Cybersecurity Has a Blind Spot: Human Risk

Why the next maturity step in cybersecurity is measurable human risk, not more training.

Vlastimil Sindelar


If you ask a CISO how many critical vulnerabilities are open on their network, they can check a dashboard and tell you. If you ask them how many of their employees would approve a fraudulent MFA prompt today, they have to guess.

That is the blind spot in modern cybersecurity.

Every year, organisations invest heavily in managing cyber risk. They track vulnerabilities, monitor endpoints, assess suppliers, improve identity controls, and strengthen cloud security. They measure patching cycles, incident response times, and technical control coverage.

All of that matters. But one of the most important attack surfaces is still often under-measured: people.

According to Verizon's 2025 Data Breach Investigations Report, the human element was involved in around 60% of breaches. Yet in many organisations, the primary control for this layer is still an annual awareness course and a completion report.

That creates a serious blind spot.


What is human risk in cybersecurity?

Human risk in cybersecurity is the risk created by how people behave: how they respond to phishing, handle credentials, use multi-factor authentication, report incidents, and use tools such as AI. While organisations measure technical risk in detail, human risk is still often reduced to training completion rather than managed as a measurable risk category with evidence, reporting, and improvement over time.


IT risk is measured. Human risk often isn't.

Most mature organisations can tell you:

  • how many critical vulnerabilities are open
  • how many devices are encrypted
  • MFA adoption rates
  • patch compliance status
  • vendor risk ratings
  • mean time to detect incidents

But many cannot confidently answer:

  • How many employees would fall for a credential phishing attempt?
  • How many would approve an unexpected MFA prompt?
  • How many would fail to report a suspicious incident because they were unsure?
  • Where are employees overconfident in their security judgment?
  • Does management have visibility into workforce security readiness, or only training completion rates?

That difference matters.

Because if people are part of the threat surface, then human risk should be managed with the same discipline as technical risk.

Measured. Reported. Improved. Governed.


The confidence gap at the top

Recent research suggests the problem is not that leadership ignores cyber risk entirely. The deeper issue is that confidence and evidence are often misaligned.

A 2024 LastPass survey found that 92% of executives believed employees understood their organisation's security expectations.

EY's 2025 Global Cybersecurity Leadership Insights found a measurable disconnect between CISOs and the broader C-suite. CISOs were more likely than other executives to believe threats were more advanced than their organisation's defences, and more likely to believe senior leaders underestimated cybersecurity risk.

This is not unusual. Security leaders often see operational reality:

  • recurring phishing attempts
  • alert fatigue
  • delayed remediation
  • weak reporting culture
  • control workarounds
  • inconsistent behaviour under pressure

Executives often see dashboards, budgets, roadmaps, and high-level summaries.

Both views are real, but they are not the same view.


Why awareness completion is no longer enough

Traditional security awareness programmes usually answer one question:

Did employees complete the training?

That may help with basic compliance evidence, but it does not answer more important questions:

  • Did they understand the material?
  • Can they apply it in realistic scenarios?
  • Where are the weakest behaviours?
  • Which risks are improving?
  • Which risks are getting worse?
  • Where is confidence higher than competence?

Completion is an activity metric.

Readiness is an effectiveness metric.

Those should not be confused.


Human risk should be measurable

A modern human risk programme should be able to produce evidence such as:

  • phishing identification performance trends
  • incident reporting readiness
  • credential compromise susceptibility indicators
  • leadership oversight literacy
  • confidence versus actual performance gaps

This is where many organisations currently have a gap: they run awareness activity, but do not generate decision-grade management information from it.
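As an added illustration (not code from the original post or from SafeHabits), the following Python turns raw phishing-simulation records into the kind of evidence listed above, and makes concrete the earlier distinction between completion as an activity metric and readiness as an effectiveness metric. The records, field names and the 1-to-5 self-rating scale are constructed for the example; the "overconfident" figure is one simple way to express a confidence-versus-performance gap (rated themselves 4 or higher, still clicked), not a standard definition.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one quarterly phishing simulation (constructed schema)."""
    employee: str
    department: str
    quarter: str
    completed_training: bool  # the activity metric most programmes stop at
    clicked: bool             # followed the lure or entered credentials
    reported: bool            # reported the message to security
    self_rated: int           # pre-exercise self-assessment, 1 (low) to 5 (high)


# Constructed sample data: six employees across two quarters. Not real results.
RESULTS = [
    SimResult("a.lee", "finance", "Q1", True, True, False, 5),
    SimResult("b.khan", "finance", "Q1", True, False, True, 3),
    SimResult("c.diaz", "finance", "Q1", False, True, False, 4),
    SimResult("d.park", "ops", "Q1", True, False, False, 2),
    SimResult("e.rossi", "ops", "Q1", True, True, True, 5),
    SimResult("f.nkemelu", "ops", "Q1", True, False, True, 4),
    SimResult("a.lee", "finance", "Q2", True, True, False, 5),
    SimResult("b.khan", "finance", "Q2", True, False, True, 3),
    SimResult("c.diaz", "finance", "Q2", True, True, False, 4),
    SimResult("d.park", "ops", "Q2", True, False, True, 3),
    SimResult("e.rossi", "ops", "Q2", True, False, True, 5),
    SimResult("f.nkemelu", "ops", "Q2", True, False, True, 4),
]


def _rate(numerator, denominator):
    return round(numerator / denominator, 3) if denominator else 0.0


def completion_rate(results):
    """Activity metric: share of results where the course was completed."""
    return _rate(sum(r.completed_training for r in results), len(results))


def readiness(results):
    """Effectiveness metrics for one population of results."""
    n = len(results)
    return {
        "identified": _rate(sum(not r.clicked for r in results), n),
        "reported": _rate(sum(r.reported for r in results), n),
        # confidence-versus-performance gap: self-rated 4+ and still clicked
        "overconfident": _rate(sum(r.clicked and r.self_rated >= 4 for r in results), n),
    }


def by(field, results):
    """Readiness broken down by one SimResult field, e.g. 'department' or 'quarter'."""
    groups = defaultdict(list)
    for r in results:
        groups[getattr(r, field)].append(r)
    return {key: readiness(group) for key, group in sorted(groups.items())}


def trend(results, metric):
    """Quarter-over-quarter change of one metric. For 'identified' and 'reported'
    a positive value is improvement; for 'overconfident' a negative value is."""
    per_quarter = by("quarter", results)
    quarters = sorted(per_quarter)
    return {
        quarters[i]: round(per_quarter[quarters[i]][metric] - per_quarter[quarters[i - 1]][metric], 3)
        for i in range(1, len(quarters))
    }


def weakest_department(results, quarter, metric="identified"):
    """Where the highest human risk sits right now: the department with the lowest rate."""
    current = [r for r in results if r.quarter == quarter]
    per_dept = by("department", current)
    return min(per_dept, key=lambda d: per_dept[d][metric])


if __name__ == "__main__":
    print("completion (activity metric):", completion_rate(RESULTS))
    print("readiness by quarter:", by("quarter", RESULTS))
    print("identified trend:", trend(RESULTS, "identified"))
    print("weakest department in Q2:", weakest_department(RESULTS, "Q2"))
```

On the sample data the completion rate is over 90% in both quarters while only half of the workforce identified the Q1 lure, which is exactly the gap between the two kinds of metric; the per-department and quarter-over-quarter views are the signals a management report can act on.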


Governance matters too

This challenge does not stop at the workforce.

Regulators increasingly expect management bodies to understand and oversee cyber risk. NIS2 Article 20 explicitly requires management bodies to approve cybersecurity risk-management measures, oversee implementation, and undergo cybersecurity training. We have covered that shift in detail in our NIS2 Article 20 breakdown.

That is an important shift. Cybersecurity awareness is no longer only an employee issue. It is also a governance issue. Boards and leadership teams need enough understanding to ask the right questions, interpret the right signals, and avoid relying on vanity metrics.


The next maturity step

The next step for many organisations is not simply more training.

It is better measurement.

Instead of asking "Who completed training?", start asking:

  • Who is actually ready?
  • Where is our highest human risk today?
  • What behaviour needs reinforcement next quarter?
  • Can we demonstrate improvement over time?
  • Can leadership see meaningful signals, not just completion percentages?

That is how awareness evolves into risk management.


Why we built SafeHabits

SafeHabits was built around a simple idea: if human behaviour contributes materially to cyber risk, then human risk should be visible, measurable, and actionable.

That means moving beyond checkbox training toward:

  • habit-based security learning
  • realistic scenario measurement
  • management-ready reporting
  • governance training
  • structured evidence aligned to frameworks such as NIS2, ISO 27001, SOC 2, and NIST
  • continuous improvement over time

Because organisations already manage IT risk seriously.

Human risk deserves the same standard.


Final thought

Cybersecurity already knows people matter. The blind spot is that many organisations still struggle to measure human risk with the same rigour they apply elsewhere. That gap is becoming harder to justify, especially when the human element remains involved in around 60% of breaches.