Human risk management: Moving from awareness to action
PART 1
Introduction: Why this matters
One challenge that’s been poorly addressed for decades is:
How do we manage the cybersecurity risks associated with people?
The answer isn’t “awareness.” It never really was.
The cybersecurity industry has long acknowledged the importance of the human aspect. But the way it’s been tackled (usually through training, communications, and phishing simulations) hasn’t meaningfully reduced risk.
It’s not important what the new approach is called. You’ll hear people talk about human risk management (HRM). That’s fine. But this isn’t a war won by simply settling on the correct terminology.
What matters is impact.
The focus is on designing interventions that actually change behavior.
The goal is to validate whether those behaviors reduce risk.
And the challenge is helping security teams do more with less, by automating what can be automated and measuring what truly matters.
This guide breaks down how we got here, why the old approach isn’t working, what’s driving the shift to HRM, and what it means for cybersecurity professionals today.
It’s structured across ten sections, so whether you’re just getting started with HRM or sharpening your approach, you’ll find insights, guidance, and practical next steps to take away and make waves in your org, your way.
Sound good? Let’s get started.
PART 2
What is security awareness, and why is it not enough?
The origin story
While the concept of educating users about security risks has been present since the early days of computing, the explicit use of the term “security awareness” in formal documentation and legislation began to solidify in the late ’80s, when it became clear that people – not just tech – played a big role in keeping systems secure. The 1987 US Computer Security Act made awareness training mandatory for federal staff, and NIST followed up with guidance to help organizations do it properly. That’s when awareness really became “a thing” in cybersecurity.
The early response was logical:
“If people are part of the problem, let’s educate them.”
So, the field of “security awareness” was born.
It focused on raising awareness of cyber risks through training, internal comms, and phishing simulations. These programs were largely driven by compliance requirements:
- check the box
- prove you told your staff what phishing is
- move on
And that’s still the shape of most programs today.
The flawed assumption
Security awareness was built on a deeply ingrained (and deeply flawed) assumption:
“If we raise awareness, people will behave more securely.”
It sounds reasonable. But as research (including articles like “Cyber Security Awareness Campaigns: Why do they fail to change behaviour?”) has shown, knowing isn’t doing.
You can understand a risk, be aware of the right action to take, and still behave insecurely in the moment.
Why?
Because behavior is complex. It’s influenced by habits, social norms, mental models, time pressure, convenience, emotion, environment, system design. Not just knowledge.
So if your entire strategy is just “raise awareness”, you’re leaving behavior to chance, and risk too.
What security awareness actually looks like in practice
The majority of security awareness teams spend most (if not all) of their time:
- Building or buying training content
- Running phishing simulations
- Writing internal communications
There’s nothing wrong with these things. But they are tools, not a strategy.
And they rarely extend to managing the full range of behaviors that contribute to cyber risk.
Even when awareness teams want to do more, they often can’t. The job has been narrowly defined, and expectations are low. They’re tasked with content production, not risk management.
The measurement gap
To make things worse, the metrics used to track “success” are often surface-level:
- Training completion rates
- Engagement scores
- Phishing click and report rates
- Sentiment or feedback from learners
These are sometimes called “vanity metrics”. That might sound harsh, but the term highlights an uncomfortable truth:
High engagement doesn’t equal low risk.
Someone can enjoy the training, ace the quiz, even report a phishing email…and still behave insecurely the next day.
Because awareness doesn’t guarantee behavior change. And behavior change doesn’t guarantee risk reduction.
If behavior doesn’t change in the right ways, your risk remains the same, no matter how slick your training program was.
The credibility problem
This is why security awareness, while seen as important, isn’t seen as valuable or credible by many security leaders.
It’s underfunded compared to other security domains.
It’s often led by non-technical professionals who aren’t seen as peers by the rest of the security team.
And it’s perceived (rightly or wrongly) as the “soft” side of security.
All this, despite the fact that every security leader agrees the human aspect is a big deal.
Because when most people think of “security awareness,” they think of:
- Training
- Comms
- Phishing sims
And that’s just not enough.
PART 3
What is HRM? And what is it not?
Let’s be clear:
At CybSafe, we’re not precious about the term human risk management.
It’s helpful shorthand to describe a more modern, data-driven, outcome-focused approach to tackling human cyber risk.
The label matters way less than the impact.
What matters is the shift in mindset and method.
So while “HRM” is the term gaining traction, it’s the approach that counts.
HRM is not a rebrand of security awareness
Some argue HRM is just security awareness training (SAT) with better marketing.
It’s not. And if it is, it’s not worth doing.
The entire point of HRM is to move beyond awareness and into measurable behavior change and risk reduction. It demands different thinking, different tooling, and different metrics.
HRM means managing human risk the same way we manage other risks
As security professionals we already manage risk across devices, networks, cloud infrastructure, third parties. We do this by using telemetry, controls, automation, and data.
So, why would we treat human risk differently?
HRM applies the same principles:
- Visibility: Understand which behaviors are risky, who is exhibiting them, and why.
- Intervention: Guide people at the point of risk with context-aware nudges, training, or system changes.
- Automation: Use technology to apply fixes, reduce workload, and scale efforts.
- Measurement: Track whether your interventions work, and adjust accordingly.
It’s not about blaming people.
It’s about managing the risks associated with human behavior. Just like we do with every other part of the digital environment.
HRM uses different data, tools, and metrics
To do this, HRM relies on:
- Behavioral telemetry (from tools like M365, DLP, identity systems, etc.)
- Behavioral taxonomies (like SebDB) to map behaviors to risk outcomes
- Automation platforms to deliver personalized interventions across channels (Slack, Teams, email, browsers)
- Risk-focused metrics (not just engagement or completions)
It’s not “awareness with bells on.”
It’s a completely different layer of the security stack. One focused on behavior, not just belief.
So what isn’t HRM?
Let’s be crystal clear.
HRM is not:
❌ A monthly phishing simulation
❌ A library of training videos
❌ A one-off awareness campaign
❌ A compliance tick-box
❌ A “rebrand” of the same old approach
HRM is:
✅ A risk-oriented, data-driven, behavior-focused discipline
✅ A strategy that uses science and automation to reduce cyber risk associated with people
✅ A scalable, adaptive function that integrates across the tech stack
In short:
HRM is not a new name for security awareness.
It’s a new approach to solving a different, far more urgent, problem.
PART 4
What’s the difference between SAT and HRM?
Some people see SAT (security awareness training) and HRM (human risk management) as two sides of the same coin.
They’re not.
They may both deal with people. But the what, how, and why are completely different.
SAT is about awareness. HRM is about outcomes.
SAT is rooted in training and comms.
The goal is to make people aware of risks and policies.
It’s typically compliance-driven.
It’s usually delivered on a schedule.
It’s often one-size-fits-all.
HRM is about managing cyber risk.
The goal is to change the behaviors that matter, and prove that change reduces risk.
It’s outcome-driven.
It’s continuous and responsive.
It’s personalized, data-led, and automated.
SAT relies on assumptions. HRM relies on evidence.
SAT is about delivering content.
HRM is about designing interventions.
SAT teams spend their time building or delivering training content and running phishing simulations.
HRM teams orchestrate behavioral interventions using telemetry, automation, and measurement. That might include training, but it’s one tool among many.
A side-by-side comparison
| | Security awareness training (SAT) | Human risk management (HRM) |
| --- | --- | --- |
| Primary goal | Educate and inform | Change behavior and reduce risk |
| Core activity | Training, comms, phishing simulations | Behavior tracking, real-time interventions, automation |
| Driver | Compliance | Security outcomes and operational impact |
| Measurement | Completion rates, quiz scores, report rates | Behavior change, incident reduction, control effectiveness |
| Approach | Broadcast, static, periodic | Personalized, adaptive, continuous |
| Tooling | LMS, phishing platforms | Telemetry, behavior engines, automation, workflow orchestration |
| Value proposition | We told people the right thing to do | We helped people do the right thing at the right time |
The key point
SAT is a tactic.
HRM is a strategy.
SAT has its place, especially for compliance. But if that’s your only move, you’re stuck hoping for behavior change.
HRM, by contrast, is about designing for it.
And measuring it.
And improving it over time.
It’s not just a different set of tools. Rather, it’s a fundamentally different way of managing human cyber risk.
PART 5
Why has there been a transition from SAT to HRM?
The shift from security awareness training to human risk management has not happened overnight.
It has been driven by real-world pressures: executive teams, regulators, overburdened security teams, and an evolving threat landscape that demands more than awareness.
The reason is simple.
Security leaders need more than engagement metrics. They need results.
Here is why the shift is happening, and why it is not going away.
Security leaders want stronger evidence of risk reduction
CISOs must justify their security investments.
It is no longer enough to say, “We trained everyone.” They need to show how people’s behavior changed, and how that change reduced risk.
SAT has never been able to do this effectively.
HRM provides the telemetry, analytics, and automation needed to connect human behavior to real risk reduction.
Exec leadership increasingly expects business-aligned outcomes
Boards and execs don’t really care how many phishing emails were reported.
They care about:
- Whether you’re reducing the chance of a ransomware attack
- Whether human error is causing compliance breaches
- Whether critical business processes are protected
They want security investments that deliver measurable, operational impact.
Done properly, HRM delivers that.
Regulators are tightening expectations
Compliance used to be about checking boxes.
Now, frameworks and regulations like NIST CSF, DORA, and ISO 27001 ask tougher questions:
- Can you demonstrate the effectiveness of your human controls?
- Can you measure and improve security behaviors over time?
- Can you provide evidence of reduced risk?
“Awareness” alone doesn’t cut it anymore.
The tech stack now supports it
A few years ago, tracking human behavior at scale was almost impossible.
Now it’s not.
- Security tools give us real-time data on how people work, access, share, and respond.
- Identity platforms, productivity suites, and EDRs provide telemetry on the human layer.
- No-code automation platforms can respond instantly with tailored interventions.
The tools have caught up with the ambition.
The threat landscape has evolved
Human-related threats have multiplied:
- Deepfakes and AI-powered social engineering
- MFA fatigue and push bombing
- Password reuse and credential stuffing
- Shadow SaaS and helpdesk exploits
- Remote work vulnerabilities
Traditional SAT isn’t built to handle these.
You can’t train your way out of sophisticated, fast-changing, socially engineered threats.
You need real-time risk insight and scalable intervention.
Security teams are under pressure
Security teams are stretched thin.
They don’t have time to manage training rollouts, update comms plans, and chase engagement metrics.
They need:
- Automation
- Orchestration
- Risk insight
- Tools that reduce noise, not add to it
HRM is attractive because it doesn’t just reduce people risk.
Done right, it reduces workload.
Bottom line
The shift from SAT to HRM is not about buzzwords.
It’s about necessity.
SAT isn’t being replaced because it was wrong.
It’s being upgraded because it wasn’t enough.
PART 6
What’s with the explosion of HRM companies all of a sudden?
No doubt there’s something of a (gold?) rush happening.
Over the last 12–18 months, a wave of vendors has jumped on the “human risk management” bandwagon. Many vendors that used to sell phishing simulations or training content are now rebranding without fundamentally changing their approach.
Some are doing little more than a find-and-replace exercise on their homepages and brochures, swapping out “awareness” for “HRM”.
It’s not surprising.
Where attention goes, vendors follow.
But here’s the problem:
Much of what’s being sold as HRM today… isn’t.
Same wine. New bottle.
Many of the companies now claiming to “do HRM” are still doing the same things they’ve always done:
- Off-the-shelf training libraries
- Simulated phishing campaigns
- Monthly reporting on click rates, report rates and completion scores
But now they’re throwing in a few buzzwords:
- A dash of “AI”
- A sprinkle of “behavioral science”
- A redesigned dashboard with risk scores (that aren’t tied to anything real)
It’s brochureware. Not real change.
They’re selling awareness dressed up as something new.
That creates confusion in the market and makes it harder for buyers to spot what’s actually different.
Why this matters for security teams
HRM is not a buzzword or a rebrand.
It is a discipline that must be built on real behavioral insight, measurable impact, automation, and scientific validation.
Simply calling a program HRM does not make it so.
Security teams need more than surface-level metrics. They need solutions that reduce risk, prove it, and scale with the complexity of modern threats.
That is the standard security teams should expect, and demand.
PART 7
The three schools of thought around HRM
Even among security professionals who accept the term human risk management, there’s no single, agreed-upon definition.
And that’s fine. It’s a new and evolving space.
But if you’re working in this domain, it’s helpful to understand the three broad schools of thought that have emerged.
A: “HRM is nothing new”
This view says HRM is simply a new name for what security awareness has always been:
- Training
- Comms
- Phishing simulations
- “Security culture” initiatives
People in this camp believe everything currently described as HRM can (and should) sit under the umbrella of security awareness.
New term, same field.
Key belief:
“We’ve been doing HRM all along, we just didn’t call it that.”
Our take:
This position ignores the growing demand for demonstrable outcomes, behavior-based risk metrics, and real-time, tech-enabled interventions. If HRM is just a rebrand of SAT, we’ve learned nothing.
B: “HRM is a modest shift”
This is probably the most common (and arguably least offensive) view.
This school of thought views HRM as a natural extension of security awareness. A modest shift rather than a radical change.
It’s not just a rebrand, but it’s not a fundamental overhaul either.
In this view, HRM builds on SAT by:
- Taking a more intentional approach to behavior change
- Adding in more measurement and personalization
- Possibly layering in some automation and analytics
But it still sees SAT as the core, with HRM simply making it more effective.
Key belief:
“HRM is awareness done better. More targeted, more measurable, more modern.”
Our take:
This mindset is an improvement, but it risks underestimating how much needs to change. It keeps SAT at the center, when the real opportunity is to move beyond awareness as the foundation.
C: “HRM is fundamentally different”
This camp sees HRM as a new discipline entirely, where it’s not an evolution of awareness, but a pivot to a different way of managing risk:
- Rooted in behavioral telemetry
- Integrated across the security stack
- Focused on automation, orchestration, and control validation
- Measured against security and business outcomes (not engagement metrics)
In this view, SAT and HRM are two different things.
SAT = compliance & education
HRM = behavior & risk management
Key belief:
“If you’re not using data, telemetry, and automation to manage human risk, it’s not HRM.”
Our take:
This is the sharpest, most disruptive position. And it’s one we increasingly align with at CybSafe. But it’s not about gatekeeping. It’s about clarity. If HRM is going to be useful, it needs to mean something different (and better) than what came before.
Why this matters
When you’re talking to customers, prospects, or even colleagues in the industry:
- Don’t assume you’re speaking the same language
- Ask questions to understand their perspective
- Meet them where they are, but help them see what’s possible
Understanding these schools of thought helps us educate, differentiate, and lead the conversation, not just follow it.
PART 8
Awareness is an input. HRM is the system.
Security awareness is valuable, but it’s not the destination.
It’s an input into a larger system for managing human cyber risk.
Most security programs today still rely on awareness tactics:
- Training modules
- Simulated phishing
- Internal comms campaigns
These help inform people. They raise consciousness. They tick compliance boxes.
But here’s the problem:
Awareness doesn’t automatically lead to behavior change.
And behavior change doesn’t always lead to risk reduction…unless you design for it, measure it, and intervene at the right time.
That’s where human risk management comes in
HRM is a system, not a set of activities.
It connects awareness inputs with behavioral data, automation, and real-time feedback loops to actually manage risk.
Here’s how it works:
| Input | System function | Outcome |
| --- | --- | --- |
| Training content | Behavioral telemetry | Risk-prioritized targeting |
| Phishing simulations | Automated interventions | Behavior correction at point of risk |
| Comms and videos | Scientific behavior models | Increased adoption of secure practices |
| Awareness scores | Analytics and outcome metrics | Evidence of control effectiveness |
Why this matters for security and risk leaders
Security and risk executives really don’t care about how many emails were sent or how many people completed training.
They care about:
- Which risky behaviors have been reduced
- How quickly emerging risks are detected and addressed
- Whether human risk is decreasing, and how much
A true HRM system gives them that:
- Visibility into behavior-linked risk
- Confidence that interventions are timely and effective
- Evidence for internal reporting, regulatory audits, and board conversations
- Scalability through automation, not headcount
Bottom line
Security awareness is a tactic.
HRM is an intelligent system that transforms that tactic into tangible security outcomes.
If you only invest in awareness, you’re investing in inputs with no feedback loop.
If you invest in HRM, you’re investing in a system that closes the loop, and proves it works.
PART 9
Using technology to be more human, not less
Data, automation, and AI are not just about making things faster or more efficient.
They enable something far more important: the ability to understand people’s behavior at scale, respond in real time, and build security programs that are both effective and human-centered.
They help us scale human connection with intelligence.
The human aspect of cybersecurity has often been seen as too messy, too unpredictable, too “soft” to manage properly. So teams fall back on a never-ending drumbeat of more training, more education, or over-engineered, unrealistic policies. But with the right technology, we don’t have to choose between scale and empathy.
Data lets us understand people better, not just track them
Behavioral data isn’t about surveillance. It’s about insight and effective action.
It helps us understand how people really work. Their habits, their friction points, their context.
This understanding makes it possible to design interventions that are not only more effective, but more respectful.
It is how security shifts from blanket messaging to precision guidance.
From nagging everyone to nudging the right person at the right time.
Automation reduces noise, so humans can do what humans do best
Every automated touchpoint should be designed to create space, not fill it.
By automating repetitive, reactive tasks, security teams free up time to:
- Build trust with stakeholders
- Have meaningful conversations
- Design systems that work for people, not against them
It’s not about replacing human relationships but about protecting them from operational overload.
AI and intelligent systems unlock what was never possible before
AI isn’t just a faster way to do what security teams have always done.
It gives you superpowers. It gives you the ability to:
- Detect risk signals in real time
- Adapt dynamically to each user’s behavior
- Personalize security at scale
- Learn what works (and what doesn’t) and optimize continuously
It means every security experience can be tailored, contextual, and meaningful, without burning out your team or overwhelming your people.
The difference lies in the details
This is not about using automation to de-personalize.
It’s not about using data to monitor.
It’s not about using AI to replace anyone.
It’s about using all of it to build a smarter, more human approach to cybersecurity—where:
- People get what they need, when they need it.
- Security adapts to the person, not the other way around.
- Trust is built into every touchpoint.
- And security teams have the tools to drive real, measurable impact—without losing the human relationships that matter most.
That is the opportunity ahead.
PART 10
As a cybersecurity professional, what are the key takeaways for me?
Security awareness generally assumes people-related system vulnerability stems primarily from knowledge, understanding, interest or motivation.
HRM recognizes that education and training alone may not influence behavior. Without behavior change, there is no risk reduction. HRM focuses on behavioral metrics, risk analytics, and the automation needed to support people, not just educate them.
It leads with the questions:
- Which risk outcomes should we focus on?
- What are the human-related vulnerabilities in our systems?
- Which of these vulnerabilities present a risk worth addressing?
- Where do they come from?
- What can be done to reduce those risks to an acceptable level?
You don’t need to memorize definitions.
You don’t need to defend the term HRM.
The important thing is understanding the shift that is happening in cybersecurity, and why it matters.
The name doesn’t matter. The approach does.
Call it human risk management, human layer security, behavioral security, or something else entirely. The terminology does not matter as much as the outcomes.
What matters is this:
- The old “awareness” model is not delivering results.
- The future of managing human cyber risk lies in measurable, outcome-driven, data-led behavior change.
- Security teams need the infrastructure, intelligence, and tools to make this future possible (which is why CybSafe exists).
Security awareness is a tactic. Not a strategy.
Awareness has a role to play, especially for compliance. But it should never be the end goal.
Awareness on its own is not risk reduction.
Knowing something doesn’t mean doing it.
And doing something once doesn’t mean doing it when it matters.
Our job is to help security teams move from informing people to influencing behavior, reliably, repeatedly, and measurably.
The pressure on security teams is real
CISOs want evidence of impact.
Security teams need automation.
Boards want outcomes.
Regulators need proof.
Against all this, “educating users” is far from enough.
Security teams need to:
- Reduce incidents
- Validate control effectiveness
- Respond to risk signals in real time
- Make security more human and more scalable
That is a fundamentally different goal than simply training users.
The CybSafe platform is purpose-built for this future
Everything we do ties back to helping security teams like yours manage human risk with intelligence and precision:
- We map behaviors to risk outcomes using SebDB
- We validate interventions through scientific experimentation
- We measure real behavior change, not just sentiment
- We integrate across the security stack and deliver automated, personalized interventions
- We orchestrate risk reduction, and we do it at scale, in context, and in real time
This approach sets a new benchmark for managing human cyber risk.
Our goal is redefining what good looks like
We are not here to follow industry trends. We are here to lead, by raising expectations, by setting a higher standard, and by showing what is possible when security leaders stop settling for “awareness” and start demanding results.
CybSafe is not simply building a product.
We are shaping a new standard for how human cyber risk is managed.
That’s the vision we are shaping at CybSafe.
Come with us.
Here are four actions you can take today to shift towards HRM
- How AI is Transforming Human Risk Management in Cybersecurity: Explore how AI is reshaping human risk management in this webinar, from predictive insights to personalized interventions.
- How to Talk Like a Human Risk Manager: A webinar to help you build your credibility by mastering the language of risks, threats, and vulnerabilities.
- Read the blog Maturing SA&T Programs into human risk management Strategies: The Why, The How, and the Expert Wisdom to get the full story behind why SAT isn’t enough and how HRM changes the game.
- See a leading HRM platform in action: Learn how CybSafe’s HRM platform can help your organization reduce risk, build resilience, and embed human risk management across your security program.