Employee risk scores were supposed to give security teams a signal they could act on. Failed phishing simulations, uncompleted security trainings, poor quiz results – these are all critical inputs that should help security teams create accurate risk scores that identify which employees pose the greatest security risk to the organization.

Instead, leading security teams have discovered something counterintuitive: The “lowest risk” employee according to Security Awareness Training (SAT) metrics might actually be your greatest security liability. 

Security teams were right to identify behavior as a critical factor for understanding risk. But behavior alone isn’t enough to accurately assess employee risk. That’s because human risk is as much about blast radius as it is behavior. 

Security teams need to go beyond behavior and combine it with other rich contextual signals. That’s the only way to reveal the true human attack surface and provide security teams with the signals that help them accurately model and reduce risk.

Why behavior-based employee risk scores can be deceptive

Behavior-based risk scores are the leading indicator used to assess human risk, but fixing messy habits doesn’t close the loop on human risk. Past behavior might reveal the probability of a successful exploit, but it ultimately does not convey the severity of the potential risk.

Think of the “serial clicker” vs. the model employee. If revealed behavior is the primary indicator you use to assign probability to human risk, the employee that clicks 50% of phishing links will be deemed high risk. Meanwhile the model employee that never falls for simulated phishing campaigns will be deemed low risk. 

But what if the serial clicker works on an auto-patched machine and has zero admin rights, while the model employee has an outdated OS with a critical vulnerability and uses SMS 2FA? In reality, the serial clicker may pose low actual risk while the model employee is a critical risk.

Scoring probability without factoring in severity is short-sighted in a world where all it takes is one lapse of judgment to let an attacker through the front door. If you only measure behavior, you’re betting the entire company on a human never making a mistake. That’s why a true human risk score needs to take additional context into account — it helps you extend and reinforce the safety net.

Overemphasis on behavior scores can create a toxic security culture

Behavior scores feel precise, but the truth is that they can be misleading. Behavior is not a personality trait. It drifts with role changes, workload spikes, and new tooling. Even a CISO might click a phishing link if they’re caught up in a stressful situation like a security audit and the email they receive is contextually relevant enough.

Behavior scores seldom capture that nuance. They tend to be based on factors like performance across a specified number of phishing simulations. They try to use history to determine probability, when the true employee risk calculation is much more complex. That’s why security teams need a better way to assess employee risk. 

Moving beyond behavior-focused cybersecurity training metrics is a critical shift in security philosophy, ensuring the emphasis remains on surfacing exposure, not assigning and attributing blame. That distinction matters, especially for creating a healthy security culture. Teams that frame scores as leading indicators of control failure instead of individual grades keep employees cooperative and inspire them to be active participants in protecting the organization.

Unearthing hidden human risk signals scattered across your tools

Security teams need a new way to assess employee risk. One that combines behavior with other contextual signals to surface the true extent of human risk. It should look at all the things people actually do inside systems – clicks on simulated phishing, unusual data pulls, excessive permissions, MFA lapses, device posture – and turn them into inputs that can be correlated against known incident paths and other relevant risk factors.

All of this information is readily available. The issue is that it’s often scattered across multiple tools, from endpoint security solutions to identity and access management (IAM) solutions. Security teams can monitor alerts from all these systems to keep tabs on human risk, but this is easier said than done. Security teams have tried to consolidate and surface this info with all sorts of custom dashboards, workflow orchestrations, and chatbots. But maintaining this cumbersome patchwork presents its own set of challenges.

Security teams need a live system of record, built on a contextual foundation of meaningful risk signals collected from purpose-built security solutions to get a complete, unbiased picture of human risk. They need a human risk graph. 

Find your true exposures with a human risk graph

Amplifier Security’s human risk graph is the industry’s first all-in-one picture of human risk, revealing the complete employee attack surface across identities, devices, vulnerabilities, and behaviors. It ingests data from best-of-breed security tools and feeds it into a unified risk model that provides real-time visibility into pertinent user threats.

The human risk graph plugs into your stack to accurately quantify human risk. Each component of your stack plays a critical role in answering the important questions for contextualizing user-related risk:

• Identity management (Okta/Entra): Are users using weak MFA? Do they have dormant admin privileges that are exploitable?
  
  

• Endpoint management (Jamf/Intune/Kandji): Is the OS patched? Is the browser outdated?
  
  

• Vulnerability management (Tenable/Rapid7): What is the exploitability of their environment? Does their laptop harbor a CVE that makes a simple click fatal?
  
  

• Endpoint security (Crowdstrike/SentinelOne/Microsoft Defender): What is happening in real time? Has their device triggered malware alerts recently?
  
  

• SIEM (Splunk/Sumologic): Is this user logging in from impossible locations? Is there a spike in data egress associated with their account?
  
  

• SAT (KnowBe4/Proofpoint): Did they fail the sim? Do they have security training videos they haven’t watched?

While visualizing the human risk graph provides a real-time view of employee risk, it isn’t just for looking at. This insight provides security teams with the tools they need to not only visualize attack paths and act on missing controls, it enables them to rearchitect the entire security experience.

When human risk evolves from being a judgment of a person’s actions to an evaluation of exposure, employees become more motivated to participate in security instead of trying to hide wrongdoing. The human risk graph democratizes security data, giving users visibility into their own hygiene, effectively gamifying security. With AI-driven automations and guided remediation workflows, security teams can motivate employees to improve their own security scores without ever opening a single ticket.  

Shifting employee risk scores from compliance theater to metrics that matter

Historically, security leaders have reported cybersecurity training metrics to show improvements to the board and demonstrate compliance. But when these metrics are based on activities that only address a small part of the total threat surface, security devolves into compliance theater.

The human risk graph gives security teams risk scores that reflect true attack surfaces and exposures. When they have accurate, real-time risk scores across people, teams, and the entire organization, they can finally begin to implement measures to drive tangible, measurable security improvements. 

The human risk graph helps you track critical metrics that help you show the fix, not just the clicks. This includes:

• Vulnerabilities: Reduce your risk to common vulnerabilities and exposures (CVEs) by surfacing outstanding vulnerabilities and mean-time-to-repair (MTTR), sort by severity and total, and track how many vulnerabilities were fixed by AI-guided, employee-led automations.

• Tooling coverage: Make sure your tools are properly configured by monitoring compliance by endpoint, analyzing tooling MTTR, and tracking how many tooling gaps were resolved by AI-guided, employee-led automations.

• Cybersecurity awareness training: Ensure your employees are completing security training by monitoring completed and overdue training numbers, watching training MTTR, and tracking how many training issues were resolved by AI-guided, employee-led automations.

• Security health and trends: Ensure your human risk posture is improving steadily with security health scores and trends, and filter the results by users, departments, and the overall organization to help guide your security team’s focus.

Amplifier Security customers are able to track all of these critical metrics and deliver meaningful improvements in a matter of months. They’ve been able to achieve 100% tool compliance, boost SAT compliance to 98.5%, and patch 100% of vulnerabilities with a 75% reduction by MTTR. All without intervention from security and IT teams, thanks to Amplifier’s AI Security Engineer and our AI-driven approach to user-led remediation.

A contextual approach to human risk is the confident approach to human risk

For the last decade, efforts to improve employee risk have revolved around fixing human behavior through education and exercises. While this approach works to some degree, it places too much emphasis on a specific part of the equation that’s ultimately very hard to control: the human brain.

It’s time to stop asking “is this user a risk?” and start asking “is this user protected?” A human risk graph correlates all of the context required to answer that question, from behavioral and training gaps to vulnerability exposure, enabling organizations to finally begin closing the gap on human risk.