Insider Risk Management & Data Protection

    Evolving to human risk management

    From awareness to outcomes: why HRM is still the future of cybersecurity

    by Michael Rowinski

    Key Points

    • Most organizations run security training, but risky behaviors persist with just 8% of employees driving 80% of security incidents. The real gap is between knowing what's risky and actually changing behavior.
    • Human risk management focuses on identifying, quantifying, and reducing human-driven risk through four interconnected domains: culture, technology, compliance, and measurable outcomes.
    • With rising concerns around collaboration tool attacks and AI-driven data leaks, organizations need to address the human element with the same rigor they apply to technical defenses.

    Security awareness training has been a staple of cybersecurity programs for years. Most organizations run it, most employees complete it, and most compliance boxes get checked. But here's the uncomfortable truth: awareness alone isn't moving the needle. Insider threats, credential misuse, and human error now drive the majority of security incidents, and just 8% of employees are responsible for 80% of them. If training were enough, those numbers would look very different by now.

    The gap between knowing and doing is where organizations are most exposed. Employees may understand that clicking suspicious links is risky, but without the right culture, processes, and support systems in place, risky behaviors persist. That's why forward-thinking security leaders are shifting from traditional security awareness toward something more comprehensive: human risk management.

    What is human risk management?

    Human risk management (HRM) is a holistic approach to cybersecurity that goes beyond teaching people what threats look like. It focuses on identifying, quantifying, managing, and ultimately reducing the risk that human behavior introduces to an organization. Where traditional models stop at compliance or awareness, HRM centers on monitoring the behaviors of the users who pose the most risk and driving measurable outcomes through continuous improvement.

    Think of it this way: awareness tells people what to do. HRM builds the environment, the tools, and the feedback loops that help them actually do it, and then measures whether it is working.

    Why the shift matters now

    The threat landscape is evolving fast, and human-targeted attacks are evolving with it. According to Mimecast's The State of Human Risk 2026 report, 71% of organizations expect negative business impact from collaboration tool attacks this year, with 45% already experiencing increased cyberattacks on platforms like Teams, Slack, and Zoom. Meanwhile, 80% of organizations are concerned about sensitive data leaking through generative AI tools, and 60% still lack specific strategies to address AI-driven threats, even as 98% are already using AI in their defenses.

    The financial stakes are staggering. Organizations experience an average of six insider-driven incidents per month at an estimated cost of $13.1 million per incident, and 66% expect insider-related data loss to increase over the next year. Yet only 28% of organizations combine regular security awareness training with continuous monitoring for policy violations. That disconnect between awareness and action is precisely where breaches happen. The challenge isn't just about spending more. It's about spending smarter, and that means addressing the human element with the same rigor applied to technical defenses.

    The four domains of HRM

    Mimecast Human Risk Management provides a structured framework for organizations looking to make this shift. It organizes HRM capabilities across four interconnected domains:

    Culture is the foundation. This domain looks at how security behaviors, values, and expectations are woven into daily routines and team practices. It goes beyond training frequency to examine whether employees feel psychologically safe reporting mistakes, whether leadership visibly supports secure behaviors, and whether security is treated as a shared responsibility rather than an IT problem. A strong security culture is one where doing the right thing is simply how work gets done.

    Technology serves as the enabler. This domain assesses whether security tools are integrated across key business systems and whether behavior data is being collected, analyzed, and acted upon. At higher maturity levels, organizations use behavioral analytics and automation to deliver just-in-time interventions: timely nudges at the moment of risk rather than generic reminders delivered months after the fact.

    Cybersecurity compliance ensures that policies are not only documented but actively maintained, enforced, and adapted. This includes managing human risk introduced by third parties and vendors, automating compliance monitoring, and maintaining audit readiness. A full 91% of organizations face governance and compliance challenges, and 36% still rely on manual monitoring processes, creating inevitable bottlenecks as data volumes surge.

    Outcomes and measurement is where HRM proves its value. This domain tracks whether interventions are actually changing behavior and reducing incidents. It moves beyond vanity metrics like training completion rates to focus on meaningful indicators: reduction in human-related incidents, behavior change over time, and quantified business value from HRM investments.
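    The two quantitative ideas in this post, finding the small group of users who drive most incidents and measuring whether an intervention actually changed behavior, can be computed from an ordinary incident log. The script below is an added illustration, not Mimecast code or output from the report: the incident records, the headcount of 50, the intervention date, and the 28-day comparison window are all constructed for the example.

```python
"""Quantify human-driven risk from an incident log.

Added example (not Mimecast code). Two questions from the post:
  1. How concentrated is risk? Smallest set of users covering 80% of incidents.
  2. Did an intervention change behavior? Incident rate before vs. after.
All data below is constructed for illustration.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed sample log: (date, user, category). Categories mirror the post:
# phishing clicks, data-loss (DLP) violations, policy violations.
SAMPLE_EVENTS = [
    (date(2026, 1, 5), "u01", "phish_click"),
    (date(2026, 1, 7), "u01", "dlp_violation"),
    (date(2026, 1, 9), "u02", "phish_click"),
    (date(2026, 1, 12), "u01", "phish_click"),
    (date(2026, 1, 15), "u03", "policy_violation"),
    (date(2026, 1, 20), "u01", "dlp_violation"),
    (date(2026, 1, 22), "u02", "phish_click"),
    (date(2026, 1, 28), "u04", "phish_click"),
    # Assumed: targeted nudges sent to the top-risk users on 2026-02-01.
    (date(2026, 2, 3), "u01", "phish_click"),
    (date(2026, 2, 14), "u05", "policy_violation"),
    (date(2026, 2, 20), "u02", "dlp_violation"),
]
HEADCOUNT = 50              # constructed: people in scope, including those with zero incidents
INTERVENTION = date(2026, 2, 1)  # constructed intervention date


def incidents_per_user(events):
    """Count incidents per user."""
    return Counter(user for _, user, _ in events)


def risk_concentration(events, headcount, share=0.8):
    """Smallest group of users whose incidents reach `share` of all incidents.

    Returns (users, fraction_of_headcount, fraction_of_incidents). Users are
    ranked by incident count; ties are broken by user id so the result is
    deterministic. Users with zero incidents still count toward headcount.
    """
    if headcount <= 0 or not 0 < share <= 1:
        raise ValueError("headcount must be positive and 0 < share <= 1")
    counts = incidents_per_user(events)
    total = sum(counts.values())
    if total == 0:
        return [], 0.0, 0.0
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    covered, top = 0, []
    for user, n in ranked:
        top.append(user)
        covered += n
        if covered >= share * total:
            break
    return top, len(top) / headcount, covered / total


def window_rate(events, start, end, headcount):
    """Incidents per 100 people in the half-open window [start, end)."""
    n = sum(1 for d, _, _ in events if start <= d < end)
    return 100.0 * n / headcount


def before_after(events, intervention, window_days, headcount):
    """Compare equal-length windows on either side of the intervention.

    Returns (rate_before, rate_after, relative_change); a negative change
    means fewer incidents per 100 people after the intervention.
    """
    span = timedelta(days=window_days)
    before = window_rate(events, intervention - span, intervention, headcount)
    after = window_rate(events, intervention, intervention + span, headcount)
    change = (after - before) / before if before else 0.0
    return before, after, change


def cohort_counts(events, users, intervention):
    """Per-user (before, after) incident counts for a targeted cohort,
    so repeat offenders are visible rather than hidden in an average."""
    result = {u: [0, 0] for u in users}
    for d, user, _ in events:
        if user in result:
            result[user][0 if d < intervention else 1] += 1
    return {u: tuple(v) for u, v in result.items()}


if __name__ == "__main__":
    top, hc_frac, inc_frac = risk_concentration(SAMPLE_EVENTS, HEADCOUNT)
    print(f"{hc_frac:.0%} of people ({top}) account for {inc_frac:.0%} of incidents")
    before, after, change = before_after(SAMPLE_EVENTS, INTERVENTION, 28, HEADCOUNT)
    print(f"rate per 100 people: before={before:.1f} after={after:.1f} change={change:+.1%}")
    print("cohort before/after:", cohort_counts(SAMPLE_EVENTS, top, INTERVENTION))
```

    With the constructed log, three of fifty people account for nine of eleven incidents, and the incident rate drops from 16 to 6 per 100 people across the 28-day windows, but the per-user view shows two of the three targeted users still recurring. That last number is the kind of indicator the post has in mind: a completion rate would say nothing about it.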

    A journey, not a destination

    Mimecast HRM defines five maturity levels, from reactive and ad hoc at Level 1 to a fully resilient, predictive security culture at Level 5. Most organizations won't leap to the top overnight, and they don't need to. Mimecast HRM is designed for incremental progress: identifying where gaps exist, setting achievable goals, and building capabilities over time.

    What matters most is starting with an honest assessment. Where are your lowest scores? Those are likely the areas where focused investment will have the greatest impact. Progress in one domain often accelerates progress in others. Better technology provides better data for measurement. A stronger culture makes compliance and technology adoption more effective.

    Taking the next step

    Human risk management represents a fundamental shift in how organizations think about their people and security. It's not about blaming employees for clicking the wrong link. It's about building the systems, culture, and processes that make secure behavior the default, and proving it with data.

    The organizations that embrace this shift will be better positioned to manage risk proactively, demonstrate clear ROI to leadership, and build genuine resilience in an increasingly complex threat environment.

    Ready to find out where your organization stands and how it can benefit from Mimecast Human Risk Management? Request a demo today.

    All data points referenced in this post are sourced from Mimecast’s The State of Human Risk 2026 report.
