01 July 2026
These 7 red flags reveal you're stuck in awareness rather than truly managing human risk
Awareness tells people things. HRM and SBM change what they do. These 7 signs show where you're stuck and how to prove real risk reduction.

CybSafe's CEO and founder Oz Alashe on the seven signs your program's stuck in awareness mode. And what to do about it.

For years, "security awareness" has been the catch-all label for anything to do with people in cybersecurity. But awareness is not an outcome. Awareness is simply a tactic.

If your goal is to reduce risk (and if it isn't, we've got a different problem), "awareness" on its own won't get you there.

What will close the gap is stuff like:

  • visibility into real behaviors
  • evidence of what works
  • systems that drive measurable change.

In other words, you need Human Risk Management (HRM), also referred to as Secure Behavior Management (SBM) depending on who you're speaking to. If awareness tells people things, HRM/SBM changes what they do. The human element still shows up in around 60% of breaches, so changing what people do is changing risk.

But how do you know if your program is still stuck in awareness?

Here are seven clear warning signs (and how to fix things).

1) Your idea of security behaviors focuses mainly on phishing instead of the full behavior landscape

If your idea of behavioral security starts and ends with phishing (click rates, report rates, data submission), you're managing a fraction of the problem.

Modern breaches stem from a wide range of behaviors:

  • Mishandling data
  • Poor password hygiene
  • Unsafe sharing
  • Misusing AI tools
  • Ignoring updates
  • Oversharing online.

HRM/SBM looks across the full landscape of behaviors. It identifies, measures, and influences the behaviors that actually drive risk, not just those that are easiest to simulate (yep, even the unglamorous patching stuff).

A simple shift: Map your top five risky behaviors beyond phishing, then tie each to one outcome metric you can track.

2) You're guessing what works instead of learning what works

Many awareness programs rely on intuition. They launch campaigns and hope they “raise awareness,” assuming that means progress and risk reduction.

Respectfully, this is total b*llocks (as we’d say in Blighty). 

HRM replaces guesswork with evidence. It uses behavioral science, data, and experimentation to understand what actually changes behavior. The question isn’t “was it engaging?” but “did it change behavior and reduce risk?”

A simple shift: Run a simple A versus B experiment on one behavior this month. Decide the outcome metric and the size of each group before you start, so a noisy difference isn't mistaken for an effect. Keep the variant that moves the number, and retire the other.

3) You default to "training and education" as your primary answer to behavioral security challenges

If your first response to a risky behavior is "send more training," you're still in awareness mode.

Education helps, but information alone rarely changes behavior. HRM explores why people behave the way they do. It looks at capability, motivation, and opportunity. And it designs interventions that make secure actions easier to take.

Sometimes that's training. Often, it's design, automation, or workflow change, all with the goal of making the secure path the easy path.

A simple shift: Diagnose "can't" (capability), "won't" (motivation), or "didn't notice" (opportunity) before you prescribe training. Each points to a different intervention, and only the first is reliably fixed by more information.

4) You don't really know which interventions work, or why

Level with me here: Can you, hand on heart, say which of your initiatives drive measurable change? No? Then I'm afraid you're not yet managing risk. You're just running activities.

HRM/SBM builds feedback loops. It measures outcomes, tests interventions, and learns what works for different audiences. Marketing and product teams iterate based on data, and security teams should too.

A simple shift: Add a one-line hypothesis and a success metric to every initiative and review each month.

5) You're primarily reporting training metrics and phishing metrics

Completion rates, click rates, report rates, and engagement scores show who participated. But they don’t show whether your organization is safer. 

In one NIST survey of US government programs, 84% used training completion rates, and 72% used phishing click rates as their primary measures of “effectiveness”. Classic vanity metrics.

HRM moves beyond vanity metrics. It focuses on behavioral and risk outcomes, like:

  • Fewer policy breaches
  • Fewer incidents
  • Fewer risky actions
  • More secure/positive actions

It proves that behavior change translates to risk reduction.

A simple shift: Try replacing one vanity metric on your dashboard with one outcome metric this quarter.

6) You report mostly inputs and outputs, rarely outcomes

If your dashboards track activities, like courses launched or messages sent, you’re measuring effort, not effect. Same goes for your reports upwards.

HRM focuses on outcomes. Did behavior change? Did incidents go down? Did that change reduce risk exposure? Shifting from counting inputs and outputs to tracking outcomes is the essence of maturing from awareness to human risk management/secure behavior management.

A simple shift: Pair each activity with the outcome it aims to move. If there’s no outcome, pause the activity.

7) You don't use the data and telemetry your organization already has to automate manual tasks

If your team spends hours chasing completions, exporting reports, or nudging people manually, you’re wasting valuable time on work that can be automated.

HRM/SBM connects to your existing data and tools to do that work for you. It uses telemetry to identify risk patterns, trigger interventions, and close feedback loops automatically. That frees teams to focus on strategy rather than a spreadsheet spiral. It also scales human risk management/secure behavior management across the organization.

A simple shift: Use one existing signal, like at-risk file sharing, to trigger a just-in-time nudge, then measure the change.
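Sign 2's A versus B experiment and sign 7's telemetry-triggered nudge are two halves of the same feedback loop, and the loop is small enough to sketch in code. What follows is an added illustration written for this page, not CybSafe's platform code or any vendor's API. It assumes a normalised file-sharing audit event (timestamp, user, recipient, sensitivity label), a single internal domain, a cohort assignment chosen before the experiment, and a placeholder `send_nudge` standing in for a real messaging channel. The sample events and their numbers are constructed.

```python
"""Telemetry-driven just-in-time nudge with a cohort-split outcome metric.

Added example for illustration only. The event schema, the INTERNAL_DOMAIN,
the COHORTS table and send_nudge() are assumptions, not a real integration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"           # assumed: the organisation's own domain
NUDGE_COOLDOWN = timedelta(days=7)        # assumed: at most one nudge per person per week
INTERVENTION_START = datetime(2026, 6, 15)  # baseline window before, experiment window after

# Assumed cohort assignment, fixed before the experiment. In production assign
# randomly and record the assignment; hard-coded here so the example is deterministic.
COHORTS = {
    "alice@example.com": "nudge",
    "dave@example.com": "nudge",
    "carol@example.com": "control",
}


def ev(ts, user, recipient, sensitivity):
    """Build one normalised sharing event (constructed sample data, not real logs)."""
    return {"ts": ts, "user": user, "recipient": recipient, "sensitivity": sensitivity}


# Constructed sample telemetry: two weeks of baseline, then two weeks of experiment.
EVENTS = [
    ev("2026-06-01T09:00:00", "alice@example.com", "bob@example.com", "confidential"),
    ev("2026-06-02T10:00:00", "alice@example.com", "partner@contoso.example", "confidential"),
    ev("2026-06-03T11:00:00", "carol@example.com", "friend@gmail.example", "public"),
    ev("2026-06-05T12:00:00", "carol@example.com", "vendor@contoso.example", "confidential"),
    ev("2026-06-08T13:00:00", "dave@example.com", "agency@contoso.example", "confidential"),
    ev("2026-06-10T14:00:00", "dave@example.com", "dave@example.com", "confidential"),
    ev("2026-06-16T09:00:00", "alice@example.com", "partner@contoso.example", "confidential"),
    ev("2026-06-17T09:00:00", "alice@example.com", "partner@contoso.example", "confidential"),
    ev("2026-06-18T09:00:00", "carol@example.com", "vendor@contoso.example", "confidential"),
    ev("2026-06-20T09:00:00", "alice@example.com", "bob@example.com", "confidential"),
    ev("2026-06-22T09:00:00", "dave@example.com", "agency@contoso.example", "confidential"),
    ev("2026-06-24T09:00:00", "dave@example.com", "dave@example.com", "confidential"),
    ev("2026-06-26T09:00:00", "carol@example.com", "vendor@contoso.example", "confidential"),
    ev("2026-06-28T09:00:00", "carol@example.com", "carol@example.com", "public"),
]


def recipient_domain(event):
    return event["recipient"].rsplit("@", 1)[-1].lower()


def is_risky(event):
    """The risk signal: a confidential file shared outside the internal domain."""
    return event["sensitivity"] == "confidential" and recipient_domain(event) != INTERNAL_DOMAIN


def send_nudge(event):
    """Placeholder for the real channel (chat, email, in-app prompt): returns the record sent."""
    return {
        "user": event["user"],
        "ts": event["ts"],
        "message": (f"You just shared a confidential file with {recipient_domain(event)}. "
                    "If that was intended, no action needed; if not, revoke the share."),
    }


def run_pipeline(events, start=INTERVENTION_START, cohorts=COHORTS):
    """Walk events in time order; nudge the 'nudge' cohort on risky shares after the
    intervention start (respecting the cooldown) and count shares/risky shares per
    window and, within the experiment window, per cohort."""
    last_nudge = {}
    nudges = []
    stats = defaultdict(lambda: {"shares": 0, "risky": 0})
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        window = "before" if ts < start else "after"
        cohort = cohorts.get(e["user"], "control")  # unknown users default to control
        risky = is_risky(e)
        keys = [window] + (["after:" + cohort] if window == "after" else [])
        for k in keys:
            stats[k]["shares"] += 1
            stats[k]["risky"] += int(risky)
        if not risky or window == "before" or cohort != "nudge":
            continue  # baseline observes only; control cohort is never nudged
        prev = last_nudge.get(e["user"])
        if prev is not None and ts - prev < NUDGE_COOLDOWN:
            continue  # inside cooldown: the signal still counts, the nudge is suppressed
        last_nudge[e["user"]] = ts
        nudges.append(send_nudge(e))
    return nudges, dict(stats)


def risky_share_rate(stats, key):
    """Outcome metric: fraction of shares in a window/cohort that were risky."""
    s = stats[key]
    return s["risky"] / s["shares"] if s["shares"] else 0.0


if __name__ == "__main__":
    nudges, stats = run_pipeline(EVENTS)
    print(f"nudges sent: {len(nudges)}")
    for key in ("before", "after", "after:nudge", "after:control"):
        print(f"{key:14s} risky share rate = {risky_share_rate(stats, key):.2f}")
```

The shape matters more than the numbers: the same event feed produces both the trigger and the outcome metric, the cohort split gives a comparison instead of a before/after guess, and the cooldown stops the nudge from becoming noise that people learn to ignore. With a handful of constructed events the difference between cohorts means nothing; on real telemetry, fix the metric and the sample size before the experiment starts, and only then decide which variant moved the number.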

But beyond the simple shifts, here's where the change needs to start

Most enterprise organizations are somewhere between awareness and HRM. The transition begins with a mindset change.

Stop asking "how do we make people care?" or "how do we make security stick?"

Start asking "how do we make risk visible, measurable, and manageable?"

That's the difference between awareness and human risk management/secure behavior management.

One raises awareness.

The other reduces risk.

Which, let's face it, is why we're all here.

To help make the shift easier we've written the Ultimate HRM guide, but to truly make it click, it pays to see HRM/SBM in action. You can book a demo to see how the CybSafe platform helps teams manage risk.

Did you find this useful? Join our Unfiltered Signals list for more insights.