Human risk
Building a human-risk score leadership trusts
Turn scattered signals — clicks, reports, training, real incidents — into one number you can report to the board and actually shrink over time.
Security leaders are increasingly asked a simple question: 'How risky are our people, and is it getting better?' A human-risk score answers it — if you build it on the right signals and keep it honest.
Why a single score
Boards don't want a spreadsheet of training completion rates. They want a trend line. A single, well-constructed score turns dozens of noisy signals into one number that's easy to communicate and, crucially, easy to hold a program accountable to.
What goes into it
- Phishing behaviour — click rates, report rates, and time-to-report.
- Training — completion, but weighted by recency and role risk.
- Real-world signals — actual reported threats and risky actions.
- Exposure — credentials found in breaches, privileged access, role sensitivity.
Make it trustworthy
A score is only useful if people believe it. Be transparent about how it's calculated, segment it by team so owners can act, and never use it to punish individuals — that just teaches people to hide risk. Tie it to interventions, then show the score moving as those interventions land.
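An added example (not from the article) of how the inputs listed above and the segmentation advice here can be turned into working code: per-person components for the four signal groups, a training term that decays with recency and is weighted by role risk, and a team-level roll-up that withholds segments too small to be anonymous, so the number goes to team owners rather than being pinned on individuals. The weights, the 180-day half-life, the minimum team size, the signal fields and the sample records are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
WEIGHTS = {"phishing": 0.35, "training": 0.20, "real_world": 0.20, "exposure": 0.25}  # assumed
TRAINING_HALF_LIFE_DAYS = 180  # assumed: a completion six months old counts half
MIN_TEAM_SIZE = 2              # assumed: smaller segments are withheld so nobody is singled out

@dataclass
class PersonSignals:  # one person's raw signals for the reporting period (assumed fields)
    team: str
    sims_sent: int                          # phishing simulations received
    sims_clicked: int
    sims_reported: int
    median_report_minutes: Optional[float]  # None when nothing was reported
    last_training: Optional[date]
    role_risk: float                        # 0..1, from role sensitivity
    reported_real_threats: int              # genuine reports to the security team
    risky_actions: int                      # policy/DLP violations observed
    breached_credentials: int               # credentials seen in breach data
    privileged: bool

def clamp(x): return max(0.0, min(1.0, x))
def components(p: PersonSignals, today: date) -> dict:  # each 0..1, higher = riskier
    if p.sims_sent:
        click, report = p.sims_clicked / p.sims_sent, p.sims_reported / p.sims_sent
        slow = 1.0 if p.median_report_minutes is None else clamp(p.median_report_minutes / 60)
        phishing = clamp(0.6 * click + 0.25 * (1 - report) + 0.15 * slow)
    else:
        phishing = 0.5  # never tested: unknown, so neutral rather than zero risk
    if p.last_training is None:
        training = 1.0
    else:  # recency decay, weighted up for sensitive roles
        freshness = 0.5 ** ((today - p.last_training).days / TRAINING_HALF_LIFE_DAYS)
        training = clamp((1 - freshness) * (0.5 + 0.5 * p.role_risk))
    real_world = clamp(0.3 + 0.2 * p.risky_actions - 0.1 * p.reported_real_threats)
    exposure = clamp(0.2 * min(p.breached_credentials, 2) + 0.3 * p.privileged + 0.3 * p.role_risk)
    return {"phishing": phishing, "training": training, "real_world": real_world, "exposure": exposure}
def person_score(p: PersonSignals, today: date) -> float:  # 0..100
    return 100 * sum(w * components(p, today)[k] for k, w in WEIGHTS.items())
def team_scores(people, today: date) -> dict:  # mean per team; small teams withheld
    by_team = {}
    for p in people:
        by_team.setdefault(p.team, []).append(person_score(p, today))
    return {t: round(sum(s) / len(s), 1) for t, s in by_team.items() if len(s) >= MIN_TEAM_SIZE}
TODAY = date(2024, 6, 30)  # constructed sample: two finance staff and one lone salesperson
SAMPLE = [
    PersonSignals("finance", 10, 0, 8, 15, date(2024, 5, 31), 0.8, 2, 0, 0, False),
    PersonSignals("finance", 10, 3, 1, 120, None, 0.8, 0, 2, 2, True),
    PersonSignals("sales", 0, 0, 0, None, date(2023, 12, 31), 0.2, 0, 0, 0, False),
]
```

Running `team_scores(SAMPLE, TODAY)` reports only the finance team; the single-person sales segment is dropped, and re-running with a later `today` shows the training term rising as completions age, which is the trend line the article asks you to report.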
Done well, a human-risk score becomes the spine of your awareness program: a number that focuses effort, proves progress, and gives leadership the confidence that human risk is being managed, not just hoped for.