Human cyber risk is the probability that a person will make a security-relevant decision that creates exposure. It is governed by context, access, workload, and threat pressure, so it must be measured as an operational risk domain rather than treated as a training outcome alone.
Expanded Definition
Human cyber risk describes the chance that a person will take or miss a security-relevant action in a way that increases exposure. It covers more than error-prone behaviour: it includes deliberate bypasses, rushed approvals, weak verification, unsafe sharing, and decisions made under pressure. In practice, NHI Management Group treats it as an operational risk domain because the risk emerges from the interaction of access, context, workload, incentives, and attacker pressure, not from awareness training alone.
That distinction matters because the same employee can be low-risk in one situation and high-risk in another. A routine decision in a calm setting may become risky during incident response, travel, fatigue, or business urgency. Guidance in NIST Cybersecurity Framework 2.0 supports this risk-based view by tying protection outcomes to governance and risk management rather than to one-size-fits-all behaviour rules. The concept also intersects with identity and AI-enabled workflows when people approve access, trust machine-generated outputs, or rely on delegated agents.
The most common misapplication is treating human cyber risk as a synonym for “user mistakes,” which occurs when organisations ignore role pressure, access design, and threat conditions.
Examples and Use Cases
Implementing human cyber risk rigorously often introduces measurement and process overhead, requiring organisations to weigh faster workarounds against stronger decision controls and better visibility.
- A finance approver authorises a payment after receiving a convincing message that mimics a senior executive, showing how urgency and authority cues can override caution.
- A privileged administrator reuses a familiar exception path to restore service quickly, creating a gap between policy and actual behaviour.
- A help desk analyst resets access after incomplete identity verification because the queue is overloaded, which turns workload pressure into exposure.
- An employee accepts a large-language-model summary without validating source material, a pattern that becomes more relevant as organisations adopt agentic workflows and AI-assisted decision support.
- A security team tracks exposure spikes after major alerts using guidance from CISA cyber threat advisories, then adjusts controls for the roles most likely to be targeted.
Where AI systems are involved, the human decision point may be handing over trust to an automated recommendation rather than clicking a malicious link. For adversarial AI contexts, the MITRE ATLAS adversarial AI threat matrix is useful for thinking about how attacker pressure shapes operator behaviour around AI outputs.
Why It Matters for Security Teams
Security teams need this term because many incidents are not caused by a lack of policy, but by policy collapsing under real operating conditions. Human cyber risk becomes visible when access is too broad, verification is too slow, or staff are expected to make high-stakes decisions with poor context. That makes it relevant to governance, IAM, PAM, phishing resilience, and increasingly to NHI and agentic AI oversight, where a person may approve a secret, authorize a workflow, or accept an agent action without enough scrutiny.
Understanding the term helps teams move from generic awareness campaigns to targeted controls: just-in-time access, stronger approvals, workload-aware exceptions, and role-specific monitoring. It also supports better response design, because people under stress often make the same risky decisions repeatedly if the system offers no safer path. The most effective programs connect human behaviour to measurable exposure rather than to training attendance alone, and they align with the risk-based intent of NIST Cybersecurity Framework 2.0 while using threat intelligence from CISA cyber threat advisories to identify which behaviours are most likely to be pressured. Organisations typically encounter the operational cost of human cyber risk only after a phishing loss, a privileged misuse event, or a bad approval chain, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC, GV.RM, PR.AC | Frames human-driven exposure as a governance and access-risk issue. |
| NIST SP 800-63 | IAL/AAL/FAL | Identity assurance levels matter when human decisions depend on verification strength. |
| NIST AI RMF | GOVERN | AI governance addresses human oversight, accountability, and decision context for risky automation. |
| OWASP Agentic AI Top 10 | Agentic AI risks often arise when humans approve unsafe tool use or trust output without validation. | |
| OWASP Non-Human Identity Top 10 | Human actions often create or expose NHI secrets, tokens, and service access paths. |
Define human cyber risk owners, map exposure drivers, and tighten access decisions under governance and least privilege.