Risk Categorization

To understand human risk at an enterprise scale, we must first map its full breadth—that's where categories come in. Each of the categories below represents a distinct facet of how people interact with systems, data, and one another—helping us conceptually organize the many ways human behavior can impact risk.

Within each category are unique risk indicators: specific, observable actions or events that signal a human's contribution—positive or negative—to cybersecurity risk. It's these indicators that enable organizations to identify, measure, and manage the full spectrum of human-driven risk. Categories provide the structure; indicators provide the evidence.

C.01 Communication Security: How individuals use email, chat, messaging, and collaboration platforms to exchange information.
C.02 Engagement & Awareness: How individuals participate in and retain knowledge from security education and engagement activities.
C.03 Data Protection: How individuals handle, share, store, or exfiltrate sensitive or regulated information.
C.04 Identity & Access Risk: How user identities, authentication methods, and permissions are used to access systems and data.
C.05 Web & Cloud Usage: How individuals access internet resources and cloud-based services.
C.06 Endpoint & Device Security: The condition, posture, and configuration of user devices, including desktops, laptops, and peripherals.
C.07 Physical Security: How individuals interact with physical spaces and assets to protect sensitive environments.
C.08 Social Engineering Risks: How attackers exploit human psychology through tactics such as fear, trust, urgency, or overconfidence.
C.09 Incident Response Readiness: How effectively individuals report, escalate, and participate in incident response processes.
C.10 Remote Work Risk: How individuals manage security while working outside traditional office environments.
C.11 Digital Exposure Risk: How much sensitive personal or professional information about individuals is publicly available online.
C.12 Mobile Security: How individuals use and secure smartphones and tablets for work purposes.
C.13 Third-Party Risk: How external vendors, suppliers, contractors, or partners introduce risk into the enterprise.
C.14 Policy & Regulatory Compliance: How the organization adheres to cybersecurity rules, standards, and legal obligations.
C.15 Human Use of AI: How individuals interact with and apply AI systems within the workplace.
C.16 Agentic AI: How organizations deploy and oversee autonomous AI agents in enterprise environments.