Susceptibility history

By NHI Mgmt Group Updated June 27, 2026 Domain: Governance, Ownership & Risk

A record of how a user has responded to prior phishing simulations or security prompts. It can help tailor training, but it is also sensitive behavioural data that should be restricted, audited, and retained only as long as it serves a defined awareness or risk-management purpose.

Expanded Definition

Susceptibility history is the record of how a user responds to prior phishing simulations, suspicious-link warnings, password reset challenges, or other security prompts. In NHI and workforce security programs, it is used as behavioural context, not as a standalone judgment of trustworthiness. That distinction matters because the data can improve targeting, but it can also become sensitive employee-monitoring evidence if collected too broadly or retained without purpose.

Usage in the industry is still evolving. Some programs treat susceptibility history as a training input for awareness coaching, while others fold it into risk scoring, campaign segmentation, or conditional friction. The safest interpretation is narrow: it should inform security education and awareness controls, not replace access governance or formal identity assurance. The NIST Cybersecurity Framework 2.0 supports this kind of risk-informed handling by tying telemetry to governance and continuous improvement, but it does not prescribe a universal retention model for behavioural records.

The most common misapplication is treating a single failed simulation as a permanent label, which occurs when teams use short-term campaign results to justify long-term profiling or punitive action.

Examples and Use Cases

Implementing susceptibility history rigorously often introduces privacy and labour-relations constraints, requiring organisations to weigh more targeted training against the cost of collecting and governing behavioural data.

  • A security team segments recurring phishing campaign participants into a tailored coaching track, using prior responses to choose message style, cadence, and follow-up support.
  • A help desk workflow flags users who repeatedly approve unexpected MFA prompts, so training can focus on prompt fatigue and verification habits rather than generic awareness content.
  • An awareness program retains simulation results only for a defined period, then aggregates them into anonymous trend reporting to avoid unnecessary exposure of personal performance records.
  • A fraud response team correlates susceptibility history with other signals, such as repeated credential resets or suspicious email engagement, to prioritise outreach after a suspected account takeover.
  • Behavioural context is compared against controls described in the Ultimate Guide to NHIs when organisations need to separate awareness telemetry from identity governance records.

Because the meaning of these records varies across vendors and internal policy models, organisations should document who can view them, why they are retained, and how they affect downstream decisions.

Why It Matters in NHI Security

Susceptibility history matters because it sits at the boundary between security improvement and behavioural surveillance. If it is overexposed, teams may create internal privacy risk, erode trust in awareness programs, or retain sensitive performance data long after it is useful. If it is underused, repeated user error can go unnoticed and phishing resilience remains flat. In NHI-adjacent environments, that matters because humans often remain the path attackers use to reach service accounts, tokens, and other secrets. NHIMG notes that the Ultimate Guide to NHIs reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which underscores how human-driven compromise can cascade into machine identity abuse.

Practitioners should treat susceptibility history as governed security telemetry: access-limited, retention-bound, and reviewed for purpose limitation. It should support coaching, trend analysis, and risk-informed awareness design, while avoiding automated punishment or permanent profiling. Used properly, it helps security teams target the right intervention to the right person at the right time.

Organisations typically encounter the operational impact only after a repeat click, repeated prompt approval, or account-takeover investigation, at which point susceptibility history becomes unavoidable to explain and remediate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | GV.RM-03 | Behavioural risk data should be governed as part of enterprise risk management. |
| NIST CSF 2.0 | PR.AT-01 | Awareness and training controls rely on user response data to improve outcomes. |
| NIST AI RMF |  | AI risk governance emphasizes data governance, transparency, and misuse prevention. |

Define retention, access, and use rules for susceptibility history within risk governance.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.