reliable human risk management metrics depend on consistent and scalable data collection. Many organizations use dedicated platforms that integrate with existing security controls -- i.e., endpoint detection and response, data loss prevention, and identity and access management systems -- to capture behavioral signals. Insights gleaned include user activity, behavioral trends, identity attributes and data handling patterns.

Step 4. Report and communicate insights

Customize reporting for the intended audience at each level of the organization:

  • Executives and board members require strategic metrics that highlight business impact, risk exposure and progress in mitigation efforts.
  • Security leadership benefits from operational views that reveal program performance and opportunities for optimization.
  • Practitioners need tactical metrics to guide activities and execution.

Context is critical. Pair metrics with visualizations and narrative to clarify trends, highlight causality and support decision-making.

Step 5. Establish baselines and targets

Once data collection is in place, define baselines that reflect the organization's current state. This data is the foundation for setting realistic, incremental improvement targets tied to security activities -- such as reducing specific behaviors or improving adoption of security controls. Over time, improvements contribute to broader indicators, such as overall human risk scores or security culture maturity.

An image makeover for security

With cybersecurity threats evolving so swiftly, organizations cannot afford to rely on outdated security awareness programs that fail to address the root causes of human vulnerabilities. Human risk management offers a transformative approach, shifting the focus from mere awareness to actionable behavior change.

Budge said she expects human risk management to help CISOs improve security operations. "It solves a productivity and an image problem for security. Sending people this random training has not helped them. Whereas when you get really targeted at the right person at the right time at the right place, that changes the image of security completely."

Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.

Next Steps

How to perform a cybersecurity risk assessment in 5 steps

Cybersecurity risk management: best practices and frameworks

Dig Deeper on Risk management