What is Human Risk Management?
Human risk management (HRM) is a cybersecurity discipline focused on identifying, quantifying, and reducing the security risks that originate from human behavior. It evolved from security awareness training in recognition that compliance-based training alone is insufficient to address modern social engineering threats. Forrester formally renamed its "Security Awareness and Training" research category to "Human Risk Management" in 2024.
How HRM Differs from SAT
While security awareness training focuses on educating employees about threats, human risk management takes a broader approach: profiling individual employee exposure, continuously testing across all attack channels, providing per-person risk scores, and delivering immediate remediation. HRM treats human risk as a measurable, manageable variable - not a checkbox.
Why Human Risk Management Matters
The category shift from SAT to HRM reflects a fundamental recognition: knowing about threats isn't the same as being resilient to them. Organizations need to measure actual risk, not training completion. They need to test across real attack channels, not just email. And they need to connect human risk data to the broader security stack - feeding into SOC workflows, incident response, and IAM policies.
Frequently Asked Questions
Why did the category shift from Security Awareness Training to Human Risk Management?
Knowing about threats doesn't make people resistant to them. Organizations realized they needed to measure actual vulnerability to attacks, not just track training completion. Human Risk Management treats human risk as a quantifiable variable that can be managed, like technical risk.
What data does human risk management use?
Human risk management combines employee exposure data (public digital footprint), simulation performance across all attack channels (email, voice, SMS, help desk), internal access levels, and threat relevance to create per-employee risk scores.
How is human risk management measured?
Organizations track the percentage of employees in each risk tier, time-to-remediation after failed simulations, improvement in simulation pass rates, and reduction in employee-driven security incidents. The goal is measurable reduction in actual human risk.
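Added worked example (not code from the original page): the inputs listed under "What data does human risk management use?" are folded into a per-employee score, and the three measures named above (share of employees per risk tier, time-to-remediation after failed simulations, simulation pass rate per period) are computed from a constructed simulation log. The weights, tier cut-offs, employee profiles and simulation records are all assumptions made for the example; the page names the inputs but gives no formula.

```python
from datetime import datetime
from statistics import mean

# Assumed weights and tier cut-offs (the page gives none); every signal is 0..1.
WEIGHTS = {"exposure": 0.25, "fail_rate": 0.35, "access": 0.25, "threat": 0.15}
TIERS = [(0.66, "high"), (0.33, "medium"), (0.0, "low")]

# Constructed per-employee inputs: public digital footprint, internal access, threat relevance.
PROFILES = {
    "alice": {"exposure": 0.9, "access": 1.0, "threat": 0.8},
    "bob":   {"exposure": 0.3, "access": 0.4, "threat": 0.5},
    "carol": {"exposure": 0.1, "access": 0.2, "threat": 0.2},
}

# Constructed simulation log across the channels the page lists (email, voice, SMS, help desk).
SIMULATIONS = [
    {"employee": "alice", "channel": "email", "quarter": "Q1", "passed": False,
     "failed_at": "2024-03-04T09:00", "remediated_at": "2024-03-04T11:30"},
    {"employee": "alice", "channel": "voice", "quarter": "Q2", "passed": False,
     "failed_at": "2024-06-10T14:00", "remediated_at": "2024-06-11T14:00"},
    {"employee": "bob", "channel": "sms", "quarter": "Q1", "passed": False,
     "failed_at": "2024-02-20T08:00", "remediated_at": "2024-02-20T12:00"},
    {"employee": "bob", "channel": "help_desk", "quarter": "Q2", "passed": True},
    {"employee": "carol", "channel": "email", "quarter": "Q1", "passed": True},
    {"employee": "carol", "channel": "voice", "quarter": "Q2", "passed": True},
]

def fail_rate(employee, sims=SIMULATIONS):
    """Share of this employee's simulations that were failed, across all channels."""
    own = [s for s in sims if s["employee"] == employee]
    return sum(not s["passed"] for s in own) / len(own) if own else 0.0

def risk_score(employee, profiles=PROFILES, sims=SIMULATIONS):
    """Weighted sum of exposure, simulation failure rate, access level and threat relevance."""
    signals = {**profiles[employee], "fail_rate": fail_rate(employee, sims)}
    return round(sum(WEIGHTS[k] * signals[k] for k in WEIGHTS), 3)

def risk_tier(score):
    return next(name for cutoff, name in TIERS if score >= cutoff)

def tier_distribution(profiles=PROFILES, sims=SIMULATIONS):
    """Percentage of employees in each risk tier."""
    tiers = [risk_tier(risk_score(e, profiles, sims)) for e in profiles]
    return {t: round(100 * tiers.count(t) / len(tiers), 1) for t in ("high", "medium", "low")}

def mean_time_to_remediation_hours(sims=SIMULATIONS):
    """Mean hours between a failed simulation and its recorded remediation."""
    gaps = [(datetime.fromisoformat(s["remediated_at"]) - datetime.fromisoformat(s["failed_at"]))
            .total_seconds() / 3600 for s in sims if not s["passed"] and s.get("remediated_at")]
    return round(mean(gaps), 2) if gaps else None

def pass_rate(quarter, sims=SIMULATIONS):
    """Percentage of simulations passed in a given period, to track improvement over time."""
    q = [s for s in sims if s["quarter"] == quarter]
    return round(100 * sum(s["passed"] for s in q) / len(q), 1) if q else None
```

Comparing `pass_rate("Q1")` with `pass_rate("Q2")` gives the improvement figure the page describes; in production the same functions would read from the simulation platform's export rather than the constructed lists above.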
Who needs human risk management?
Any organization with people who have access to valuable systems or data. This includes financial services, healthcare, government, manufacturing, and any other industry where people can be targeted through social engineering.