Moving From Security Awareness to Human Risk Management

As the digital landscape becomes increasingly treacherous, the traditional focus on “security awareness” is proving to be an outdated relic of a simpler era. Matilda Bailey, a specialist in networking and next-generation security solutions, argues that we are at a critical juncture where the human element must be managed as a dynamic risk rather than a static compliance checkbox. With cybercrime losses reaching staggering new heights, Bailey advocates for a shift toward Human Risk Management (HRM)—a data-driven strategy that prioritizes actual behavior change over the hollow satisfaction of training completion rates. By integrating behavioral signals from core technical systems and tailoring interventions to specific roles, organizations can finally address the root causes of vulnerabilities.

This conversation explores the fundamental shift from awareness to behavior, the integration of advanced security telemetry to capture human risk, and the practical steps leaders can take to transform security from a punitive hurdle into a proactive business enabler.

While traditional completion rates suggest a secure perimeter, breaches continue to rise alongside billions in financial losses. How do you identify specific high-risk behaviors like improper data handling or weak password usage, and what steps do you take to turn these observations into real-time interventions?

The hard truth is that an employee sitting through a mandatory video once a year does very little to stop a sophisticated social engineering attack. We have to look at the data provided by the FBI, which shows a staggering $20.877 billion in financial losses due to cybercrime—a 397% increase over just five years. To identify high-risk behaviors, we move away from “awareness” and toward active “detection,” which involves monitoring whether users are actually utilizing their VPNs or if they are attempting to email highly classified information to external accounts. When we see a user consistently failing to use strong passwords or bypassing security protocols to finish a task faster, we don’t just put them on a list for more generic training. Instead, we trigger “nudges”—real-time, helpful interventions that pop up at the exact moment the risky behavior occurs, explaining the danger and providing the correct path forward. This turns a potentially catastrophic human error into a teachable moment that reinforces the security posture without the friction of a formal classroom setting.

Human-enabled cybercrimes, including business email compromise and phishing, now account for significant global losses. How do you distinguish between tactical, operational, and strategic metrics when reporting to the board, and which specific data points best demonstrate a reduction in actual business risk?

When I speak to the board, I have to translate technical noise into the language of business risk, especially since human-enabled activities like business email compromise and phishing cumulatively cost companies roughly $3.3 billion. At the tactical level, we look at the day-to-day data points, such as how many phishing attempts were caught by users versus how many were reported to the security operations center. Operational metrics then take that data and help the CISO manage program performance, looking at trends in behavioral improvement across different departments or regions. The most critical layer is the strategic one, where we present the board with a high-level view of how our human risk management efforts are reducing the company’s overall exposure. Rather than showing them training completion percentages, which are essentially irrelevant to risk, we show them the reduction in successful unauthorized data transfers or the measurable increase in the speed of threat detection by the workforce.

Moving toward human risk management requires a significant shift in technology and strategy. How do you integrate endpoint detection and identity management systems to capture behavioral signals, and what challenges arise when trying to establish a baseline for an organization’s security culture?

This shift is not just “Security Awareness 2.0”; it is a fundamental re-engineering of our technical stack to prioritize the human signal. We integrate tools like Endpoint Detection and Response (EDR), Data Loss Prevention (DLP), and Identity and Access Management (IAM) to create a holistic view of how an employee interacts with the network. For example, if an IAM system shows a login from an unusual location followed immediately by a DLP alert for sensitive file movement, that is a behavioral signal we can act on. The primary challenge in establishing a baseline is that security culture is often invisible until something goes wrong, making it difficult to measure the “starting point” of human risk. We have to start by defining what “normal” looks like for different roles and then use that data to set realistic, incremental targets for improvement. It requires a lot of technical heavy lifting to ensure these systems talk to each other, but without that integration, you are essentially flying blind.
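The IAM-then-DLP correlation Bailey describes, worked through as an added example (not code from the interview or from any product she refers to): a small Python correlator over constructed IAM and DLP events that flags a sensitive file movement preceded, within a short window, by a login from a country outside the user's baseline, and turns the hit into the kind of in-the-moment nudge mentioned earlier. The event schema, the per-user baseline table, the 15-minute window and the nudge wording are all assumptions for illustration.

```python
"""Correlate IAM login and DLP file-movement events into a behavioral risk signal.

Added illustration, not the interview's own tooling. Event fields, the
baseline table, the window length and the nudge text are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed baseline: countries each user normally logs in from. In practice this
# would be learned per role from historical IAM data, not hand-written.
BASELINE_COUNTRIES = {
    "alice": {"US"},
    "bob": {"US"},
    "dave": {"US", "DE"},
    "eve": {"US"},
}

# Constructed sample telemetry, already normalised to one shape
# (timestamp, user, source system, event kind, attributes).
RAW_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "iam", "login", {"country": "US"}),
    ("2024-05-01T09:05:00", "alice", "dlp", "file_move",
     {"classification": "confidential", "destination": "internal_share"}),
    ("2024-05-01T11:00:00", "bob", "iam", "login", {"country": "RO"}),
    ("2024-05-01T11:03:00", "bob", "dlp", "file_move",
     {"classification": "confidential", "destination": "personal_email"}),
    ("2024-05-01T13:00:00", "carol", "dlp", "file_move",
     {"classification": "public", "destination": "personal_email"}),
    ("2024-05-01T14:00:00", "dave", "iam", "login", {"country": "DE"}),
    ("2024-05-01T14:02:00", "dave", "dlp", "file_move",
     {"classification": "confidential", "destination": "personal_email"}),
    ("2024-05-01T15:00:00", "eve", "iam", "login", {"country": "BR"}),
    ("2024-05-01T16:30:00", "eve", "dlp", "file_move",
     {"classification": "confidential", "destination": "personal_email"}),
]

SENSITIVE_CLASSES = {"confidential", "restricted"}      # assumed labels
EXTERNAL_DESTINATIONS = {"personal_email", "usb", "public_cloud"}  # assumed
WINDOW = timedelta(minutes=15)                            # assumed window


@dataclass
class Event:
    ts: datetime
    user: str
    source: str
    kind: str
    attrs: dict


def load_events(raw):
    """Parse the raw tuples and return events in time order."""
    events = [Event(datetime.fromisoformat(ts), u, s, k, a) for ts, u, s, k, a in raw]
    return sorted(events, key=lambda e: e.ts)


def is_unusual_login(e, baseline):
    """IAM login from a country not in the user's baseline (unknown user: everything is unusual)."""
    return (e.source == "iam" and e.kind == "login"
            and e.attrs.get("country") not in baseline.get(e.user, set()))


def is_sensitive_move(e):
    """DLP file movement of a sensitive classification, to any destination."""
    return (e.source == "dlp" and e.kind == "file_move"
            and e.attrs.get("classification") in SENSITIVE_CLASSES)


def correlate(events, baseline=BASELINE_COUNTRIES, window=WINDOW):
    """One signal per sensitive DLP move that follows an unusual login of the
    same user within `window`. Logins older than the window are discarded."""
    recent_logins = defaultdict(list)
    signals = []
    for e in events:
        if is_unusual_login(e, baseline):
            recent_logins[e.user].append(e)
        elif is_sensitive_move(e):
            recent_logins[e.user] = [l for l in recent_logins[e.user] if e.ts - l.ts <= window]
            if recent_logins[e.user]:
                login = recent_logins[e.user][-1]
                external = e.attrs.get("destination") in EXTERNAL_DESTINATIONS
                signals.append({
                    "user": e.user,
                    "login_ts": login.ts,
                    "login_country": login.attrs.get("country"),
                    "move_ts": e.ts,
                    "classification": e.attrs.get("classification"),
                    "destination": e.attrs.get("destination"),
                    # external destination: stop the action and explain; internal: warn only
                    "action": "block_and_explain" if external else "warn",
                })
    return signals


def nudge(signal):
    """Nudge text shown at the moment of the risky action (assumed wording)."""
    verb = "This transfer has been held" if signal["action"] == "block_and_explain" else "Heads up"
    return (f"{verb}: you signed in from {signal['login_country']} at "
            f"{signal['login_ts']:%H:%M} and are moving a {signal['classification']} file to "
            f"{signal['destination']}. If this is you, use the approved sharing workflow; "
            f"if not, report it to the SOC now.")


if __name__ == "__main__":
    for s in correlate(load_events(RAW_EVENTS)):
        print(s["action"], "->", nudge(s))
```

With the 15-minute window only bob is flagged: alice moves a confidential file but from a known location, dave's German login is in his baseline, carol's file is public, and eve's sensitive move comes 90 minutes after her unusual login. Widening the window to two hours catches eve as well, which is the tuning knob the baselining work in the answer above is meant to inform.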

Scheduled annual training often fails to address the specific risks posed by senior staff or those with high-level access. How do you customize nudges and policy interventions for these specific roles, and what metrics prove that this targeted approach is more effective than mandatory checkbox programs?

Senior leaders are often the most targeted individuals in an organization because they hold the “keys to the kingdom,” yet they are also the most likely to view generic training as a distraction from their high-pressure roles. We customize our approach by acknowledging their specific risk profile—such as their access to sensitive financial data or strategic intellectual property—and delivering interventions that are brief, context-aware, and highly relevant. If a senior executive is targeted by a deepfake or a sophisticated spoofing attempt, the intervention should focus on the specific indicators of that threat rather than basic password hygiene. The metrics that prove this works are found in the “detection quality” and the “reduction of security friction” for these high-value targets. When we see a measurable drop in successful social engineering attacks against our leadership team, despite an increase in the volume of attempts, we know that targeted, behavior-based management is outperforming the old checkbox model.

Security programs often suffer from a negative internal image when they are seen as punitive or disruptive. How do you design interventions that are helpful rather than punishing, and can you share a step-by-step process for using data to improve both security posture and employee productivity?

To fix the image problem, security must stop being the “department of No” and start being a partner in safe productivity. We design interventions that feel like a “safety net” rather than a “handcuff,” ensuring that when a user makes a mistake, the system helps them correct it instantly rather than reporting them for punishment. My five-step process starts with defining goals that align with the business, such as reducing risk avoidance or improving detection quality. Next, we prioritize pragmatic, useful metrics that drive actual change, followed by implementing data collection mechanisms that link our security controls directly to user behavior. The fourth step is to report these insights with context, using visualizations that tell a story of improvement rather than just listing failures. Finally, we establish baselines and targets so that every employee can see their progress, which builds a culture of proactive risk management and actually makes people more confident—and thus more productive—in their digital workflows.

What is your forecast for human risk management?

I forecast that within the next few years, the concept of “security awareness training” as a standalone, annual event will completely vanish, replaced by continuous, automated Human Risk Management platforms that are as foundational to the CISO as a firewall. We are moving toward a future where security is woven into the very fabric of the employee experience, using AI and real-time telemetry to predict and prevent human error before it manifests as a breach. This shift will finally allow security leaders to move away from the “policing” mindset and toward a role where they are enabling the workforce to navigate a hostile digital world with total confidence. Ultimately, HRM will be the bridge that closes the gap between technical security measures and the unpredictable reality of human behavior, transforming employees from the weakest link into the most effective line of defense.
