By NHI Mgmt Group Editorial Team
Published 2026-03-17
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Researchers from the University of Chicago and UC San Diego found most corporate training programs do little to reduce phishing risk, while Verizon’s 2025 DBIR links the human element to roughly 60% of breaches and Abnormal AI’s new scoring model shifts teams from click-rate proxies to behavioural measurement. The real assumption breaking here is that completion and click metrics can stand in for actual preparedness.


At a glance

What this is: This is an analysis of why conventional phishing awareness training and click-rate metrics are failing, and how behaviour-based human risk measurement changes the governance model.

Why it matters: It matters because IAM and security teams need defensible, measurable ways to govern human susceptibility, especially when social engineering remains a dominant breach path across broader identity programmes.

By the numbers:

👉 Read Abnormal AI's analysis of AI-native human risk management and phishing scoring


Context

Human risk management is the practice of measuring and reducing the likelihood that people will be manipulated into unsafe security behaviour. In this article’s framing, the problem is not training volume but the governance model behind it: static simulations and completion rates do not tell leaders whether the workforce is actually less vulnerable to phishing, BEC, or vendor fraud.

That gap matters to IAM and security programmes because social engineering is still a reliable entry path into enterprise identity ecosystems. When attackers exploit trust relationships rather than technical flaws, security awareness becomes part of identity governance, not just a training exercise.


Key questions

Q: How should security teams measure phishing risk beyond click rates?

A: Use layered behavioural signals instead of a single click metric. Track opens, credential submissions, replies, and tactic-specific susceptibility over time so you can segment risk by role and scenario. That gives security teams a more defensible basis for coaching, reporting, and board conversations than completion rates or one-off campaign results.

Q: Why do BEC and vendor fraud simulations matter for IAM programmes?

A: They test whether employees will act on a fraudulent request inside a real business workflow, which is where many identity and approval failures surface. IAM programmes should care because those attacks exploit trust, not just email hygiene. Simulations that mirror actual approval paths expose process weaknesses that generic phishing templates miss.

Q: What do security teams get wrong about phishing awareness training?

A: They often assume broad training completion equals reduced risk. In practice, awareness content is only useful if it changes behaviour in the moments that matter. Teams should evaluate whether training reduces susceptibility in the roles and scenarios most likely to be targeted, not whether everyone finished the same module.

Q: How can organisations tell if human-risk management is working?

A: Look for downward trends in behavioural susceptibility, improved performance in realistic simulations, and better targeting of coaching to higher-risk groups. If the programme only reports attendance or click rates, it is measuring activity, not security improvement.


Technical breakdown

Why click-rate metrics fail as a security control

Click rates reduce a complex behavioural problem to a binary outcome. That makes them easy to report, but weak as a control signal, because phishing susceptibility is influenced by context, role, prior exposure, and the realism of the lure. A better model uses layered signals such as opens, credential submission, reply behaviour, and tactic-specific susceptibility to build a risk profile over time. That shifts the question from whether an employee clicked once to how likely they are to fall for a given attack pattern under realistic conditions.

Practical implication: replace campaign pass-fail reporting with continuous behavioural scoring that can be trended, segmented, and acted on.

How BEC and VEC simulations mirror real fraud paths

Business email compromise and vendor email compromise work because they do not depend on malware, links, or technical exploit chains. They use relationship data, business context, and urgent language to trigger action from a legitimate employee. Text-only simulations are therefore closer to the real threat than traditional phishing templates, because they test whether people will respond to a fraudulent request that looks operationally normal. This is especially relevant where finance, procurement, and executive assistants sit close to high-value workflows.

Practical implication: include text-only fraud simulations in training programmes for roles that process approvals, payments, and vendor changes.

What AI-native human risk management changes in practice

AI-native human risk management uses behavioural data to personalise coaching and reduce manual campaign administration. The technical shift is from periodic, one-size-fits-all exercises to continuous signal collection and targeted intervention. That does not make the process autonomous in the identity sense; it remains a governance system for human behaviour. The value is in replacing broad assumptions about workforce readiness with evidence about who is at risk, which tactics are working, and where follow-up is needed.

Practical implication: use adaptive coaching to target higher-risk cohorts instead of repeating the same annual training for everyone.
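To make the three implications above concrete, the Python below is an added illustration (not Abnormal AI's scoring model and not code from the original article) that contrasts a click-rate proxy with a layered, weighted susceptibility score, trends both across campaign windows, and selects coaching cohorts by role or tactic. The signal weights, the 0.3 coaching threshold and the simulation events are all constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Illustrative weights (an assumption for this example, not a vendor's model): the
# deeper the engagement with a lure, the more weight the outcome carries.
WEIGHTS = {"none": 0.0, "open": 0.1, "click": 0.4, "reply": 0.7, "credential_submit": 1.0}

# One simulation result; outcome is the most severe action taken (a WEIGHTS key).
SimEvent = namedtuple("SimEvent", "employee role tactic outcome campaign")

def click_rate(events):
    """Legacy proxy: share of recipients who clicked a link (a credential submission
    implies a click). Replies to text-only BEC lures are invisible to this metric."""
    clicked = sum(1 for e in events if e.outcome in ("click", "credential_submit"))
    return round(clicked / len(events), 3)

def susceptibility(events, key):
    """Mean weighted outcome per group; key is "role", "tactic" or "employee"."""
    total, count = defaultdict(float), defaultdict(int)
    for e in events:
        total[getattr(e, key)] += WEIGHTS[e.outcome]
        count[getattr(e, key)] += 1
    return {k: round(total[k] / count[k], 3) for k in total}

def trend(events, score):
    """Apply a scoring function per campaign window, oldest first, to show movement."""
    windows = defaultdict(list)
    for e in events:
        windows[e.campaign].append(e)
    return {c: score(evs) for c, evs in sorted(windows.items())}

def coaching_cohorts(events, key, threshold=0.3):
    """Groups whose susceptibility exceeds the threshold, highest risk first."""
    scores = susceptibility(events, key)
    return sorted((k for k, s in scores.items() if s > threshold), key=lambda k: -scores[k])

# Constructed sample data: two campaign windows, three roles, three tactics.
EVENTS = [
    SimEvent("alice", "finance", "bec_text_only", "reply", 1),
    SimEvent("bob", "finance", "bec_text_only", "open", 1),
    SimEvent("carol", "engineering", "link_phish", "click", 1),
    SimEvent("dave", "engineering", "link_phish", "none", 1),
    SimEvent("erin", "procurement", "vendor_invoice", "credential_submit", 1),
    SimEvent("frank", "procurement", "vendor_invoice", "open", 1),
    SimEvent("alice", "finance", "bec_text_only", "open", 2),
    SimEvent("bob", "finance", "bec_text_only", "reply", 2),
    SimEvent("carol", "engineering", "link_phish", "none", 2),
    SimEvent("dave", "engineering", "link_phish", "none", 2),
    SimEvent("erin", "procurement", "vendor_invoice", "reply", 2),
    SimEvent("frank", "procurement", "vendor_invoice", "none", 2),
]
```

On this data the click rate falls from 0.333 to 0.0 between windows, which would read as a fixed problem, while the finance cohort's BEC susceptibility stays at 0.4 because a reply to a text-only lure never registers as a click.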



NHI Mgmt Group analysis

Click-rate training is a proxy that has outlived its governance value: Measuring phishing readiness by who clicked or completed a module was always a simplification, and it now obscures more than it reveals. The underlying assumption was that a narrow simulation outcome could represent operational resilience. That assumption breaks when adversaries use varied, context-aware social engineering that does not map cleanly to a single click event. The implication is that human-risk governance has to move from attendance metrics to behavioural evidence.

Text-only fraud simulations are the right test for relationship-based attacks: BEC and VEC succeed because they exploit trust, timing, and business process familiarity rather than malicious payloads. That makes them a better benchmark than attachment-led phishing for teams that manage approvals, vendor onboarding, and payment workflows. The field should stop treating social engineering as a generic awareness problem and start treating it as a control-testing problem across business processes.

Behavioural scoring is a more defensible human-risk model than annual training completion: Risk segmentation, susceptibility by tactic, and trend analysis give leaders something they can manage over time. This is closer to identity governance than awareness theatre because it creates an evidence trail that boards can question and security teams can act on. Practitioners should expect human-risk programmes to be judged on measurable reduction, not content consumption.

Human risk management now sits inside the broader identity security conversation: Once social engineering is understood as an identity problem, the boundary between IAM, security awareness, and fraud prevention becomes much thinner. That convergence matters because the same trust relationships used in workforce identity are exploited in BEC, vendor impersonation, and account takeover. Practitioners should align human-risk measurement with identity controls rather than leave it isolated in training operations.

From our research:

  • The human element, including social engineering, error, or misuse, is involved in approximately 60% of breaches, according to Verizon DBIR.
  • That is why identity and awareness programmes cannot stop at completion metrics if the organisation wants measurable reduction in exposure.
  • For a broader NHI lens on how identity failures compound across machine and human contexts, see 52 NHI Breaches Analysis.

What this signals

Human-risk programmes are becoming part of identity governance, not a standalone training activity. When social engineering drives a large share of breaches, the question shifts from how many employees completed training to which workflows remain easiest to manipulate. Security leaders should expect boards to ask for evidence of behavioural change, not module counts.

Behavioural scoring is the named concept that matters here: it turns opens, replies, credential submissions, and tactic-specific susceptibility into a control signal rather than a vanity metric. That matters because the same measurement logic can be extended into vendor fraud, executive impersonation, and approval-path abuse across the identity stack.

With 52 NHI Breaches Analysis showing how identity failures compound across the stack, the human side of identity risk should be managed with the same discipline as machine access and privilege. That means tighter segmentation of coaching, clearer accountability for high-risk workflows, and reporting that connects behaviour to breach reduction.


For practitioners

  • Replace binary phishing metrics: Track opens, credential submission, reply behaviour, and tactic-specific susceptibility so security teams can see how risk changes by employee and by scenario.
  • Build role-specific simulations: Use manager, finance, procurement, and vendor-facing scenarios that reflect the actual requests those teams receive in daily operations.
  • Prioritise follow-up by risk segment: Focus coaching on cohorts with elevated behavioural risk instead of sending the same remediation content to the full workforce.
  • Treat human-risk data as governance evidence: Present trend lines and segment comparisons to executive stakeholders so the programme can be evaluated on measurable reduction rather than training completion.

Key takeaways

  • Phishing awareness programmes that rely on completion rates and click rates are measuring activity, not resilience.
  • Behavioural scoring gives security teams a more defensible way to identify who is actually vulnerable to phishing, BEC, and vendor fraud.
  • The practical move is to align human-risk measurement with identity governance so coaching, reporting, and escalation are based on real risk signals.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework, control / reference, and relevance:

  • NIST CSF 2.0, PR.AT-1: Training effectiveness depends on whether users actually change behaviour.
  • NIST Zero Trust (SP 800-207), PR.AC-4: Social engineering exploits trust assumptions in access and approval paths.
  • NIST SP 800-63: Human identity assurance and phishing resistance remain relevant to workforce risk.

Use stronger identity assurance and phishing-resistant practices where human access is high risk.


Key terms

  • Human Risk Management: Human Risk Management is the practice of measuring and reducing the likelihood that employees will make unsafe security decisions under real attack conditions. It goes beyond awareness training by using behavioural evidence, role context, and trend analysis to target coaching where it will change outcomes.
  • Phishing Risk Scoring: Phishing Risk Scoring is a behavioural measurement method that assigns risk based on how a person interacts with simulated or real phishing cues. It is more useful than click-rate reporting because it can combine opens, replies, credential submissions, and tactic-level susceptibility into one governance view.
  • Business Email Compromise: Business Email Compromise is a fraud pattern where attackers impersonate trusted people or entities to trigger payments, data sharing, or process changes. It often succeeds without malware or links because the attacker is exploiting business context, trust, and urgency rather than technical weakness.
  • Vendor Email Compromise: Vendor Email Compromise is a social engineering attack that targets relationships with suppliers or external partners to redirect payments or obtain sensitive information. It matters because it exploits routine business workflows and can bypass suspicion when the message matches normal procurement or account-management behaviour.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: AI-powered human risk management and phishing risk scoring. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org