Cybersecurity guru Bruce Schneier is often quoted as saying, “People are the weakest link in the security chain.” No more accurate words have ever been spoken about cybersecurity. You can spend millions of dollars on firewalls, endpoint security tools, access controls, and data encryption, but one employee can cause a catastrophic security breach simply by downloading a malicious file or clicking on a rogue link.
Industry research indicates that 70% to 90% of breaches result from employees succumbing to social engineering, making skills-based errors, sharing sensitive data with shadow IT services, or having a privileged account compromised. Oh, and things seem to be getting worse as adversaries adopt sophisticated AI-based attacks like deepfakes.
Of course, this problem is well known. As a countermeasure, organizations spent around $6 billion on security awareness training (SAT) in 2025. While some firms did so as a best practice, most did so to comply with industry or government regulations such as HIPAA (which requires a “security awareness and training program” for all workforce members per 45 CFR § 164.308), GDPR (Article 39(1)(b) tasks data protection officers with “awareness-raising and training of staff”), PCI DSS (requirement 12.6 mandates a formal program to make all personnel aware of cardholder data security), and many others.
Industry research indicates that SAT expenses will increase by an estimated 15% per year as organizations continue to invest in what Gartner calls “security behavior and culture programs.”
The security awareness training paradox
While security awareness training has become a CISO and HR staple, its efficacy remains questionable. Some organizations treat SAT as a checkbox exercise for regulatory compliance, with little regard for its value. Employees exacerbate this folly through “compliance theater,” clicking through tutorials as fast as possible to get them out of the way. Even studious employees suffer from the “forgetting curve,” a psychological model that illustrates how information is lost over time when there is no attempt to retain it.
In some cases, SAT can even be counterproductive: some studies find that employees who score highly on security awareness training become overly confident and complacent in their security behavior.
In my humble opinion, there’s a disillusioning situation here I call the security awareness training paradox. Despite regulatory compliance requirements and significant investment, SAT seems to deliver marginal benefits.
Clearly, SAT is broken — even with peripheral improvements like simulated phishing tools. So, what’s needed? Over the next few years, organizations should shift from static, sporadic security training to an emerging discipline called human risk management (HRM).
What is human risk management?
HRM is defined as a cybersecurity strategy that identifies, measures, and reduces the risks caused by human behavior. Simply stated, security awareness training is about what employees know; HRM is about what they do (i.e., their actual cybersecurity behavior).
To be more specific, HRM integrates into email security tools, web gateways, and identity and access management (IAM) systems to identify human vulnerabilities. Furthermore, it measures risk using behavioral data and pinpoints an organization’s riskiest users. HRM then seeks to mitigate these risks by applying targeted interventions such as micro-learning, simulations, or automated security controls. Finally, HRM monitors behavioral changes so organizations can track progress.
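The loop just described (collect behavioral signals from email, web and IAM tooling, score each user with recent behavior weighted more heavily than old, rank the riskiest users, and pick a targeted nudge) can be sketched in a few dozen lines. This is an added illustration, not code from any HRM vendor; the signal names, weights, half-life, thresholds and sample events are all constructed assumptions.

```python
"""Toy human-risk scoring over constructed behavioral events (added example)."""
from collections import defaultdict
from datetime import datetime

# Assumed weights per behavioral signal; negative values reward good behavior.
WEIGHTS = {
    "phishing_click": 30,            # from the email gateway
    "credential_submit": 50,         # from the web gateway
    "shadow_it_upload": 20,          # from the web gateway
    "mfa_denied_then_approved": 25,  # from IAM; a possible MFA-fatigue pattern
    "reported_phish": -15,           # user reported a suspicious email
    "completed_microlesson": -10,    # user finished a nudge lesson
}
HALF_LIFE_DAYS = 30  # an event's contribution halves every 30 days (forgetting-curve-style decay)

# Constructed sample events: (ISO date, user, signal, source system)
EVENTS = [
    ("2025-03-01", "alice", "phishing_click", "email_gateway"),
    ("2025-03-01", "alice", "credential_submit", "web_gateway"),
    ("2025-03-20", "alice", "completed_microlesson", "hrm"),
    ("2025-02-10", "bob", "shadow_it_upload", "web_gateway"),
    ("2025-03-25", "bob", "reported_phish", "email_gateway"),
    ("2025-03-28", "carol", "mfa_denied_then_approved", "iam"),
]


def risk_scores(events, as_of):
    """Sum time-decayed weights per user; returns {user: score}, floored at 0."""
    now = datetime.fromisoformat(as_of)
    totals = defaultdict(float)
    for ts, user, signal, _source in events:
        age_days = (now - datetime.fromisoformat(ts)).days
        totals[user] += WEIGHTS[signal] * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return {u: round(max(s, 0.0), 1) for u, s in totals.items()}


def riskiest(scores, n=2):
    """Return the n highest-scoring users, riskiest first."""
    return sorted(scores, key=scores.get, reverse=True)[:n]


def intervention(score):
    """Map a score to a targeted nudge (thresholds are assumptions)."""
    if score >= 50:
        return "step-up: manager review plus simulation"
    if score >= 20:
        return "micro-lesson nudge"
    return "none"


def plan(events, as_of):
    """One scoring pass: {user: (score, intervention)} for progress tracking."""
    return {u: (s, intervention(s)) for u, s in risk_scores(events, as_of).items()}
```

Re-running `plan` at a later date with the new events appended is the "monitor behavioral change" step: a user whose score falls after a nudge is evidence the intervention worked.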
There’s a misconception out there that HRM and SAT are different animals, so organizations interested in HRM must budget for both. Wrong. In fact, leading HRM solutions from vendors such as Fable Security, KnowBe4, and Mimecast offer HRM products chock full of standard SAT material. They even provide specific training support for regulatory compliance requirements.
Democratizing security training with AI
I know what you’re thinking. HRM sounds like the latest buzz term coined by the cybersecurity industry marketing glitterati. Yeah, kind of true, but generic HRM has an AI-based partner riding shotgun. And unlike general industry AI hype, there’s research and expert agreement that AI is well positioned to change education as we know it.
In his book Co-Intelligence: Living and Working with AI, University of Pennsylvania professor Ethan Mollick suggests that AI will deliver personalized learning at scale where AI acts as a “Socratic tutor” that “nudges” students toward excellence, provides simulations and role plays, and offers persona-based learning. In an HRM context, a “nudge” can be thought of as continuous micro-learning. A user clicks on a malicious link and is guided toward an appropriate security lesson aimed at reinforcing good hygiene and behavior.
Armed with AI, HRM will also understand each user’s learning habits and preferences. For example, Alice tends to learn best through written descriptions while Bob prefers watching videos. Leading HRM tools can also role play with users, gamifying cybersecurity training and playing on their competitive nature. Thus, HRM (with AI) has the potential to democratize expertise in a new and unique way.
From an ROI perspective, HRM offers a much more granular approach to cyber-risk mitigation than standard SAT. CISOs and HR managers can report on improved cyber hygiene and behavior, rather than on how many employees have been trained and passed generic tests. Repeat offenders are not only identified but also given personalized training tools and attention. Ultimately, HRM makes it possible to show a direct correlation between training and a reduction in actual security incidents.
To quote Aristotle, “We are what we repeatedly do. Excellence, then, is not an act, but a habit.” HRM is intended to personalize training to change behavior and habits. If Aristotle were a CISO, he’d surely see the logic in moving from generic SAT to HRM.