For two decades, the answer to "the human side of security" was the same: awareness training. Run the modules, track completion, tick the box. It was a reasonable start. It is no longer enough – because awareness measures whether people were told, and the thing that actually keeps you safe is what they do.
The organisations pulling ahead have made a quiet but profound shift: from running awareness campaigns to running a human risk program. The difference is the difference between sending a memo and changing an outcome.
Awareness versus human risk managementLink to this section
| Awareness training | Human risk program | |
|---|---|---|
| Measures | Completion | Behaviour |
| Cadence | Annual event | Continuous |
| Audience | Everyone, identically | Targeted by actual risk |
| Success looks like | 100% completed | Fewer risky actions over time |
| When someone slips | They failed the quiz | They get help |
Same goal – fewer incidents caused by people. Completely different machine for getting there.
"Human error" is a design problem, not a character flawLink to this section
You've seen the statistic: the overwhelming majority of breaches involve a person. The usual conclusion – people are the weakest link – is both lazy and wrong. People are the largest attack surface, which is not the same thing. The same workforce that can click the bad link is also the sensor network that spots the scam, the AI tool's only sanity check, and the reason your controls work at all.
Treat your people as the problem and they'll hide their mistakes. Treat them as the control and they'll tell you when something's wrong.
The job isn't to shame the human out of the loop. It's to design the loop so the safe action is the easy one.
How a human risk program actually runsLink to this section
Identify the behaviours that carry riskLink to this section
Not knowledge – behaviour. Who clicks simulations, reuses passwords, ignores MFA prompts, ships data to unapproved tools, skips approvals when rushed. These are observable, and they're where incidents are born.
Segment by risk, not by org chartLink to this section
Most people are already low-risk and don't need more training; they need to be left alone. A small group accounts for most of the exposure. Find them and focus there – quietly, supportively, without a public leaderboard of shame.
Intervene in proportionLink to this section
Match the response to the risk. A nudge in the moment for a minor slip. A short, specific coaching session for a repeated one. Tighter technical guardrails where behaviour won't move on its own. The point is help, not punishment.
Measure the curve, not the certificateLink to this section
Track repeat-click trends, reporting rates, time-to-report, and whether risky actions drop after you intervene. A number that moves is worth more than a hundred completion percentages that don't.
The new behaviour on the list: working with AILink to this section
Human risk used to mean phishing, passwords, and data handling. Now it also means judgement around AI – knowing what not to paste into a chatbot, catching a confidently wrong answer, keeping a human accountable for AI-assisted work. Your people are the control plane for every AI tool you adopt, which makes their judgement more load-bearing than ever, not less.
Leadership sets the temperatureLink to this section
A human risk program lives or dies on culture, and culture is set at the top. If leaders treat a reported mistake as a near-miss to learn from, reporting goes up and incidents surface early. If they treat it as a failure to punish, everything goes underground and you find out about the breach from someone else. You can't buy that culture. You can only model it – starting with how you react the next time someone says "I think I messed up."