How Do You Actually Measure Human Risk In Your Business?

November 17 2025

If you can’t measure it, you can’t manage it. It’s a phrase we hear all the time in business, but it’s one that cyber security teams have struggled to apply to people, because the emphasis is usually on the technology stack rather than the staff who use it.

As someone working in cyber security day in and day out, my view is simple: the incidents you see in the headlines aren’t just enterprise problems. If you run or manage an SMB, they should be setting off alarm bells. This isn’t fearmongering; it’s reality. Smaller organisations often face the same threats as large corporations, but without the same budgets, visibility, or internal expertise. 

Even if you have the latest email filters, endpoint protection, and security policies in place, your biggest risk still clicks “open”. That’s because while technology behaves predictably, people don’t. You can configure a firewall, but you can’t configure someone’s judgment when a well-crafted phishing email lands in their inbox. And that’s where Human Risk lives. 

In this article, we’ll look at how to make Human Risk measurable, manageable, and actionable, so that you can quantify it, track it over time, and show the difference your efforts make.

What is Human Risk?

What exactly do we mean when we talk about Human Risk? In cyber security terms, it’s the risk that a person inside your organisation is the target of, or the cause of, a cyber incident. That might mean clicking on a phishing link, responding to a spoofed supplier email, or being manipulated through a convincing social engineering attempt. It’s any point where a person interacts with technology in a way that puts data, systems, or money at risk.

For years, this was the part of security that remained invisible. We could measure patch cycles, malware infections, and detection times, but a person’s behaviour is far harder to measure, let alone correct.

And that’s why so many organisations are still struggling today.  

Check out this article for a deeper dive into why your employees are your biggest security risk. 

Why So Many Organisations Still Get It Wrong 

Technology is predictable. Humans are not. You can spend months fine-tuning your security stack, but you still can’t predict how someone will react to an urgent email that looks like it’s from their CEO asking for a payment transfer. And because it’s so unpredictable, many organisations resort to the simplest solution they can manage: a once-a-year security awareness course. It checks the compliance box, but it doesn’t change behaviour or become company culture. 

By the time the next simulated phishing test comes around, the lessons are forgotten and the same mistakes are made again, often by the same risky users. The result? Cyber incidents keep happening, even in businesses that believe they’re well protected.

That's why measurement becomes so important: once you can quantify human behaviour, you can start to improve it.

How Is Human Risk Measured?

(Image: Human Risk Score Card)

So, how do you actually measure something as unpredictable as human behaviour?

Today, we can use data to make Human Risk visible. Consider a Human Risk Score: a practical way to see where your biggest risks lie and how they’re changing over time. 

That score is based on several key factors: 

  • Role and access level: People in finance or operations are naturally higher risk because of the data they handle. 
  • Tenure: The longer someone’s been in the business, the more access and exposure they typically have. 
  • Behavioural data: How users interact with phishing simulations, report suspicious messages, and engage with micro-learning. 
  • Device and login patterns: Whether users are working securely or taking risks with personal devices and shared networks. 

When you combine these data points, you start to see patterns. In addition to who’s making mistakes, you also get to understand why. 

Phishing simulations play a key role here. They show exactly how far down the funnel a user went: did they open the email, click the link, enter data, or report it? Month by month, you can see improvements, pinpoint weaknesses, and show measurable progress.
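To make the scoring concrete, here is an added, illustrative Human Risk Score model written for this article. It is not the author’s scoring model or any vendor’s product logic; the factor weights, funnel stage names, role categories and the three sample users are all constructed assumptions. It combines the four factors listed above (role and access, tenure, phishing-simulation behaviour, device and login hygiene) into one number per user per month, so that a trend and a ranked list can be produced from the same data.

```python
"""Illustrative Human Risk Score built from role/access, tenure,
phishing-simulation funnel data and device hygiene.

Constructed example for this article. The weights, stage names, role
categories and sample users are assumptions, not the author's model.
"""
from collections import defaultdict
from dataclasses import dataclass

# Deepest stage a user reached in a phishing simulation, weighted by how
# close it came to a real compromise (assumed weights).
FUNNEL_WEIGHTS = {"ignored": 0, "opened": 1, "clicked": 3, "submitted": 6}
REPORT_CREDIT = 2          # reporting the message offsets risky behaviour

# Role and access level: who can move money or reach sensitive data.
ROLE_WEIGHTS = {"finance": 3, "executive": 3, "operations": 2,
                "engineering": 2, "other": 1}


@dataclass(frozen=True)
class UserProfile:
    user: str
    role: str
    tenure_years: float
    managed_device: bool   # corporate-managed endpoint vs personal device
    mfa_enrolled: bool


@dataclass(frozen=True)
class SimulationEvent:
    user: str
    month: str             # e.g. "2025-09"
    stage: str             # a key of FUNNEL_WEIGHTS
    reported: bool


def exposure_score(profile: UserProfile) -> float:
    """Static exposure: impact if this person is successfully phished.
    Tenure adds up to 2 points (capped at ten years) because access tends
    to accumulate; an unmanaged device and missing MFA add 2 each."""
    role = ROLE_WEIGHTS.get(profile.role, 1)
    tenure = min(profile.tenure_years, 10) / 10 * 2
    device = 0 if profile.managed_device else 2
    mfa = 0 if profile.mfa_enrolled else 2
    return round(role + tenure + device + mfa, 2)


def behaviour_score(events) -> float:
    """Dynamic behaviour for one user in one month: funnel depth minus
    credit for reporting. Floored at zero so reporting cannot be banked
    to hide a later click."""
    total = 0.0
    for e in events:
        total += FUNNEL_WEIGHTS[e.stage]
        if e.reported:
            total -= REPORT_CREDIT
    return max(total, 0.0)


def human_risk_score(profile: UserProfile, events) -> float:
    """Exposure multiplies behaviour, so a finance user who submits
    credentials outranks a low-access user who does exactly the same."""
    return round(exposure_score(profile) * (1 + behaviour_score(events)), 2)


def monthly_trend(profiles, events):
    """{user: {month: score}} so a dashboard can show change over time.
    A month with no events for a user scores at bare exposure."""
    by_user_month = defaultdict(list)
    for e in events:
        by_user_month[(e.user, e.month)].append(e)
    months = sorted({e.month for e in events})
    return {p.user: {m: human_risk_score(p, by_user_month[(p.user, m)])
                     for m in months}
            for p in profiles}


def riskiest(profiles, events, month):
    """Users ranked by score for one month, highest first."""
    trend = monthly_trend(profiles, events)
    return sorted(((u, s[month]) for u, s in trend.items()),
                  key=lambda x: x[1], reverse=True)


# Constructed sample data: three users across two simulation rounds.
PROFILES = [
    UserProfile("alice", "finance", 8.0, True, True),
    UserProfile("bob", "engineering", 1.0, False, True),
    UserProfile("carol", "other", 3.0, True, False),
]
EVENTS = [
    SimulationEvent("alice", "2025-09", "clicked", False),
    SimulationEvent("alice", "2025-10", "opened", True),
    SimulationEvent("bob", "2025-09", "submitted", False),
    SimulationEvent("bob", "2025-10", "clicked", True),
    SimulationEvent("carol", "2025-09", "ignored", True),
    SimulationEvent("carol", "2025-10", "ignored", False),
]

if __name__ == "__main__":
    for user, months in monthly_trend(PROFILES, EVENTS).items():
        print(user, months)
    print("riskiest in 2025-10:", riskiest(PROFILES, EVENTS, "2025-10"))
```

Two design points worth noting. Exposure is a multiplier rather than an addend, so the same click costs more for someone who can authorise a payment than for someone who cannot; and the behaviour component is floored at zero, so a user cannot accumulate reporting credit to mask a later credential submission. In the sample data, bob drops from the riskiest user in September to a much lower score in October because he clicked but then reported, which is exactly the month-on-month movement the text says a score should make visible.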

(Image: Human Risk Dashboard Mockup)

And when you have that kind of visibility, human risk becomes a useful metric. 

What Happens If You Don’t Start Thinking About Human Risk

If you ignore Human Risk, it’s not a matter of if you’ll have an incident, but when. In 2025, with AI-powered attacks and increasingly convincing social engineering, someone in your organisation will eventually be targeted. It only takes one distracted click, one casual forward, or one urgent-sounding request to trigger a chain of events that costs time, money, and reputation. 

The good news is, this is one area of cyber security that’s completely within your control to improve if you start paying attention to it now. 

When Metrics Drive Change

Once you start measuring human behaviour, you’ll know where change is most needed. For example, we’ve worked with clients who discovered, through simulation data, that attackers posing as suppliers were tricking staff into switching communication channels, moving the conversation from email to WhatsApp or text. That insight led to immediate policy changes around communication and payment verification, and significantly reduced successful impersonation attempts.

This is the real value of Human Risk Management.

Instinct vs Data 

Of course, security isn’t only about dashboards and reports. Instinct still matters. One of the goals of Human Risk Management is to help people trust their instincts more. We want employees to feel confident saying, “Something doesn’t look right here.” But instincts alone won’t protect you. 

Data helps shape those instincts, turning gut feelings into informed decisions. For instance, phishing simulations might show that a user’s instinct told them an email was legitimate when it wasn’t. Over time, micro-learning and feedback help sharpen that instinct. Next time, they’ll spot the subtle clues they missed before. 

That’s how security culture evolves in organisations. Not through fear, but through repetition, reflection, and measurable improvement. And once that mindset takes root, the next question becomes: how do you scale it? 

(Image: Pro-tip: How Do You Actually Measure Human Risk)

The First Step: Get Visibility 

If you don’t know what’s going on, you can’t fix it. The first step in managing Human Risk is simply knowing where you stand. 

Start small by mapping out the basics: 

  • Which teams handle the most sensitive data? 
  • How often do they receive or respond to external requests? 
  • Do you have a clear process for reporting suspicious messages or verifying unusual requests? 

Even this basic visibility can uncover patterns you didn’t expect. 

To make that process easier, we’ve created a Human Risk Self-Assessment Checklist.

It’s a quick, practical self-assessment that helps IT managers and business leaders identify their biggest human risk gaps before investing in anything more advanced. 

And if you’d prefer a more guided approach, my team and I offer a Complimentary Cyber Security Risk Assessment. It’s designed to help you benchmark your current Human Risk Score and map out the next steps for improvement. 

Your Next Step Towards Measuring Human Risk

Human Risk isn’t something you can eliminate completely, but it is something you can understand, measure, and reduce. 

By now you should have a clearer picture of where Human Risk sits in your business. Use that awareness to decide carefully which actions to take first. And if you’d like a more expert-led view, our free assessment is there when you’re ready.

Callum Archer

Callum Archer specialises in cyber security solutions with a strong background in technology and a passion for helping businesses stay secure in an evolving digital landscape. Callum brings a practical, people-first approach to cyber risk management and regularly shares insights on cyber strategy, security as a service, and how businesses can align their tech and teams for stronger protection.
