Published on: 2025-10-30

Intelligence Report: Remove Ambiguity Measure Human Risk Management Metrics That Matter – Forrester.com

1. BLUF (Bottom Line Up Front)

The intelligence suggests a critical shift in human risk management (HRM) metrics from traditional compliance-based measures to those emphasizing behavioral change and risk reduction. The most supported hypothesis is that adopting HRM metrics that focus on actual behavior change will significantly enhance security outcomes. Confidence level: Moderate. Recommended action is to prioritize the development and implementation of metrics that align with strategic security goals and demonstrate tangible risk reduction.

2. Competing Hypotheses

1. **Hypothesis A**: The transition to HRM metrics focused on behavioral change will lead to substantial improvements in security posture and risk reduction.
2. **Hypothesis B**: The focus on HRM metrics emphasizing behavioral change will face significant resistance and may not yield the expected improvements due to entrenched reliance on traditional metrics like training completion rates.

Using Analysis of Competing Hypotheses (ACH), Hypothesis A is better supported by the intelligence due to the emphasis on the inadequacy of current metrics and the push for metrics that demonstrate real-world impact on security.

3. Key Assumptions and Red Flags

– **Assumptions**: It is assumed that behavioral change metrics can be accurately measured and will directly correlate with risk reduction. Another assumption is that organizations are willing to shift from traditional metrics to new HRM metrics.
– **Red Flags**: Potential resistance from organizations due to the complexity of measuring behavioral change and the entrenched nature of current metrics. There is also a risk of insufficient data to support new metrics.

4. Implications and Strategic Risks

The shift towards HRM metrics focused on behavioral change could lead to a paradigm shift in security practices, potentially reducing cyber threats. However, failure to adopt these metrics could result in continued reliance on ineffective measures, leaving organizations vulnerable. The economic implications include potential cost savings from reduced breaches, while psychological impacts involve changing organizational culture towards proactive risk management.

5. Recommendations and Outlook

• **Action**: Develop a comprehensive framework for HRM metrics that accurately measure behavioral change and align with strategic security objectives.
• **Best Case Scenario**: Successful implementation of HRM metrics leads to significant risk reduction and enhanced security posture.
• **Worst Case Scenario**: Resistance to change results in continued reliance on ineffective metrics, increasing vulnerability to cyber threats.
• **Most Likely Scenario**: Gradual adoption of HRM metrics with mixed results, requiring ongoing refinement and adjustment.

6. Key Individuals and Entities

Chiara Bragato and Jeff Pollard are mentioned as key contributors to the research and development of HRM metrics.

7. Thematic Tags

cybersecurity, human risk management, behavioral change, security metrics