Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Human cyber risk management: why awareness training is not enough


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Security awareness programs often track completions and simulation failures instead of reducing risky behavior, while phishing, vishing, and smishing succeed by exploiting workload, role, access, and time pressure, according to Proofpoint. The real gap is treating human behavior as a governed risk domain, not a compliance task, because resilience depends on measurable controls, context, and intervention.

NHIMG editorial — based on content published by Proofpoint: human cyber risk, awareness training, and resilience management

Questions worth separating out

Q: What fails when awareness training is treated as the main human risk control?

A: Training fails as a primary control when organisations mistake completion for resilience.

Q: Why do targeted phishing campaigns still work against mature organisations?

A: Targeted phishing works when the attacker is quiet, context-aware, and able to use legitimate credentials or trusted workflows after initial access.

Q: How can security teams measure whether human resilience is actually improving?

A: Measure behavioural outcomes, repeat susceptibility, and the reduction of risky actions in high-value cohorts.

Practitioner guidance

  • Replace completion KPIs with outcome metrics Track whether risky behaviours, escalation events, and repeat susceptibility are falling in the cohorts that matter most, not just whether training was completed.
  • Segment human risk by role and privilege Build profiles that combine access level, business function, and threat targeting so privileged users, approvers, and support staff receive different safeguards and review frequency.
  • Add verification controls for high-impact requests Require stronger checks for payment changes, MFA resets, and access approvals that are common social engineering targets.

What's in the full article

Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:

  • The maturity model progression from obligation training to resilience, including how each level changes governance ownership and control design.
  • Examples of how behavioural intelligence can be used to tailor interventions for different roles, access levels, and exposure patterns.
  • The relationship between human resilience management and enterprise risk oversight, including how to report outcomes beyond simulation rates.
  • The vendor's framing of where awareness programmes tend to plateau and what an integrated operating model needs to replace them.

👉 Read Proofpoint's analysis of human cyber risk and resilience management →

Human cyber risk management: why awareness training is not enough?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Human cyber risk only becomes manageable when organisations treat it as a governed control domain. Proofpoint's argument is strongest where it rejects the idea that completion metrics equal risk reduction. In practice, a resilient programme needs exposure-based oversight, not just education. That makes the problem closer to IAM governance than to communications or compliance alone. Practitioner conclusion: measure and govern human risk as an enterprise control, not a training output.

A question worth separating out:

Q: Who should be accountable for human cyber risk in an organisation?

A: Accountability should sit with the risk owners who control access, workflow design, and user exposure, not with awareness teams alone. Human cyber risk crosses IAM, PAM, security operations, and business process ownership. Governance works when the people responsible for decisions also own the controls that reduce the likelihood and impact of social engineering.

👉 Read our full editorial: Human cyber risk is outgrowing awareness training programs



   
ReplyQuote
Share: