# HumanRiskManagement.com llms.txt

## Human Risk Management Framework

### Transform Human + AI Risk into Measurable Defense

Cybersecurity starts with people—and now includes the autonomous AI "co-workers" acting alongside them. The Human Risk Management Framework gives you a practical, evidence-based way to identify, quantify, and reduce cyber risk across both your human workforce and AI agents, before incidents happen. Discover how to proactively manage cyber threats with a people-and-AI-first security framework.

[Explore Framework](https://www.humanriskmanagement.com/framework) [Join Community](https://www.humanriskmanagement.com/community)

## Cybersecurity Still Has a Blind Spot: People + AI Agents

- Despite the fact that 3 out of every 4 security breaches involve human actions, most frameworks focus only on devices and threats—not the workforce itself.
- Even people-focused security programs tend to fixate on phish clicks or training completions—missing the full picture of human risk.
- A true lens into risk must account for both people and their AI co-workers, ensuring that organizations can govern the blended workforce shaping today’s cybersecurity landscape.

[Find out why](https://www.humanriskmanagement.com/blog)

## Get Started with Human Risk Management

### Framework

**A framework that gets above the noise and surfaces actionable indicators of risk.**

To mitigate human risk, you need to map out and see the entire surface of human risk exposure. This comprehensive, vendor-agnostic framework maps that surface into 16 categories, with over 500 observable, measurable, and actionable indicators of risk.

[Explore the framework](https://www.humanriskmanagement.com/framework)

### Methodology

**Research that looks across the data in typical environments to identify risk that matters.**

Modern enterprises rely on a wide array of technologies across security, IT, and even HR. Each holds a piece of the human risk puzzle, but none of them alone has the full picture. Our approach looks across a broad set of data to surface risk that matters.

[See the research process](https://www.humanriskmanagement.com/methodology)

## Learn from the Field, Grow with the Community

Case studies and peer collaboration to help you evolve your human risk strategy.

### Blog & Case Studies

Explore real incidents, lessons learned, and success stories that show human-centric risk insights in action.

[Read more](https://www.humanriskmanagement.com/blog)

### HRM Community

Join a growing network of security leaders, analysts, and practitioners sharing strategies for human-centric cyber defense.

[Join now](https://www.humanriskmanagement.com/community)

### Discover Your HRM Maturity

The Human Risk Management (HRM) Maturity Model provides a clear roadmap to evaluate your current capabilities, benchmark against industry best practices, and chart a path toward stronger, measurable human-centric defense.

[Access now](https://www.humanriskmanagement.com/hrm-maturity-model)

## Communication Security Risks

# Communication Security (C.01)

How individuals use email, chat, messaging, and collaboration platforms to exchange information.

## Indicators

- **Opens real phishing emails** (I.0001, Risky): An observed identity opens real phishing emails delivered to the inbox, increasing exposure to credential-harvesting pages, drive‑by downloads, or embedded malware that evade upstream controls.
- **Receives real phishing emails** (I.0002, Risky): An observed identity receives real phishing emails that bypass filtering, indicating potential gaps in mail security and targeted exposure that warrant rapid triage and user‑focused follow‑up.
- **Receives real phishing emails with malware** (I.0003, Risky): An observed identity receives real phishing emails carrying malicious payloads or weaponized attachments, creating immediate endpoint compromise risk and signaling a need for expedited containment.
- **Target of real phishing emails** (I.0004, Risky): An observed identity is specifically targeted in real phishing campaigns, suggesting perceived value or vulnerability and informing prioritization for protections and coaching.
- **Clicks links in real phishing emails** (I.0005, Risky): An observed identity clicks links in real phishing emails, elevating the likelihood of credential theft, session token capture, or browser‑based exploitation on hostile pages.
- **Enables phishing reporter buttons** (I.0006, Vigilant): An observed identity enables the enterprise reporting add‑in/button in their mail client, signaling readiness to escalate suspicious messages through approved detection workflows.
- **Reports suspected phishing or other suspicious emails to security for analysis** (I.0007, Vigilant): An observed identity reports emails they suspect are phishing or otherwise suspicious to security responders, preserving the headers, attachments, and links needed for rapid investigation and contributing early signals that improve detection speed even if the messages later prove benign.
- **Reports suspected phishing emails that are tagged as suspicious** (I.0008, Vigilant): An observed identity reports emails that downstream analysis or tooling also tags as suspicious, strengthening first‑line detection and aiding rapid incident triage.
- **Reports real phishing emails** (I.0009, Vigilant): An observed identity correctly reports verified phishing emails, materially improving mean‑time‑to‑detect and enabling protective actions (quarantine, blocklists, takedown).
- **Reports real phishing emails resulting in quarantine** (I.0010, Vigilant): An observed identity is first to report verified phishing emails at a time that enables automated quarantine or recall of matched emails across recipients, reducing blast radius.
- **Reports legitimate emails as phishing emails** (I.0011, Vigilant): An observed identity reports legitimate emails as phishing, generating false positives that can create alert fatigue but also training opportunities to refine recognition skills.
- **Reports suspicious SMS messages** (I.0012, Vigilant): An observed identity reports suspicious SMS (“smishing”) messages to security, enabling cross‑channel detection and user protection beyond email.
- **Replies to emails from unknown or spoofed senders** (I.0013, Risky): An observed identity replies to messages from unknown or spoofed senders, increasing the risk of data disclosure, business email compromise (BEC), and follow‑on social engineering.
- **Forwards email messages to an unauthorized mailbox** (I.0014, Risky): An observed identity forwards email content to personal or otherwise unauthorized mailboxes, circumventing governance and increasing data exfiltration and privacy risk.
- **Opens attachments from quarantined email messages** (I.0015, Risky): An observed identity retrieves and opens attachments from emails that were quarantined or flagged, bypassing warnings and increasing the chance of executing malicious content.
- **Opens attachments from email messages with unknown senders** (I.0016, Risky): An observed identity opens attachments from emails sent by unknown or unverified parties, exposing endpoints and data to malware or coercive lures.
- **Deletes phishing emails without opening** (I.0017, Vigilant): An observed identity deletes suspected phishing emails without opening them, reducing exposure windows and demonstrating protective discretion aligned to policy.
- **Marks legitimate security alerts as junk messages** (I.0018): An observed identity marks legitimate security or IT notifications as junk, suppressing critical communications and potentially delaying required user actions or incident response.
- **Replies to flagged phishing emails after warning** (I.0019, Risky): An observed identity replies to emails already labeled or bannered as phishing, disregarding security cues and increasing the chance of engagement with adversaries.
- **Downloads attachments from emails with mismatched display name and sender** (I.0020, Risky): An observed identity downloads attachments from messages where the display name and actual sender differ, a classic phishing trait that elevates compromise likelihood.
- **Configures a mailbox rule that bypasses security controls** (I.0021, Risky): An observed identity creates mailbox rules that auto‑move, forward, or hide messages to bypass banners, filters, or DLP enforcement, undermining detection and auditability.
- **Sends email messages to risky distribution lists** (I.0022, Risky): An observed identity sends messages to outdated or risky distribution lists, often including unintended external recipients, creating accidental data exposure and propagation risk.
- **Sends files to personal accounts** (I.0023, Risky): An observed identity sends files from corporate mail to personal accounts, shifting sensitive data outside managed boundaries and complicating governance and eDiscovery.
- **Sends credentials through chat messages** (I.0024, Risky): An observed identity transmits passwords, one‑time codes, or other credentials in chat, enabling interception, reuse, or replay beyond approved secret‑handling channels.
- **Shares meeting links on public websites** (I.0025, Risky): An observed identity posts meeting links on public websites or forums, enabling unsolicited access, meeting bombing, or covert social engineering against participants.
- **Accepts file transfers from unknown external contacts** (I.0026, Risky): An observed identity accepts file transfers or share invites from unknown external contacts, raising the risk of malware delivery or data harvesting schemes.
- **Removes sensitivity labels from email messages** (I.0027, Risky): An observed identity removes classification/sensitivity labels or banners prior to sending, weakening DLP and record‑keeping controls and increasing leakage risk.
- **Attempts to bypass attachment blocking by renaming files** (I.0028, Risky): An observed identity attempts to evade attachment blocking by renaming or re‑packaging files, indicating intentional control circumvention and an elevated insider‑risk posture.
- **Adds potentially risky domains to “safe senders” list** (I.0029, Risky): An observed identity adds unvetted or risky domains to safe‑sender lists, suppressing warnings and allowing future malicious content to reach the inbox unchallenged.
- **Replies all with external recipients** (I.0030, Risky): An observed identity uses “reply all” on threads that include external recipients, potentially disclosing internal content, links, or PII to unintended parties.
- **Deletes security banner before sending messages** (I.0031, Risky): An observed identity removes or edits security banners or headers prior to sending, erasing context meant to inform recipients and auditors about sensitivity or risk.
- **Shares sensitive content via email messages** (I.0032, Risky): An observed identity transmits sensitive or regulated content via email without appropriate protections (encryption, permitted recipients, least privilege), increasing exposure.
- **Shares sensitive data to public folders** (I.0033, Risky): An observed identity places sensitive data into public or broadly accessible mail‑linked folders, enabling uncontrolled discovery, indexing, or onward sharing.
- **Shares sensitive content via chat** (I.0034, Risky): An observed identity shares sensitive information through chat channels lacking the required controls for classification, retention, or eDiscovery.
- **Uses personal email for work correspondence** (I.0035, Risky): An observed identity conducts work correspondence via personal email, bypassing enterprise retention, DLP, legal hold, and access monitoring.
- **Reveals project code names or internal initiatives in public channels** (I.0036, Risky): An observed identity references project code names or internal initiatives in public channels, aiding adversary reconnaissance and targeted social engineering.
- **Interacts with calendar invites that may pose security risk** (I.0037, Risky): An observed identity accepts or interacts with calendar invitations from untrusted sources, potentially enabling malicious links, conferencing fraud, or data harvesting.
- **Screenshares confidential content in virtual meetings with external participants** (I.0038, Risky): An observed identity shares screens that expose confidential content to external participants during virtual meetings, creating immediate data leakage risk.
- **Clicks links in SMS messages from unknown senders or as part of SMS phishing simulation** (I.0039, Risky): An observed identity clicks links in SMS from unknown senders ("smishing"), risking credential capture, device exploitation, or session hijacking on mobile, and demonstrating susceptibility to phishing attacks.
- **Enables macros in untrusted documents** (I.0040, Risky): An observed identity enables macros within untrusted documents, allowing embedded code execution and increasing endpoint compromise probability.
- **Accesses shortened URLs from unknown sources** (I.0041, Risky): An observed identity accesses shortened URLs from unverified sources, obscuring destination risk signals and increasing exposure to phishing or malware.
- **Attempts to download content from email messages with blocked external images** (I.0042, Risky): An observed identity attempts to download external content from emails where images are blocked, signaling willingness to bypass safe‑rendering defaults and accept beaconing risks.
- **Accepts redirected links from unknown domains** (I.0043, Risky): An observed identity follows redirects to destinations on unknown or low‑reputation domains, elevating exposure to exploit kits and phishing infrastructure.
- **Accepts shared file invites from spoofed domains** (I.0044, Risky): An observed identity accepts shared‑file invitations that spoof trusted brands or domains, enabling malware delivery or credential harvesting via faux collaboration flows.
- **Clicks unsubscribe links in unsolicited newsletters** (I.0045, Risky): An observed identity clicks “unsubscribe” links in unsolicited newsletters, potentially confirming a live mailbox to spammers or being redirected to malicious infrastructure.
- **Opens encrypted messages from unverified senders** (I.0046, Risky): An observed identity opens encrypted messages from unverified senders, engaging with content that may bypass standard inspection and introduce social‑engineering risk.
- **Accepts voice call MFA code requests over SMS** (I.0047, Risky): An observed identity complies with SMS requests to complete or approve voice‑call MFA code challenges from unverified sources, increasing susceptibility to MFA relay or fatigue attacks.
- **Shares OTP or MFA codes via email or chat messages** (I.0048, Risky): An observed identity shares one‑time passwords or MFA codes via email or chat, enabling immediate account takeover by adversaries monitoring those channels.
- **Approves suspicious or fraudulent MFA requests** (I.0049, Risky): An observed identity approves suspicious push or MFA prompts not initiated by themselves during real or simulated circumstances, indicating MFA fatigue or susceptibility to prompt‑bombing and similar attacks and risking account compromise.
- **Disables or tampers with email security controls** (I.0050, Risky): An observed identity disables or tampers with email security controls (e.g., reporting add‑ins, link/attachment rewriting, warning banners), degrading protection, visibility, and audit.

### Relevance

Communication channels are primary targets for phishing, impersonation, and content-based attacks. Monitoring user behavior here reveals susceptibility patterns and helps prioritize interventions.
It also provides visibility into whether secure communication practices are being followed consistently.

### Why this matters

This category matters because human error in communications is often the first step in a breach. Security teams must understand how employees interact across channels to identify risks before they are exploited. By emphasizing secure communication practices, organizations reduce the likelihood of compromise through phishing, spoofing, or data leakage.

### Consequences of neglect

If left unaddressed, poor communication hygiene can enable attackers to bypass technical controls. This leads to increased exposure to credential theft, financial fraud, reputational damage, and large-scale breaches caused by a single exploited communication channel.

## Security Education Engagement

# Engagement & Awareness (C.02)

How individuals participate in and retain knowledge from security education and engagement activities.

## Indicators

- **Opens simulated phishing emails one or more times** (I.0051, Risky): An observed identity opens simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Clicks links in simulated phishing emails** (I.0052, Risky): An observed identity clicks links in simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Enters credentials on websites linked from simulated phishing emails** (I.0053, Risky): An observed identity enters credentials on websites linked from simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Opens file attachments to simulated phishing emails** (I.0054, Risky): An observed identity opens file attachments to simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Fails to report simulated phishing emails after opening** (I.0055, Risky): An observed identity fails to report simulated phishing emails after opening them during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Deletes simulated phishing emails without reporting** (I.0056, Risky): An observed identity deletes simulated phishing emails without reporting them during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Responds to simulated phishing emails** (I.0057, Risky): An observed identity responds to simulated phishing emails during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Reports simulated phishing emails** (I.0058, Vigilant): An observed identity reports simulated phishing emails during awareness exercises, demonstrating resilience to phishing attacks.
- **Forwards simulated phishing emails to security team** (I.0059, Vigilant): An observed identity forwards simulated phishing emails to the security team during awareness exercises, demonstrating resilience to phishing attacks.
- **Provides helpful feedback on simulated phishing emails** (I.0060, Vigilant): An observed identity provides helpful feedback on simulated phishing emails during awareness exercises, demonstrating resilience to phishing attacks.
- **Opens simulated SMS phishing messages** (I.0061, Risky): An observed identity opens simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Responds to simulated SMS phishing messages** (I.0062, Risky): An observed identity responds to simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Fails to report simulated SMS phishing messages** (I.0063, Risky): An observed identity fails to report simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating susceptibility to phishing attacks.
- **Reports simulated SMS phishing messages** (I.0064, Vigilant): An observed identity reports simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating resilience to phishing attacks.
- **Ignores or deletes simulated SMS phishing messages** (I.0065, Vigilant): An observed identity ignores or deletes simulated SMS phishing ("smishing") messages during awareness exercises, demonstrating resilience to phishing attacks.
- **Does not respond to simulated fraudulent MFA prompts** (I.0066, Risky): An observed identity fails to respond to simulated fraudulent MFA prompts during awareness exercises, demonstrating susceptibility to attacks.
- **Marks simulated fraudulent MFA prompts as mistaken** (I.0067, Risky): An observed identity marks simulated fraudulent MFA prompts as mistaken during awareness exercises, demonstrating susceptibility to attacks.
- **Denies simulated fraudulent MFA prompts and reports them** (I.0068, Vigilant): An observed identity denies simulated fraudulent MFA prompts and reports them during awareness exercises, demonstrating resilience to attacks.
- **Responds promptly with correct action** (I.0069, Vigilant): An observed identity responds promptly with the correct action during awareness exercises, demonstrating security resilience and compliance.
- **Does not respond to emergency notification test** (I.0070, Risky): An observed identity fails to respond to an emergency notification test during awareness exercises, demonstrating non-compliance with security best practices.
- **Responds to emergency notification test** (I.0071, Vigilant): An observed identity responds to an emergency notification test during awareness exercises, demonstrating compliance with security best practices.
- **Verifies receipt of emergency communications through proper channels** (I.0072, Vigilant): An observed identity verifies receipt of emergency communications through proper channels during awareness exercises, demonstrating compliance with security best practices.
- **Completes in-person trainings** (I.0073, Vigilant): An observed identity completes in-person trainings, demonstrating compliance with security best practices.
- **Has overdue trainings** (I.0074, Risky): An observed identity has overdue trainings, demonstrating non-compliance with security best practices.
- **Fails to attempt assigned trainings** (I.0075, Risky): An observed identity fails to attempt assigned trainings, demonstrating non-compliance with security best practices.
- **Fails assigned trainings** (I.0076, Risky): An observed identity fails assigned trainings, demonstrating non-compliance with security best practices.
- **Completes assigned trainings late** (I.0077, Risky): An observed identity completes assigned trainings late, demonstrating non-compliance with security best practices.
- **Avoids training** (I.0078, Risky): An observed identity skips assigned trainings, demonstrating non-compliance with security best practices.
- **Completes assigned trainings** (I.0079, Vigilant): An observed identity completes assigned trainings, demonstrating compliance with security best practices.
- **Completes assigned trainings on time** (I.0080, Vigilant): An observed identity completes assigned trainings on time, demonstrating compliance with security best practices.
- **Passes assigned trainings** (I.0081, Vigilant): An observed identity passes assigned trainings, demonstrating compliance with security best practices.
- **Attempts assigned trainings** (I.0082, Vigilant): An observed identity attempts assigned trainings, demonstrating compliance with security best practices.
- **Re-attempts failed trainings** (I.0083, Vigilant): An observed identity re-attempts failed trainings, demonstrating compliance with security best practices.
- **Engages with optional trainings** (I.0084, Vigilant): An observed identity engages with optional trainings, demonstrating compliance with security best practices.
- **Skips interactive training modules** (I.0085, Risky): An observed identity skips interactive training modules, demonstrating non-compliance with security best practices.
- **Completes collaborative trainings** (I.0086, Vigilant): An observed identity completes collaborative trainings, demonstrating compliance with security best practices.
- **Completes collaborative trainings on time** (I.0087, Vigilant): An observed identity completes collaborative trainings on time, demonstrating compliance with security best practices.
- **Fails to complete collaborative trainings** (I.0088, Risky): An observed identity fails to complete collaborative trainings, demonstrating non-compliance with security best practices.
- **Skips assigned trainings** (I.0089, Risky): An observed identity skips assigned trainings, demonstrating non-compliance with security best practices.
- **Reports high confidence in security self assessments** (I.0090, Vigilant): An observed identity reports high confidence in security self assessments.
- **Reports low confidence in security self assessments** (I.0091, Risky): An observed identity reports low confidence in security self assessments.
- **Reports high confidence in phishing-related self assessments** (I.0092, Vigilant): An observed identity reports high confidence in phishing-related self assessments.
- **Reports low confidence in phishing-related self assessments** (I.0093, Risky): An observed identity reports low confidence in phishing-related self assessments.
- **Reports high confidence in organizational security readiness** (I.0094, Vigilant): An observed identity reports high confidence in organizational security readiness.
- **Reports low confidence in organizational security readiness** (I.0095, Risky): An observed identity reports low confidence in organizational security readiness.
- **Completes training consistently over multiple assigned trainings** (I.0096, Vigilant): An observed identity completes training consistently over multiple assigned trainings, demonstrating compliance with security best practices.
- **Fails phishing simulations less frequently over time** (I.0097, Vigilant): An observed identity fails phishing-related simulations less frequently over time, demonstrating increasing resilience.
- **Reports increased confidence in security self assessments** (I.0098, Vigilant): An observed identity reports increased confidence in security self assessments.
- **Fails security simulations less frequently over time** (I.0099, Vigilant): An observed identity fails security simulations less frequently over time, demonstrating increasing resilience.

### Relevance

This category highlights the effectiveness of awareness programs and helps pinpoint where knowledge gaps remain. It measures user engagement levels and reveals whether training translates into applied vigilance.

### Why this matters

Practitioners must care about engagement because awareness programs are only effective if employees internalize and act on them. Measuring participation and retention ensures security education is not just a checkbox exercise but a behavior-shaping initiative.

### Consequences of neglect

Failure to address engagement gaps means employees may remain unaware of evolving threats, making the enterprise more susceptible to phishing, social engineering, and compliance failures.

## Data Protection Framework

# Data Protection (C.03)

How individuals handle, share, store, or exfiltrate sensitive or regulated information.

## Indicators

- **Uses personal tools to access enterprise documents** (I.0100, Risky): An observed identity sends or opens work-related files using personal email or cloud storage accounts. This bypasses enterprise data governance and may violate compliance policies.
- **Syncs enterprise data to personal cloud storage** (I.0101, Risky): An observed identity links enterprise data to personal file sync or backup services, creating unmanaged data replicas outside corporate control and increasing the risk of data leakage and loss of governance.
- **Installs personal cloud backup tools on enterprise devices** (I.0102, Risky): An observed identity installs consumer-grade backup software on corporate endpoints, duplicating sensitive files to unapproved destinations.
- **Copies enterprise data into personal AI chat tools** (I.0103, Risky): An observed identity interacts with AI assistants using company-sensitive input, potentially disclosing proprietary or regulated data to services outside organizational control.
- **Signs into enterprise apps from unmanaged devices** (I.0104, Risky): An observed identity accesses enterprise cloud applications from personal or non-compliant devices without endpoint protections. This increases the chance of malware infection or credential theft.
- **Logs into enterprise services using personal accounts** (I.0105, Risky): An observed identity accesses enterprise systems with personal credentials instead of corporate identities, weakening access controls and audit trails.
- **Shows simultaneous logins from geographically distant IPs** (I.0106, Risky): An observed identity's account is accessed from multiple distant locations in a short timeframe, which may suggest credential compromise.
- **Continues using expired credentials for cloud access** (I.0107, Risky): An observed identity accesses cloud services using credentials that should have been rotated or deactivated, indicating poor credential hygiene.
- **Avoids enterprise single sign-on** (I.0108, Risky): An observed identity accesses enterprise applications directly using credentials, bypassing SSO and associated controls like MFA or logging.
- **Shares cloud documents with public links** (I.0109, Risky): An observed identity shares internal files or folders using unrestricted public links. This makes sensitive content accessible to anyone with the link, often unintentionally.
- **Sets cloud file sharing to overly permissive levels** (I.0110, Risky): An observed identity configures shared files or folders to allow broad or public access, whether intentionally or by default. This creates a risk of unauthorized data access.
- **Stores unencrypted credentials in shared cloud folders** (I.0111, Risky): An observed identity places plaintext passwords or keys into cloud storage locations accessible by others, exposing the credentials to theft.
- **Misconfigures cloud storage with public access** (I.0112, Risky): An observed identity configures cloud storage containers to allow public access without authentication, whether intentionally or by mistake.
- **Authorizes persistent access to third-party applications** (I.0113, Risky): An observed identity grants long-term access to enterprise data via OAuth or API permissions to third-party apps or extensions. These tools may retain access even after user offboarding.
- **Grants OAuth access to untrusted vendors** (I.0114, Risky): An observed identity approves data access by unknown or suspicious third-party applications via OAuth integrations, potentially exposing enterprise content.
- **Installs unvetted browser extensions** (I.0115, Risky): An observed identity adds extensions from unofficial sources or developers to their browser. These tools may have access to sensitive web session data or cloud content.
- **Downloads executable files from suspicious domains** (I.0116, Risky): An observed identity downloads executable files from websites with poor or no reputation, increasing the likelihood of malware infection.
- **Opens shortened URLs from unknown senders** (I.0117, Risky): An observed identity clicks on shortened or obfuscated links received from untrusted sources. These links often lead to phishing or malware-hosting sites.
- **Ignores browser warnings about insecure websites** (I.0118, Risky): An observed identity bypasses warnings related to expired or untrusted SSL certificates, suggesting a pattern of risky web behavior.
- **Uses non-encrypted HTTP for sensitive web access** (I.0119, Risky): An observed identity accesses login pages or apps without HTTPS, exposing authentication or session data to interception.
- **Uses unsupported browsers for sensitive enterprise tasks** (I.0120, Risky): An observed identity accesses key systems using outdated or unsupported web browsers, which may lack modern security controls or policy enforcement capabilities.
- **Uses outdated browsers to access enterprise web apps** (I.0121, Risky): An observed identity operates browsers that lack the latest security patches or standards, increasing exposure to known vulnerabilities.
- **Accesses self-hosted tools with expired SSL certificates** (I.0122, Risky): An observed identity interacts with web applications secured by outdated or invalid SSL/TLS certificates. This behavior reduces secure communication guarantees.
- **Accesses enterprise web apps from high-risk geolocations** (I.0123, Risky): An observed identity logs into cloud applications from countries or regions known for high cyber risk. This may indicate account compromise or attempts to bypass geo-based controls.
- **Uses anonymity tools to bypass security controls** (I.0124, Risky): An observed identity uses consumer VPNs, proxies, or anonymizers to hide their location or bypass organizational access restrictions.
- **Attempts unauthorized privilege escalation in cloud apps** (I.0125, Risky): An observed identity initiates actions to increase their privileges or admin rights within cloud services, possibly indicating malicious intent or a misunderstanding of policy.
- **Uploads sensitive files to unauthorized web apps** (I.0126, Risky): An observed identity transfers corporate data into non-approved cloud applications or personal services, bypassing sanctioned tools. This can lead to data loss or leakage through shadow IT.
- **Uses root credentials for cloud administrative access** (I.0127, Risky): An observed identity logs in to cloud platforms using root or master accounts instead of delegated roles. This bypasses auditing and increases the impact of mistakes or compromise.
- **Uploads code to unsanctioned repositories** (I.0128, Risky): An observed identity posts scripts or source code to public code-hosting services not approved by the organization, potentially leaking intellectual property.
- **Accesses SaaS apps only from managed devices** (I.0129, Vigilant): An observed identity consistently accesses cloud services from devices enrolled in enterprise controls.
- **Reports phishing emails without clicking** (I.0130, Vigilant): An observed identity flags suspected phishing messages promptly without interacting with malicious links.
- **Stores sensitive documents only in approved cloud platforms** (I.0131, Vigilant): An observed identity reliably saves sensitive files in sanctioned storage systems with appropriate access controls.
- **Shares documents using view-only permissions by default** (I.0132, Vigilant): An observed identity configures links with least-privilege settings when sharing documents.
- **Uses browser extensions only from approved list** (I.0133, Vigilant): An observed identity refrains from installing unvetted or risky browser plugins.
- **Regularly uses browser password manager with MFA** (I.0134, Vigilant): An observed identity stores credentials securely and always uses MFA where supported.
- **Logs out of sensitive applications after use** (I.0135, Vigilant): An observed identity actively terminates web sessions instead of relying on idle timeouts.
- **Hovers over links before clicking** (I.0136, Vigilant): An observed identity habitually inspects links before engaging, reducing the likelihood of phishing success.
- **Avoids repeated access attempts to restricted cloud content** (I.0137, Vigilant): An observed identity doesn’t trigger frequent access-denied events, suggesting strong awareness of access boundaries.

### Relevance

Data protection behavior reflects how well employees safeguard the organization’s most critical asset: its information. It shows whether sensitive data is being managed in alignment with policies and regulatory requirements.

### Why this matters

This category matters because breaches often stem from mishandled data, whether accidental or intentional. By monitoring these behaviors, security teams can enforce controls that prevent leaks, misuse, or unauthorized access.

### Consequences of neglect

Without proper oversight, organizations risk data exposure, compliance fines, legal penalties, and reputational harm. Mishandled information can also erode customer trust and invite regulatory scrutiny.

## Identity Access Risks

# Identity & Access Risk (C.04)

How user identities, authentication methods, and permissions are used to access systems and data.

## Indicators

- **Misuses elevated privileges to access sensitive resources** (I.0138, Risky): An observed identity demonstrates misuse of privileged accounts or admin rights, often bypassing normal approval channels. Such activity creates opportunities for unauthorized system changes, exposure of sensitive information, or establishment of covert control within high-value systems.
- **Abuses access privileges in ways that do not comply with policy** (I.0139, Risky): An observed identity initiates privileged actions that fall outside approved workflows or organizational policy. These deviations weaken governance, obscure accountability, and may signal intentional circumvention of controls to perform prohibited tasks.
- **Steals or harvests credentials using unauthorized tools**: An observed identity employs malware, dumping utilities, or other unauthorized methods to capture authentication secrets. These techniques are commonly associated with endpoint compromise and often enable large-scale lateral movement or credential replay attacks.
Risky I.0140 Accesses protected resources from unusual locations An observed identity attempts logins or resource access from geographic regions not aligned with their normal activity patterns. Such anomalies are strong indicators of credential theft, account takeover, or remote access through adversary infrastructure. Risky I.0141 Uses injected credentials to access protected resources An observed identity relies on credential injection techniques that bypass normal login processes. This behavior suggests advanced exploitation methods designed to evade detection and establish stealthy persistence inside enterprise environments. Risky I.0142 Subverts access controls or disables auditing mechanisms An observed identity tampers with security enforcement or monitoring features, such as conditional access policies or audit logs. By weakening these safeguards, the identity reduces defender visibility and increases the likelihood that malicious operations remain undetected. Risky I.0143 Manipulates identity federation settings to bypass controls An observed identity alters trust relationships between identity providers or modifies federation bindings. Such manipulation undermines cross-domain authentication integrity and can open avenues for unauthorized access via unapproved or compromised directories. Risky I.0144 Configures persistence mechanisms to maintain unauthorized access An observed identity establishes techniques—such as scheduled tasks, services, or endpoint configuration changes—that ensure continued access over time. These methods often indicate attempts to maintain a long-term foothold within critical systems. Risky I.0145 Uses cached or stolen credentials to gain unauthorized access An observed identity leverages authentication artifacts sourced from memory, endpoints, or theft to impersonate valid users. These activities bypass normal login scrutiny and expose the enterprise to prolonged account misuse and data exfiltration. 
Risky I.0146 Relies on insecure or temporary credentials to maintain access An observed identity depends on weak, short-lived, or otherwise insecure credentials to continue accessing systems. This practice undermines authentication integrity and elevates the risk of replay attacks or unauthorized reuse by external adversaries. Risky I.0147 Communicates with known threat actors An observed identity establishes contact with infrastructure or accounts linked to known malicious groups. Such communications often represent command-and-control activity, collusion, or preparation for exfiltration of sensitive data. Risky I.0148 Engages in activity inconsistent with approved roles An observed identity performs actions beyond their defined responsibilities or outside expected behavioral baselines. These deviations may signal account compromise, insider threat, or unauthorized escalation of privileges. Risky I.0149 Modifies or deletes identity policies to gain unauthorized access An observed identity alters policies governing accounts, privileges, or access boundaries. These changes dismantle key protections, expand entitlements, and create opportunities for long-term abuse of sensitive systems. Risky I.0150 Accesses secrets or vaults in unauthorized or unusual ways An observed identity interacts with repositories of sensitive credentials or keys in unexpected patterns. Such activity may indicate an insider seeking privileged material or an external attacker exploiting compromised accounts to harvest secrets. Risky I.0151 Disables monitoring or logging to conceal unauthorized activity An observed identity interferes with security telemetry by suppressing logs, disabling monitoring agents, or otherwise obscuring activity. This concealment reduces incident visibility, enabling adversaries to operate covertly within enterprise systems. 
Risky I.0152 Uses weak or bypassed authentication methods to gain access An observed identity exploits fallback methods, reuses passwords, or bypasses MFA requirements to authenticate. These weaknesses degrade assurance of identity validation and increase susceptibility to credential-based attacks. Risky I.0153 Accesses protected resources at unusual volumes or frequency An observed identity generates abnormally high or repetitive access requests against sensitive systems. Such patterns are consistent with automated data harvesting, brute-force reconnaissance, or malicious scripting. Risky I.0154 ### Relevance Identity and access patterns reveal whether security fundamentals like MFA, password hygiene, and least-privilege access are consistently applied. They are often the difference between contained risk and widespread compromise. ### Why this matters This matters because identity is the new perimeter. A single compromised account can grant attackers broad access if controls are weak. Proactive monitoring ensures stronger defenses against credential theft and privilege abuse. ### Consequences of neglect Unmanaged identity risks lead to unauthorized access, privilege escalation, and potential insider threats, putting critical systems and data at risk of breach or manipulation. Identity & Access Risk - Risk Category \| Human Risk Management Framework ## Web & Cloud Usage # Web & Cloud Usage C.05 How individuals access internet resources and cloud-based services. ## Indicators Search Processes source code with unapproved AI services An observed identity sends company source code to external AI services not sanctioned by policy. This exposes intellectual property to third parties, increases the risk of unintended data leakage, and bypasses approved code security processes. Risky I.0155 Accesses unapproved cloud storage services An observed identity connects to unapproved cloud storage platforms. 
This creates unmanaged data repositories outside enterprise visibility, increasing the likelihood of data sprawl and unmonitored leakage of sensitive files. Risky I.0156 Uploads sensitive data to personal cloud storage An observed identity uploads confidential or proprietary data to personal cloud accounts. Such behavior circumvents enterprise data controls and creates a high risk of data exfiltration, loss of ownership, and regulatory compliance issues. Risky I.0157 Visits newly registered or suspicious domains An observed identity browses to domains with little reputation history or flagged as suspicious by threat intelligence. This increases the chance of exposure to phishing, malware, or adversary-controlled infrastructure. Risky I.0158 Installs vulnerable browser extensions An observed identity installs browser extensions with known security flaws. These plugins can act as attack vectors, enabling data theft, content injection, or interception of browsing activity. Risky I.0159 Circumvents corporate proxy or VPN An observed identity attempts to bypass enterprise network routing through proxies or VPNs. This reduces monitoring effectiveness, hides activity from defenders, and provides potential channels for unmonitored data transfer. Risky I.0160 Attempts to access blocked or blacklisted websites An observed identity attempts to access websites explicitly blocked by enterprise policy. Such attempts may indicate intentional circumvention of security rules or risky browsing habits that expose the organization to unsafe content. Risky I.0161 Visits confirmed malicious websites An observed identity visits websites confirmed to distribute malware or host phishing pages. These connections create immediate exposure to endpoint compromise and credential theft. Risky I.0162 Visits websites that trigger policy warnings An observed identity attempts to visit websites flagged by enterprise policy due to their risk category or inappropriate content. 
Such activity increases potential legal, reputational, or security risks. Risky I.0163 Visits websites categorized as AI tools An observed identity visits websites categorized as AI tools. While not inherently malicious, this may raise concerns about unmonitored use of AI platforms and possible exposure of sensitive data. I.0164 Spends excessive time on social media websites An observed identity accesses social media platforms with unusual frequency. Excessive use may indicate non-business activity, loss of productivity, or exposure to social engineering threats. I.0165 Visits websites in risky categories An observed identity visits websites categorized as risky by enterprise or industry intelligence. Accessing such sites elevates exposure to malicious content or non-compliant business activity. Risky I.0166 Attempts to visit restricted websites but is blocked An observed identity attempts to connect to restricted websites but is blocked by enterprise controls. Although blocked, such attempts may reflect risky intent or disregard for policy. Risky I.0167 Uses non-business SaaS platforms excessively An observed identity repeatedly uses SaaS platforms unrelated to business needs. This increases the surface area for data mismanagement and introduces risks of shadow IT. Risky I.0168 Transfers high volumes of files to cloud applications An observed identity uploads unusually high volumes of files to cloud applications. Such behavior may indicate intentional data exfiltration or automated bulk transfers outside business norms. Risky I.0169 Signs into corporate apps from unapproved devices or locations An observed identity signs into corporate applications from devices or locations that are not pre-approved. This activity increases the risk of unauthorized access, compromised endpoints, or geolocation-based attacks. Risky I.0170 Uses multiple cloud services with overlapping functionality An observed identity adopts multiple SaaS tools that provide overlapping functions. 
This behavior increases data fragmentation, weakens governance, and raises the risk of unmanaged data exposure. Risky I.0171 Bypasses SSO to access SaaS platforms directly An observed identity accesses SaaS platforms directly without using corporate SSO. This bypass reduces visibility into authentication events and undermines centralized identity controls. Risky I.0172 Accesses cloud applications exclusively via SSO An observed identity consistently accesses SaaS applications only through corporate SSO. This behavior reinforces centralized identity protections and reduces opportunities for credential misuse. Vigilant I.0173 Uses only approved SaaS platforms An observed identity limits SaaS usage exclusively to enterprise-approved platforms. This demonstrates compliance with policy and minimizes risks of shadow IT or unvetted applications. Vigilant I.0174 Reports suspicious browser activity An observed identity reports browser pop-ups, redirects, or other suspicious web activity to security teams. This vigilance supports faster detection and containment of potential threats. Vigilant I.0175 Reports unauthorized or unknown SaaS applications An observed identity flags unfamiliar SaaS applications in use within the environment. Such reporting helps security teams identify shadow IT and mitigate risks tied to unauthorized tools. Vigilant I.0176 Regularly accesses security awareness resources An observed identity frequently accesses internal resources designed for security awareness. This proactive behavior indicates strong engagement with security education and cultural reinforcement. Vigilant I.0177 Submits help desk tickets for blocked or restricted services An observed identity submits IT help desk tickets when encountering blocked or restricted services. Such actions demonstrate compliance with escalation processes rather than circumventing controls. 
Vigilant I.0178 Signs into SaaS applications with multi-factor authentication An observed identity signs into SaaS applications using multi-factor authentication. This provides an additional safeguard against credential theft and strengthens identity assurance. Vigilant I.0179 Downloads documents from unrecognized cloud platforms An observed identity downloads documents from cloud platforms not recognized or approved by IT. This introduces the risk of ingesting malicious content or bypassing enterprise data governance. Risky I.0180 Browses websites in approved safe categories An observed identity primarily browses websites in categories approved as safe for business, such as industry news or research. This indicates lower browsing risk and alignment with corporate policy. I.0181 Uses cloud collaboration tools only during business hours An observed identity limits usage of cloud collaboration tools to normal business hours. This reduces after-hours exposure and may indicate disciplined adherence to organizational policies. I.0182 ### Relevance This category reveals shadow IT usage, risky browsing, and unmanaged cloud interactions that bypass corporate oversight. It provides insight into where enterprise data may flow outside controlled environments. ### Why this matters Practitioners must pay attention because cloud and web use is integral to modern work. Risky practices can expose sensitive data to untrusted platforms, weaken compliance, and broaden the attack surface. ### Consequences of neglect Uncontrolled usage leads to unmonitored data transfers, malware exposure, and regulatory violations. Attackers exploit these blind spots to infiltrate systems or exfiltrate sensitive data. Web & Cloud Usage - Risk Category \| Human Risk Management Framework ## Endpoint Security Overview # Endpoint & Device Security C.06 The condition, posture, and configuration of user devices, including desktops, laptops, and peripherals. 
## Indicators Search Runs unsupported operating system versions An observed identity operates on a platform that no longer receives vendor patches. Unsupported OS versions are high‑value targets for exploit kits and enable persistent attacker footholds. Risky I.0183 Disables endpoint security controls An observed identity turns off core protections like antivirus, EDR, or firewalls. With safeguards disabled, malicious code can execute or persist with limited chance of detection. Risky I.0184 Uses devices without full-disk encryption An observed identity uses a device where storage is left unencrypted. Loss or theft of the hardware would expose local data to unauthorized access. Risky I.0185 Delays software updates repeatedly An observed identity repeatedly postpones OS or application updates. Delayed patching keeps known vulnerabilities exploitable well beyond their disclosure. Risky I.0186 Uses devices with excessive admin privileges An observed identity works with local administrator rights as a norm. Elevated privileges amplify the blast radius of malware and increase risk of unintended system changes. Risky I.0187 Uses devices with unnecessary or risky software An observed identity installs applications linked to security weaknesses (e.g., P2P clients, outdated utilities). Such software expands attack surface and undermines enterprise hardening standards. Risky I.0188 Uses devices with malware detections An observed identity’s endpoint generates multiple malware hits over time. Recurring detections indicate unsafe habits, targeted campaigns, or ineffective remediation. Risky I.0189 Runs files from suspicious or unrecognized USB devices An observed identity launches executables directly from removable media with unclear origin. This behavior bypasses normal vetting and is a common malware entry path. 
Risky I.0190 Uses devices that communicate with command-and-control infrastructure An observed identity’s device exchanges traffic with infrastructure associated with threat actors. Command‑and‑control communication typically reflects active compromise and remote tasking. Risky I.0191 Downloads and executes malicious files An observed identity obtains and runs files verified as malicious by threat intelligence. Executing known bad artifacts presents immediate compromise risk and possible spread to peers. Risky I.0192 Uses devices exhibiting lateral movement behaviors An observed identity’s endpoint initiates unusual connections to internal systems. Such patterns are consistent with post‑exploitation movement to broaden access and locate valuable data. Risky I.0193 Uses devices missing critical patches An observed identity operates a device missing critical security patches past service windows. Unpatched systems are susceptible to commodity exploits and automated scanning attacks. Risky I.0194 Runs unsupported legacy applications An observed identity relies on enterprise applications that no longer receive fixes. Legacy software preserves known defects and creates long‑term maintenance liabilities. Risky I.0195 Delays reboots after patch installation An observed identity defers required restarts after applying updates. Until rebooted, protections remain inactive and exposure persists despite patch installation. Risky I.0196 Installs unapproved software An observed identity installs software that has not been sanctioned by IT. Unsanctioned tools evade governance, may contain unwanted components, and complicate incident response. Risky I.0197 Runs portable applications from external drives An observed identity executes portable binaries from external media to sidestep installation rules. This technique can evade monitoring and introduce unvetted code. 
Risky I.0198 Uses personal devices for enterprise work without enrollment An observed identity connects to corporate resources from personal hardware outside device management controls. Non‑enrolled devices lack assurance of patching, encryption, and endpoint protection. Risky I.0199 Connects to unknown USB peripherals An observed identity attaches unfamiliar USB storage or input devices. Unknown peripherals can deliver malware, implant firmware, or exfiltrate data. Risky I.0200 Uses devices that boot from removable media An observed identity initiates boot from external media. Doing so can defeat OS‑level controls and enable installation of unauthorized systems. Risky I.0201 Charges devices from untrusted USB sources An observed identity charges equipment via untrusted USB power sources such as kiosks. Such connections risk juice‑jacking and malicious firmware exposure. Risky I.0202 Stores sensitive data in unprotected local folders An observed identity keeps regulated or sensitive files on local storage without protection. Lack of encryption and access controls increases theft and insider misuse risk. Risky I.0203 Copies sensitive data to removable media An observed identity moves confidential content onto removable storage. External media create shadow data channels that are difficult to monitor or recall. Risky I.0204 Transfers sensitive content via clipboard An observed identity copies sensitive information between systems using the clipboard. Clipboard buffers can be harvested by other applications or synced to unintended destinations. Risky I.0205 Uses devices observed to frequently visit risky websites An observed identity demonstrates repeated browsing to malicious or high‑risk categories. Frequent exposure raises the likelihood of drive‑by downloads and phishing success. Risky I.0206 Disables screen lock or timeout An observed identity disables automatic locking on their device. Unattended sessions become accessible to anyone with physical proximity. 
Risky I.0207 Leaves devices unlocked in public or shared spaces An observed identity leaves endpoints unlocked in public or shared areas. This invites opportunistic access to data and credentials. Risky I.0208 Uses jailbroken or rooted mobile devices for work An observed identity connects modified mobile devices that bypass platform protections. Jailbroken or rooted endpoints are easier to compromise and harder to trust. Risky I.0209 Installs remote access tools without approval An observed identity installs remote control utilities without authorization. Unapproved remote access creates potential backdoors and increases takeover risk. Risky I.0210 Runs browser-based games or crypto mining on work devices An observed identity runs browser games or crypto‑mining scripts on corporate hardware. These workloads degrade performance, attract malware, and violate acceptable‑use policies. Risky I.0211 Operates outdated device models with unsupported hardware An observed identity uses aging hardware that no longer receives firmware or driver updates. Unsupported devices accumulate unpatched flaws and operational risk. Risky I.0212 Installs software updates promptly after release An observed identity applies patches promptly after release. Rapid updating shortens the window during which new vulnerabilities can be exploited. Vigilant I.0213 Locks devices during inactivity An observed identity consistently locks screens when stepping away. Enforcing idle protection reduces physical and shoulder‑surfing exposure. Vigilant I.0214 Isolates devices immediately after suspicious behavior An observed identity quickly disconnects or isolates a suspected‑compromised machine. Early containment limits spread and accelerates incident handling. Vigilant I.0215 Uninstalls unused or risky software proactively An observed identity removes unnecessary or risky applications proactively. Continuous pruning shrinks attack surface and improves device hygiene. 
Vigilant I.0216 Uses devices with full-disk encryption An observed identity maintains encryption enabled across assigned endpoints. Persistent full‑disk protection mitigates data loss from theft or decommissioning. Vigilant I.0217 Uses only approved USB devices for file transfers An observed identity uses only organization‑approved USB media. Trustworthy devices reduce malware introduction and uncontrolled data movement. Vigilant I.0218 Responds to EDR warnings before IT intervention An observed identity acts on EDR alerts without waiting for IT. Timely self‑remediation curtails dwell time and demonstrates security awareness. Vigilant I.0219 Avoids running executables from unverified sources An observed identity avoids executing unsigned or untrusted programs. Exercising caution with binaries reduces the risk of installing malware. Vigilant I.0220 Maintains baseline system configurations An observed identity preserves default security baselines such as firewall and UAC settings. Maintaining hardened configurations sustains intended control efficacy. Vigilant I.0221 Engages with endpoint health check tools proactively An observed identity willingly participates in posture scans and health checks. Proactive engagement supports continuous compliance and hardening. Vigilant I.0222 ### Relevance Endpoints are frequent attack targets, and their security posture directly impacts enterprise resilience. Monitoring patching, malware detections, and device settings reveals both vulnerabilities and compliance gaps. ### Why this matters This matters because insecure devices are often exploited as entry points for lateral movement. Ensuring device integrity helps organizations prevent compromises and sustain a secure baseline. ### Consequences of neglect Unaddressed weaknesses in endpoint security leave enterprises exposed to ransomware, malware persistence, and data theft, often leading to widespread operational disruption. 
Endpoint & Device Security - Risk Category \| Human Risk Management Framework ## Physical Security Risks # Physical Security C.07 How individuals interact with physical spaces and assets to protect sensitive environments. ## Indicators Search Badges in without badging out An observed identity enters a facility without recording corresponding exits. This anomaly may suggest tailgating, improper badge use, or manipulation of physical access systems, weakening accountability and complicating incident investigations. Risky I.0223 Badges out without prior badge in An observed identity records exit events without prior corresponding entries. This may indicate badge misuse, shared credentials, or physical security bypass, eroding the reliability of facility occupancy records. Risky I.0224 Allows additional person to enter without authorization An observed identity permits another person to enter a secure area without individual authorization. This behavior, often known as tailgating or piggybacking, increases the risk of unmonitored access and potential insider threats. Risky I.0225 Holds secure door open beyond expected duration An observed identity leaves a secure door open longer than standard thresholds allow. Extended open states can enable unauthorized entry, reduce the effectiveness of access controls, and compromise sensitive areas. Risky I.0226 Attempts to access unauthorized areas with badge An observed identity attempts to enter restricted areas where they lack clearance. Multiple denied access attempts may indicate insider reconnaissance, policy violations, or a compromised badge. Risky I.0227 Accumulates excessive denied access attempts An observed identity generates an unusual volume of denied badge attempts compared to peers or baseline patterns. Elevated denial rates can indicate credential misuse, privilege escalation attempts, or insider threat activity. 
Risky I.0228 Accesses facilities more frequently than expected An observed identity enters facilities at a frequency significantly above normal baselines. Excessive access may point to reconnaissance, data theft preparation, or circumvention of established duty patterns. Risky I.0229 Accesses facilities outside expected hours An observed identity accesses facilities at unusual hours, such as late nights or holidays. Off-hours access may suggest malicious intent, compromised credentials, or attempts to avoid detection. Risky I.0230 Accesses facilities using unexpected badge An observed identity appears in secure areas without matching badge activity, detected through surveillance or analytics. This discrepancy may signal badge cloning, credential sharing, or physical bypass of access controls. Risky I.0231 Accesses facilities while on leave An observed identity enters facilities despite being on documented leave. This misalignment with HR records can indicate credential misuse, insider risk, or a failure in badge deactivation processes. Risky I.0232 Accesses facilities after offboarding An observed identity gains facility access after termination or offboarding. This indicates serious deprovisioning failures, potential insider threats, or unauthorized continued access. Risky I.0233 Accesses multiple facilities simultaneously An observed identity records badge activity in multiple facilities or zones at the same time. This physical impossibility may suggest cloned credentials, badge sharing, or manipulation of access logs. Risky I.0234 Visits sensitive zones for unusually short durations An observed identity repeatedly enters sensitive zones but departs after very short intervals. Such patterns can indicate reconnaissance, insider scouting, or attempts to avoid detection while gathering information. 
Risky I.0235 Loiters in sensitive zones beyond expected durations An observed identity spends abnormally long periods in sensitive areas compared to typical usage patterns. Extended dwell time may suggest unauthorized activities, staging of insider operations, or preparation for data theft. Risky I.0236 Appears onsite while also appearing remote An observed identity shows simultaneous presence onsite and remote logins. This anomaly may reveal credential compromise, session hijacking, or inaccurate identity tracking across systems. Risky I.0237 Fails to display badge when onsite An observed identity is present onsite without visibly displaying their badge. This undermines visual security protocols, complicates identity verification, and increases the risk of unauthorized individuals blending in. Risky I.0238 Sponsors visitors more frequently than expected An observed identity sponsors visitors at a frequency exceeding typical baselines. Unusual sponsorship volume may indicate lax adherence to visitor vetting, facilitation of unauthorized access, or potential collusion. Risky I.0239 Attempts to sponsor unauthorized visitors An observed identity attempts to authorize visitors who are barred from access. This activity signals potential negligence, insider collusion, or efforts to bypass visitor controls. Risky I.0240 Fails to respond appropriately during security drills An observed identity does not follow required actions during emergency or security drills. Poor compliance undermines readiness, increases vulnerability during real incidents, and signals weak security culture. Risky I.0241 Fails clean desk policy audit An observed identity leaves sensitive information unsecured during a clean desk audit. Exposure of confidential data in shared or open spaces increases risks of data leakage, insider misuse, or compliance violations. Risky I.0242 ### Relevance This category maps non-digital access risks such as tailgating, badge misuse, or leaving devices unattended. 
It connects physical behaviors with digital exposure potential. ### Why this matters Physical controls are often overlooked but remain essential. An attacker with physical access can bypass digital protections entirely. Practitioners must ensure physical and cyber practices align. ### Consequences of neglect Weak physical security results in device theft, insider threat activity, and unauthorized access to sensitive data centers or workspaces, undermining all other layers of defense. Physical Security - Risk Category \| Human Risk Management Framework ## Social Engineering Risks # Social Engineering Risks C.08 How attackers exploit human psychology through tactics such as fear, trust, urgency, or overconfidence. ## Indicators Search Demonstrates susceptibility to authority exploitation An observed identity complies with fraudulent requests framed as coming from authority figures. Attackers exploit hierarchical trust (e.g., impersonating executives or IT staff) to coerce actions like fund transfers or system access, bypassing normal verification and governance processes. Risky I.0243 Demonstrates susceptibility to urgency and scarcity pressure An observed identity makes decisions under fabricated urgency or scarcity. Adversaries manufacture crises or time-limited opportunities to push hasty responses, leading to actions such as rushed approvals, insecure credential entry, or bypassing established controls. Risky I.0244 Demonstrates susceptibility to fear and intimidation An observed identity alters behavior due to threats or intimidation. Attackers leverage fear of punishment, loss, or exposure to override rational judgment, compelling risky actions like disclosing sensitive data or authorizing unauthorized access. Risky I.0245 Demonstrates susceptibility to trust and familiarity abuse An observed identity places trust in communications or interactions that appear familiar. 
Exploitation of trusted relationships enables adversaries to bypass skepticism, securing sensitive information or network access under the guise of legitimacy. Risky I.0246 Demonstrates susceptibility to reciprocity and obligation An observed identity feels compelled to reciprocate after receiving favors or perceived benefits. Attackers exploit this obligation bias by offering gifts, free tools, or assistance that subtly pressure the target to provide credentials, access, or other sensitive concessions. Risky I.0247 Demonstrates susceptibility to curiosity and novelty triggers An observed identity engages with content crafted to exploit curiosity or novelty. Lures such as leaked documents, sensational topics, or “secret” files trick targets into opening malicious links or files, exposing enterprise systems to compromise. Risky I.0248 Demonstrates susceptibility to greed and reward motivation An observed identity is motivated by promises of personal gain. Attackers leverage incentives such as prize offers, gift cards, or fraudulent investments to encourage disclosure of credentials or execution of unsafe actions, risking data loss or fraud. Risky I.0249 Demonstrates susceptibility to empathy and helpfulness An observed identity acts out of compassion or helpfulness without verifying legitimacy. Adversaries stage emergencies (e.g., stranded coworkers, distressed callers) to gain unauthorized access, exploit privileged systems, or elicit sensitive data. Risky I.0250 Demonstrates susceptibility to commitment and consistency An observed identity complies with escalating requests after an initial concession. Attackers exploit psychological pressure to “stay consistent,” moving from minor harmless asks to major compromises such as sharing passwords or granting privileged access. Risky I.0251 Demonstrates susceptibility to social proof and herd mentality An observed identity complies with requests framed as widely accepted or socially validated. 
Attackers exploit herd mentality, claiming that peers or leadership already took similar actions, reducing resistance and leading to risky behaviors like mass credential submission. Risky I.0252 Demonstrates susceptibility to overconfidence exploitation An observed identity is deceived despite believing they are invulnerable to manipulation. Overconfidence makes the target more likely to overlook warning signs, fall for fake “tests” or challenges, and inadvertently compromise enterprise security. Risky I.0253 Demonstrates susceptibility to fatigue and cognitive overload An observed identity succumbs to attacker persistence when overwhelmed. Adversaries exploit fatigue or information overload (e.g., MFA push bombing) to force acceptance of malicious requests, bypassing layered defenses. Risky I.0254 Demonstrates susceptibility to fear of missing out (FOMO) An observed identity responds to offers framed as exclusive or time-sensitive. Adversaries play on fear of missing opportunities to provoke rushed engagement, leading to disclosure of sensitive information or activation of unsafe processes. Risky I.0255 Demonstrates susceptibility to sympathy manipulation An observed identity makes decisions based on compassion or sympathy. Adversaries exploit humanitarian instincts through fabricated causes, disaster relief scams, or emotional stories, resulting in financial fraud or unauthorized access. Risky I.0256 Demonstrates susceptibility to pretexting deception An observed identity accepts false narratives crafted to justify attacker requests. By posing as auditors, regulators, or service staff, adversaries use pretexting to rationalize access to credentials, systems, or sensitive data, bypassing normal scrutiny. Risky I.0257 ### Relevance This category exposes susceptibility to manipulative techniques that prey on psychological vulnerabilities or cognitive biases to bypass technical defenses entirely. 
Social engineering isn't about a channel or attack vector, rather the exploitation of psychological vulnerabilities regardless of medium. Visibility into social engineering susceptibility allows organizations to predict and mitigate how individuals may respond under pressure. ### Why this matters This matters because people remain the most targeted element in cyberattacks. Recognizing which tactics are most effective against a workforce enables security leaders to craft stronger defenses and tailored awareness programs. ### Consequences of neglect Without mitigation, attackers can exploit psychological vulnerabilities to steal credentials, move laterally, or exfiltrate data, resulting in severe breaches. Social Engineering Risks - Risk Category \| Human Risk Management Framework ## Incident Response Readiness # Incident Response Readiness C.09 How effectively individuals report, escalate, and participate in incident response processes. ## Indicators Search Files incident tickets without actionable evidence An observed identity opens incidents lacking repro steps, time bounds, or artifacts, slowing triage and inflating MTTR. Risky I.0258 Misroutes or mislabels incident severity An observed identity assigns incorrect severity or routes to the wrong resolver group, creating rework and detection delays. Risky I.0259 Misclassifies or overuses incident reporting channels An observed identity generates excessive or misclassified incident tickets, which contributes to alert fatigue, obscures true threats among noise, and reduces the efficiency of security operations teams. Risky I.0260 Fails to recognize or detect security threats An observed identity consistently misses signs of compromise or social engineering during testing or real events, highlighting gaps in security awareness that leave the organization vulnerable to preventable attacks. 
Risky I.0261 Deviates from documented incident reporting workflows An observed identity bypasses established incident reporting processes, ignoring required workflows or controls, which leads to inconsistent handling, lost context, and diminished organizational readiness against real threats. Risky I.0262 Demonstrates gaps in incident participation or coordination An observed identity fails to coordinate effectively during incident response, neglecting collaboration, responsibility-sharing, or knowledge transfer, which weakens team resilience and slows down collective response. Risky I.0263 Delays or fails to complete assigned security training consistently An observed identity repeatedly misses deadlines for required security training or certifications, leaving critical knowledge gaps unaddressed and creating long-term risk to organizational resilience. Risky I.0264 Circumvents or evades security training platforms An observed identity circumvents training systems, such as skipping modules or finding shortcuts to mark content complete, resulting in minimal comprehension and a false sense of compliance with security requirements. Risky I.0265 Completes security awareness training with low engagement An observed identity superficially completes training modules with minimal interaction, indicating poor knowledge retention and leaving them ill-prepared to recognize or respond to real-world security threats. Risky I.0266 Completes training misaligned with role or risk responsibilities An observed identity completes training that does not match their job responsibilities or access level, leaving gaps in coverage for critical risk areas and undermining the effectiveness of the organization’s overall training program. Risky I.0267 Ignores or delays pager acknowledgments beyond SLA An observed identity fails to acknowledge urgent alerts on time, extending dwell time and delaying coordinated response. 
Risky I.0268 Creates duplicate incident tickets for the same event An observed identity opens redundant tickets for a single issue, fragmenting context and wasting analyst cycles. Risky I.0269 Shares incident details in public or unsanctioned channels An observed identity discusses sensitive incident details in open forums or DMs, risking data leakage and loss of evidentiary record. Risky I.0270 Performs containment without documenting actions An observed identity takes ad‑hoc response steps without recording rationale or timing, complicating forensics and PIR accuracy. Risky I.0271 Submits malformed or context‑free indicators An observed identity provides IOCs without format or context, causing rule errors and wasted hunting time. Risky I.0272 Mishandles or overwrites incident evidence An observed identity alters or loses key artifacts (e.g., reimages host before imaging), degrading investigative fidelity. Risky I.0273 Bypasses controls citing business urgency without approval An observed identity disables controls or delays patches without authorization, expanding the attack window during response. Risky I.0274 Fails to complete post‑incident actions An observed identity leaves remediation items open or overdue, allowing repeat incidents and audit findings. Risky I.0275 Declines or minimally engages in incident simulations An observed identity skips drills or participates passively, limiting readiness and weakening muscle memory. Risky I.0276 Embeds secrets or PII in free‑text fields An observed identity pastes credentials or patient data into unprotected notes, creating privacy and breach risk. Risky I.0277 Misses regulatory or customer notification triggers An observed identity overlooks notifiable events, increasing liability and contractual exposure. Risky I.0278 Acknowledges pager alerts within SLA An observed identity acknowledges high‑priority pages within defined SLAs, reducing time to triage and accelerating containment. 
Vigilant I.0279 Escalates incidents correctly on first attempt An observed identity routes critical incidents to the right team and severity on first pass, minimizing handoff latency. Vigilant I.0280 Attaches relevant evidence to incident tickets An observed identity includes logs, screenshots, hashes, and timestamps that enable rapid reproduction and triage. Vigilant I.0281 Correlates related alerts into a single incident An observed identity links duplicate or related alerts into one case, improving signal‑to‑noise and analyst focus. Vigilant I.0282 Uses approved channels for incident coordination An observed identity coordinates in sanctioned war‑room channels with logging and retention, preserving auditability. Vigilant I.0283 Documents containment actions with timestamps An observed identity records who did what and when (e.g., blocks, quarantines), enabling audit and rollback if needed. Vigilant I.0284 Provides high‑quality indicators of compromise An observed identity supplies normalized IOCs (hashes, IPs, domains) with context and dwell windows to drive detections. Vigilant I.0285 Follows playbooks and SOAR runbooks as written An observed identity executes documented steps for the scenario, reducing variance and human error under pressure. Vigilant I.0286 Preserves chain of custody for digital evidence An observed identity collects and stores artifacts with integrity controls, enabling admissible investigation outcomes. Vigilant I.0287 Requests emergency exceptions with proper approval An observed identity seeks time‑bound exceptions (e.g., control bypass) through formal approval paths with rollback criteria. Vigilant I.0288 Completes post‑incident action items on time An observed identity closes assigned PIR actions before due dates, preventing regression and strengthening controls. 
Vigilant I.0289 Leads effective incident handoffs across shifts An observed identity provides concise status, risks, and next steps, preventing stall during follow‑the‑sun operations. Vigilant I.0290 Participates in incident simulations with high engagement An observed identity actively practices playbooks, surfaces gaps, and applies learnings to production response. Vigilant I.0291 Uses secure storage for sensitive ticket data An observed identity stores secrets, PII/PHI, or regulated data in approved fields and vaults with retention controls. Vigilant I.0292 Requests timely legal/compliance notification when required An observed identity flags potential regulatory triggers (e.g., breach thresholds), enabling timely counsel engagement. Vigilant I.0293 ### Relevance The category captures frontline defense behaviors, including accurate ticketing, timely escalations, and participation in drills. It reveals readiness to detect, contain, and recover from threats. ### Why this matters Practitioners care because detection and containment speed determines breach impact. Strong human response readiness complements automated detection tools and reduces mean time to respond. ### Consequences of neglect If ignored, delays in detection, poor escalation, or lack of participation result in uncontrolled spread of threats, failed compliance obligations, and greater financial and reputational damage. Incident Response Readiness - Risk Category \| Human Risk Management Framework ## Remote Work Security Risks # Remote Work Risk C.10 How individuals manage security while working outside traditional office environments. ## Indicators Search Uses shared home device to access corporate systems An observed identity accesses corporate systems from a shared home device not under enterprise management. This increases exposure to malware, data leakage, and unauthorized access since other household members may use the same system. 
Risky I.0294 Logs in during unusual remote work hours An observed identity accesses corporate systems at unusual hours that deviate from expected work patterns. Such activity may indicate account compromise, misuse, or attempts to avoid detection. Risky I.0295 Generates repeated remote login failures An observed identity generates repeated remote login failures, suggesting possible brute-force activity, credential reuse, or attempts by unauthorized actors to compromise the account. Risky I.0296 Shares corporate credentials with household members An observed identity shares enterprise login credentials with household members. This undermines accountability, weakens identity assurance, and exposes corporate systems to uncontrolled access. Risky I.0297 Fails device posture checks during remote access An observed identity attempts remote access from a device that fails posture checks such as missing patches or outdated OS versions. This increases exposure to known vulnerabilities and unmanaged risk. Risky I.0298 Rarely connects to device management platform An observed identity rarely connects devices to endpoint management systems during remote work. This lack of telemetry reduces IT visibility, delays patch deployment, and creates blind spots for incident response. Risky I.0299 Delays applying patches while remote An observed identity delays applying software or OS patches while remote. This prolongs the vulnerability window and increases exposure to active exploitation campaigns. Risky I.0300 Disables device encryption outside office environments An observed identity disables disk encryption while remote, exposing stored data to theft or compromise if the device is lost or stolen. Risky I.0301 Uses unmanaged personal device for corporate access An observed identity uses personal devices not enrolled in enterprise controls to access corporate systems, bypassing monitoring, patch enforcement, and data protection policies. 
Risky I.0302 Copies corporate files to personal devices or media An observed identity transfers sensitive or regulated enterprise data to personal devices or removable media, bypassing data governance and creating risks of exfiltration. Risky I.0303 Accesses work apps from consumer devices An observed identity accesses corporate applications from consumer devices such as smart TVs or gaming consoles. These unmanaged platforms increase attack surface and bypass enterprise security controls. Risky I.0304 Installs unapproved remote access tools An observed identity installs unsanctioned remote access tools, creating unauthorized backdoors and bypassing enterprise visibility and logging mechanisms. Risky I.0305 Reuses home network credentials on corporate systems An observed identity reuses home or shared Wi-Fi credentials for enterprise accounts, weakening password hygiene and exposing systems to credential compromise. Risky I.0306 Configures auto-forwarding of work email to personal accounts An observed identity configures auto-forwarding of corporate emails to personal accounts, bypassing enterprise monitoring and enabling unmonitored data exfiltration. Risky I.0307 Shares sensitive data during screen sharing sessions An observed identity shares screens in remote meetings without restricting sensitive windows, creating risks of unintentional disclosure of confidential data. Risky I.0308 Records meetings without participant consent An observed identity records remote meetings without participant consent, creating regulatory risks and the possibility of sensitive data being stored outside secure repositories. Risky I.0309 Posts sensitive content in unsecured chat applications An observed identity pastes sensitive data into consumer-grade chat tools, bypassing enterprise controls and creating risks of exposure or compliance violations. 
Risky I.0310 Works remotely without connecting to VPN An observed identity works remotely without using the corporate VPN, reducing visibility for defenders, weakening encryption, and increasing exposure to man-in-the-middle attacks. Risky I.0311 Uses shared household accounts on corporate devices An observed identity uses shared household accounts on corporate systems, undermining accountability and making activity attribution difficult. Risky I.0312 Establishes simultaneous VPN sessions from different locations An observed identity establishes simultaneous VPN sessions from geographically distant locations, indicating possible account compromise or session hijacking. Risky I.0313 Uses outdated or insecure VPN protocols An observed identity connects using legacy or insecure VPN protocols, weakening encryption standards and exposing sessions to interception. Risky I.0314 Leaves work device unattended in public places An observed identity leaves corporate devices unattended in public spaces, increasing the likelihood of theft, tampering, or physical compromise. Risky I.0315 Enables video or audio in non-private settings An observed identity uses video or audio in public locations during meetings, risking inadvertent exposure of sensitive conversations or surroundings. Risky I.0316 Views sensitive data on screen in public areas An observed identity views confidential material on screen in public areas where bystanders may capture the content, creating inadvertent disclosure risks. Risky I.0317 Displays sensitive data on external monitors in public An observed identity projects sensitive data onto external monitors in public spaces, increasing the visibility of confidential material to unauthorized observers. Risky I.0318 Connects from unsecured or unknown Wi-Fi networks An observed identity connects from unsecured or unknown Wi-Fi networks, exposing communications to interception and session hijacking. 
Risky I.0319 Connects from geolocations inconsistent with work profile An observed identity connects from unusual or high-risk geolocations inconsistent with their work profile, suggesting account compromise or suspicious travel patterns. Risky I.0320 Uses open Wi-Fi networks without VPN An observed identity repeatedly accesses corporate resources from open Wi-Fi networks without VPN, leaving traffic unencrypted and vulnerable to interception. Risky I.0321 Uses corporate VPN consistently during remote work An observed identity consistently uses the corporate VPN while remote, ensuring encrypted communications and maintaining enterprise visibility. Vigilant I.0322 Applies privacy measures when working in shared spaces An observed identity applies privacy measures such as screen filters or private locations when working remotely, reducing risk of visual data exposure. Vigilant I.0323 Validates Wi-Fi security before connecting remotely An observed identity validates Wi-Fi security settings before connecting, ensuring encrypted communications and reducing exposure to rogue access points. Vigilant I.0324 Avoids printing or transporting sensitive documents An observed identity avoids printing or transporting sensitive documents outside enterprise environments, reducing the likelihood of physical data breaches. Vigilant I.0325 Uses blurred or virtual backgrounds during video calls An observed identity uses blurred or virtual backgrounds during video calls, preventing inadvertent disclosure of sensitive or personal environments. Vigilant I.0326 Connects regularly to device management platform while remote An observed identity ensures regular device check-ins with corporate device management platform during remote work, maintaining compliance and reducing monitoring blind spots. Vigilant I.0327 Uses encrypted platforms for file sharing An observed identity uses encrypted and sanctioned file-sharing platforms, ensuring confidentiality and auditability of sensitive materials. 
Vigilant I.0328 Restricts email use to enterprise-managed accounts An observed identity restricts all email use to enterprise-managed accounts, reducing the risk of data leakage and improving monitoring. Vigilant I.0329 Reviews remote work security policies regularly An observed identity regularly reviews and acknowledges remote work security policies, reinforcing compliance and awareness. Vigilant I.0330 Keeps personal and corporate accounts strictly separated An observed identity maintains strict separation of personal and corporate accounts, reducing accidental crossover and maintaining policy compliance. Vigilant I.0331 ### Relevance This category highlights risks from insecure networks, unmanaged devices, and blurred boundaries between personal and professional use. It emphasizes the need for consistent controls regardless of location. ### Why this matters This matters because remote work dissolves the enterprise perimeter. Organizations must account for distributed risk where visibility and enforcement are harder to maintain. ### Consequences of neglect Neglecting this category leads to increased exposure to credential theft, malware infection via public Wi-Fi, data leakage, and regulatory non-compliance. Remote Work Risk - Risk Category \| Human Risk Management Framework ## Digital Exposure Risk # Digital Exposure Risk C.11 How much sensitive personal or professional information about individuals is publicly available online. ## Indicators Search Appears in recent breach with corporate email An observed identity’s corporate email is present in a newly disclosed credential dump, increasing risk of targeted phishing and credential stuffing. Risky I.0332 Appears in multiple breaches within recent time period An observed identity shows repeated credential exposure across unrelated incidents, indicating persistent targeting or poor credential hygiene. 
Risky I.0333 Reuses exposed passwords across accounts Passwords tied to an observed identity match across separate dumps or stealer logs, raising the likelihood of account takeover via credential stuffing. Risky I.0334 Uses password pattern similar to exposed passwords Newly cracked strings show predictable variants of previously exposed passwords (e.g., year flips), reducing brute‑force effort required. Risky I.0335 Rotates credentials promptly after exposures After a breach hit, an observed identity resets affected credentials within defined SLAs, reducing window of exploitability. Vigilant I.0336 Appears in infostealer logs with corporate cookies Stealer telemetry lists valid session cookies for corporate apps, enabling silent account hijack without credentials. Risky I.0337 Exposes recovery codes or OTP seeds in stealer logs MFA recovery codes or TOTP secrets for an observed identity appear in logs, rendering MFA ineffective. Risky I.0338 Exposes corporate OAuth tokens or refresh tokens Token artifacts tied to corporate apps surface in dumps, enabling API access outside normal controls. Risky I.0339 Appears in stealer logs with browser auto‑fill data Saved credentials and PII from browser auto‑fill are harvested, widening abuse paths across services. Risky I.0340 Revokes exposed sessions and tokens within SLA After session/token exposure, an observed identity’s sessions get terminated promptly, limiting dwell time. Vigilant I.0341 Exposes API keys or cloud credentials in public repos Keys tied to an observed identity appear in public code or gists, enabling direct access to infrastructure or data. Risky I.0342 Exposes SSH private keys or key material Private keys associated to an observed identity are found in dumps or repos, allowing unauthorized host access. Risky I.0343 Removes exposed secrets within remediation SLA An observed identity eliminates public secrets and rotates dependent credentials quickly, shrinking exploit windows. 
Vigilant I.0344 Exposes personal identifiers linked to corporate identity PII (DOB, phone, address) tied to a corporate email surfaces in breach sets, enabling convincing social‑engineering and account resets. Risky I.0345 Exposes security questions and answers Challenge‑response pairs associated with an observed identity appear in dumps, weakening fallback authentication. Risky I.0346 Exposes government ID images or numbers High‑value identity documents (license, passport, SSN/TIN) are discovered, enabling impersonation and high‑impact fraud. Risky I.0347 Appears in SIM‑swap or account takeover chatter Threat‑actor forums reference the identity with telecom details or swap requests, increasing immediate ATO risk. Risky I.0348 Requests takedown for personal data exposures An observed identity initiates or supports takedown for doxxed PII, reducing persistence of exploitable data. Vigilant I.0349 Is impersonated by lookalike social or messaging accounts Adversaries create profiles mimicking an observed identity to harvest credentials or direct payments from coworkers. Risky I.0350 Is targeted in ransomware or extortion leak posts Leak sites or auction posts mention the identity or showcase their data, signaling heightened coercion risk. Risky I.0351 Is listed in company access for sale offers Dark‑web ads claim to sell access linked to the identity’s role or credentials, suggesting compromise or insider risk. Risky I.0352 Reports impersonation promptly via official channels An observed identity routes impersonation findings to security quickly, enabling fast takedown and comms control. Vigilant I.0353 Posts corporate data to paste sites or public bins Corporate snippets (keys, queries, customer data) attributed to the identity appear on paste services, enabling rapid replication. Risky I.0354 Shares internal documents on public file hosts Public file‑sharing links tied to the identity expose internal content beyond intended audiences. 
Risky I.0355 Removes public links and rotates exposed data quickly Publicly exposed links attributable to the identity are revoked and contents rotated within policy SLAs, limiting reach. Vigilant I.0356 Publishes contact details enabling high‑fidelity lures Public profiles list role, calendar, or org charts tied to the identity, improving attacker pretext quality. Risky I.0357 Suppresses public footprint of sensitive contact data The identity minimizes public exposure of corporate contact routes (direct dials, personal emails), lowering spear‑phish precision. Vigilant I.0358 Appears in breaches of critical third‑party vendors Vendor incidents include the identity’s credentials or PII, expanding indirect paths to enterprise compromise. Risky I.0359 Uses unique credentials across vendor portals Credentials observed at third parties differ from enterprise accounts, reducing cross‑site compromise risk. Vigilant I.0360 Acknowledges breach‑intel notifications within SLA The identity responds to exposure alerts rapidly, enabling faster resets and takedowns. Vigilant I.0361 Ignores breach‑intel notifications beyond SLA The identity fails to act on exposure alerts, leaving exploitable credentials or data active. Risky I.0362 Confirms credential reset for exposed accounts Downstream IdP logs show password changes or factor resets tied to the reported exposure. Vigilant I.0363 ### Relevance This category assesses exposure through breaches, leaks, or open-source intelligence that adversaries can weaponize. It shows how digital footprints affect enterprise attack surface. ### Why this matters This matters because attackers increasingly exploit personal information to craft targeted campaigns. Understanding digital exposure helps prioritize protection and employee education. ### Consequences of neglect If unmanaged, digital exposure provides adversaries with the intelligence needed for identity theft, spear phishing, and tailored attacks that bypass traditional defenses. 
## Mobile Security Risks
# Mobile Security C.12
How individuals use and secure smartphones and tablets for work purposes.

## Indicators
- **Operates rooted or jailbroken mobile device**: An observed identity uses a rooted or jailbroken device, bypassing built-in OS safeguards and exposing the endpoint to malware, data theft, and unmonitored changes that weaken enterprise security controls. (Risky, I.0364)
- **Disables full-disk encryption on mobile device**: An observed identity disables or fails to enable full-disk encryption, leaving sensitive enterprise data vulnerable to exposure in the event of device theft, loss, or unauthorized physical access. (Risky, I.0365)
- **Connects mobile device to untrusted Wi-Fi**: An observed identity connects to an untrusted or malicious Wi-Fi network, exposing communications to interception, spoofing, or man-in-the-middle attacks that can compromise enterprise data and credentials. (Risky, I.0366)
- **Fails to maintain secure VPN tunnel on mobile device**: An observed identity fails to establish or maintain a secure VPN tunnel, leaving sensitive traffic unencrypted and significantly reducing the enterprise's ability to monitor and protect remote connections. (Risky, I.0367)
- **Installs sideloaded or unapproved applications on mobile device**: An observed identity installs apps from untrusted sources outside sanctioned stores, increasing the likelihood of introducing malware, spyware, or unauthorized software into the enterprise environment. (Risky, I.0368)
- **Grants excessive mobile app permissions**: An observed identity installs or uses apps with permissions beyond their intended purpose, raising the risk of data misuse, surveillance, or privilege abuse that can expose corporate information. (Risky, I.0369)
- **Exhibits SIM swap indicators**: An observed identity's device shows signs of SIM replacement or reassignment, suggesting a possible SIM swap attack that could allow adversaries to hijack communications or intercept MFA tokens. (Risky, I.0370)
- **Removes or tampers with MDM profile**: An observed identity removes or alters the mobile device management (MDM) profile, disabling enterprise oversight and weakening the ability to enforce compliance and detect threats on the device. (Risky, I.0371)
- **Operates mobile device from restricted geolocation**: An observed identity operates a device in a prohibited or high-risk geography, which may conflict with policy and expose the enterprise to heightened regulatory, espionage, or compliance risks. (Risky, I.0372)
- **Lacks remote wipe capability on mobile device**: An observed identity's device lacks remote wipe capability, preventing security teams from remotely erasing sensitive data if the device is lost, stolen, or compromised. (Risky, I.0373)
- **Runs mobile device with preinstalled riskware**: An observed identity uses a device containing manufacturer-installed riskware or malicious firmware, which undermines trust in the endpoint and increases the attack surface for adversaries. (Risky, I.0374)
- **Adheres to authorized mobile device maintenance**: An observed identity follows authorized device maintenance practices, applying only official updates, reporting anomalies, and avoiding unapproved modifications that could compromise endpoint integrity. (Vigilant, I.0375)
- **Applies security patches on mobile device**: An observed identity applies patches promptly, ensuring mobile operating systems and apps remain up to date and reducing exposure to publicly known vulnerabilities. (Vigilant, I.0376)
- **Maintains secure bootloader configuration on mobile device**: An observed identity maintains a locked bootloader and prevents unauthorized firmware installation, preserving device integrity and ensuring compliance with enterprise configuration baselines. (Vigilant, I.0377)
- **Practices safe public Wi-Fi usage on mobile device**: An observed identity connects to trusted Wi-Fi networks and uses a VPN when on public networks, reducing exposure to interception and reporting anomalies that could indicate rogue hotspots. (Vigilant, I.0378)
- **Installs apps on mobile device only from trusted sources**: An observed identity installs applications exclusively from approved sources, avoiding side-loading and reporting anomalies, thereby limiting malware risk and maintaining enterprise compliance. (Vigilant, I.0379)
- **Adheres to secure BYOD policies**: An observed identity follows secure BYOD practices, enrolling personal devices into MDM and consenting to endpoint controls, ensuring corporate visibility and protection of sensitive resources. (Vigilant, I.0380)
- **Applies least privilege to app permissions on mobile device**: An observed identity applies least-privilege principles to app permissions, granting only necessary access and preventing excessive data collection or potential abuse by third-party applications. (Vigilant, I.0381)
- **Reports anomalies in SIM configuration on mobile device**: An observed identity reports abnormal SIM or mobile network activity, enabling early detection of SIM hijacking, unauthorized reassignment, or suspicious carrier behavior that could compromise identity assurance. (Vigilant, I.0382)
- **Maintains MDM compliance**: An observed identity maintains compliance with mobile device management (MDM) requirements, avoiding tampering and notifying IT when controls appear degraded, ensuring visibility and consistent enforcement of policy. (Vigilant, I.0383)

### Relevance
This category identifies risks tied to mobile endpoints, including device theft, malicious apps, and phishing delivered through mobile channels.

### Why this matters
Mobile devices are constant attack targets and often fall outside traditional security monitoring. Ensuring mobile controls prevents them from becoming weak links.

### Consequences of neglect
Failure to secure mobile devices enables attackers to bypass enterprise protections, exfiltrate sensitive data, or compromise identity assurance mechanisms like MFA.

## Third-Party Risk Management
# Third-Party Risk C.13
How external vendors, suppliers, contractors, or partners introduce risk into the enterprise.

## Indicators
- **Violates security contract clauses**: An external organization fails to comply with contractual security clauses such as breach notification timelines, audit rights, or data protection requirements, exposing the enterprise to legal, regulatory, and operational risk. (Risky, I.0384)
- **Fails to meet security standards**: An external organization does not meet declared security standards (e.g., ISO 27001, NIST), undermining assurance frameworks and weakening trust in its security posture. (Risky, I.0385)
- **Grants excessive access privileges**: An external organization holds access beyond operational necessity, violating least-privilege principles and creating opportunities for misuse, insider threat, or lateral movement. (Risky, I.0386)
- **Uses unmonitored API integrations**: An external organization leverages unmonitored APIs, creating blind spots that increase the likelihood of unauthorized access, exfiltration, or undetected abuse of enterprise systems. (Risky, I.0387)
- **Uses unapproved cloud providers**: An external organization operates in cloud environments that are not authorized by policy, introducing risks of misaligned controls, data residency issues, and regulatory non-compliance. (Risky, I.0388)
- **Disposes sensitive data improperly**: An external organization fails to securely dispose of sensitive data, leading to lingering exposures, regulatory noncompliance, and increased risk of unauthorized recovery or misuse.
(Risky, I.0389)
- **Employs unverified subcontractors**: An external organization engages subcontractors without proper vetting or disclosure, creating hidden dependencies and uncontrolled risk exposure. (Risky, I.0390)
- **Operates domain on watchlist**: An external organization operates infrastructure appearing on threat intelligence watchlists, suggesting an elevated likelihood of compromise, malicious activity, or reputational damage. (Risky, I.0391)
- **Has history of security breaches**: An external organization has a history of prior security breaches or incidents, signaling weaknesses in its controls and raising concern about recurrence. (Risky, I.0392)
- **Lacks continuous security monitoring**: An external organization lacks continuous security monitoring, reducing visibility into active threats and delaying detection and containment of incidents. (Risky, I.0393)
- **Supplies or operates vulnerable software or platforms**: An external organization distributes or deploys software with known vulnerabilities, directly exposing enterprise environments to exploitation. (Risky, I.0394)
- **Lacks secure development practices**: An external organization fails to integrate secure coding practices into its software development lifecycle, leading to systemic weaknesses and recurring exploitable flaws. (Risky, I.0395)
- **Faces financial or legal instability**: An external organization faces lawsuits, fines, or financial instability, raising concern over service continuity and increasing supply chain risk. (Risky, I.0396)
- **Skips insider background screening**: An external organization neglects background screening for insiders with access to sensitive systems, heightening the likelihood of insider threat and data misuse. (Risky, I.0397)
- **Exhibits unusual access patterns**: An external organization demonstrates unusual access behaviors, such as anomalous geolocations or times, which may indicate compromised accounts or misuse. (Risky, I.0398)
- **Uses shared or generic credentials**: An external organization relies on shared or generic credentials, eliminating accountability and complicating auditing while increasing the risk of undetected misuse. (Risky, I.0399)
- **Lacks monitoring of insider activity**: An external organization is not monitored for insider threats, leaving a blind spot in detecting malicious or negligent activity within enterprise systems. (Risky, I.0400)
- **Fails to report employee departures**: An external organization does not communicate staff departures, allowing former personnel to retain unauthorized access and increasing the risk of data misuse. (Risky, I.0401)
- **Delays breach notification**: An external organization fails to notify about data breaches within contractual or regulatory timelines, amplifying legal exposure and delaying response. (Risky, I.0402)
- **Transfers data without logging**: An observed identity associated with an external organization transfers sensitive data without audit logging, eroding visibility, hindering investigations, and creating regulatory noncompliance risk. (Risky, I.0403)
- **Uses weak encryption standards**: An external organization employs outdated or weak encryption methods, exposing sensitive data to interception and noncompliance with regulatory requirements. (Risky, I.0404)
- **Shares data with unapproved subprocessors**: An external organization shares enterprise data with subcontractors that are not approved, creating uncontrolled exposure and contractual violations. (Risky, I.0405)
- **Lacks audit trail for data access**: An external organization fails to maintain tamper-proof audit trails for data access, complicating forensic investigations and undermining accountability. (Risky, I.0406)
- **Fails to appropriately manage shadow IT use**: An external organization relies on unsanctioned IT tools, bypassing governance and creating unmonitored pathways for data leakage or compromise. (Risky, I.0407)
- **Maintains third-party RBAC controls**: An external organization maintains dedicated role-based access controls for third parties, reducing privilege creep and supporting stronger accountability. (Vigilant, I.0408)
- **Conducts regular and timely audits**: An external organization undergoes recurring audits for data, access, and compliance, strengthening assurance of ongoing security alignment. (Vigilant, I.0409)
- **Requires use of organization-managed devices**: An external organization accesses enterprise systems only through organization-managed devices, ensuring MDM enforcement and consistent application of security controls. (Vigilant, I.0410)
- **Meets contractual compliance obligations**: An external organization complies with contractual security obligations such as mandatory training, phishing simulations, and policy adherence, reinforcing alignment with enterprise risk expectations. (Vigilant, I.0411)

### Relevance
This category captures risks that arise when third parties fail security, legal, or operational obligations. It also reveals how vendor practices influence enterprise resilience.

### Why this matters
Vendor ecosystems expand organizational attack surfaces. Breaches or missteps by partners can directly impact enterprise security posture.

### Consequences of neglect
Unaddressed third-party risks cause cascading failures, contractual breaches, compliance penalties, and reputational harm, often outside direct organizational control.

## Cybersecurity Compliance Overview
# Policy & Regulatory Compliance C.14
How the organization adheres to cybersecurity rules, standards, and legal obligations.

## Indicators
- **Fails to maintain adequate audit trails for sensitive data access**: The organization operates in an environment where sensitive data access is not logged or tracked.
This gap prevents investigators from determining who accessed regulated information, increasing the risk of undetected misuse or data loss. (Risky, I.0412)
- **Allows circumvention of secure web gateways**: The organization allows users to bypass corporate web gateways to reach unapproved or risky services. This circumvention undermines web filtering controls and increases exposure to malware, phishing, and data leakage. (Risky, I.0413)
- **Fails to require acknowledgement of acceptable use policies**: The organization does not require acknowledgement of acceptable use policies. Without attestation, the organization cannot enforce accountability or demonstrate compliance in regulatory or contractual reviews. (Risky, I.0414)
- **Does not review or address security training gaps**: The organization demonstrates incomplete or unassessed training progress. Without regular reviews of comprehension results, knowledge gaps persist, weakening the workforce's ability to detect and respond to threats. (Risky, I.0415)
- **Fails to regularly audit access to regulated systems**: The organization enables access to regulated systems without periodic access reviews. Missing audits increase the likelihood of privilege creep, inappropriate access, and compliance violations. (Risky, I.0416)
- **Allows shadow IT use without policy enforcement**: The organization allows use of unapproved tools or platforms without governance. This shadow IT behavior introduces unmanaged risk and bypasses organizational controls for security and compliance. (Risky, I.0417)
- **Allows transmission of business data via personal channels**: The organization allows sharing of business information over personal accounts or messaging tools. Such activity bypasses monitoring, creating untraceable data flows and elevating the risk of leakage. (Risky, I.0418)
- **Lacks effective user behavior analytics capability**: The behavior of identities in the organization is not monitored with an effective user behavior analytics capability. Without baselining activity, early warning signals of insider threat or negligent misuse may go undetected. (Risky, I.0419)
- **Lacks RBAC enforcement on ePHI systems**: The organization enables access to electronic protected health information in systems without role-based controls. This absence increases the chance of inappropriate access and regulatory violations under HIPAA or similar standards. (Risky, I.0420)
- **Lacks modern authentication mechanisms to effectively manage privileged accounts**: The organization enables privileged access without modern authentication such as MFA or passwordless. This gap raises compromise risk and weakens oversight of sensitive accounts. (Risky, I.0421)
- **Fails to participate in regular risk assessments**: The organization does not engage in required risk assessments. This neglect reduces awareness of vulnerabilities and leaves systemic risks unaddressed. (Risky, I.0422)
- **Lacks sufficient review of policy exception requests**: The organization operates under policy exceptions that are not regularly reviewed. Unchecked exceptions can become permanent risk exposures and undermine policy enforcement. (Risky, I.0423)
- **Grants policy exceptions without adequate revocation process**: The organization approves security exceptions that lack expiration or revocation. Without lifecycle controls, exceptions may persist indefinitely, increasing exposure. (Risky, I.0424)
- **Extends policy exceptions beyond minimum requirement**: The organization enables users to continue to hold privileges after an exception should have expired. This lack of revocation prolongs risk and weakens governance over exceptions. (Risky, I.0425)
- **Approves repeated exceptions to endpoint protection policies**: The organization enables users to disable or repeatedly request exceptions for endpoint protections. Repeated exceptions leave devices exposed to malware, intrusions, and regulatory non-compliance. (Risky, I.0426)
- **Grants remote access without conditional controls**: The organization grants remote access without mandatory controls such as MFA or compliance checks. This creates high exposure to unauthorized entry from untrusted environments. (Risky, I.0427)
- **Approves use of personal devices without device management or risk acceptance**: The organization enables access to enterprise resources from personal devices without device management or risk acceptance. This practice bypasses oversight, introducing unmanaged endpoints into the enterprise environment. (Risky, I.0428)
- **Fails to centrally track policy exceptions**: The organization's policy exceptions are not tracked centrally, leading to fragmented oversight and difficulty ensuring timely review or revocation. (Risky, I.0429)
- **Fails to revoke policy exceptions in a timely manner**: The organization maintains exceptions after the risk environment has shifted. Failing to revoke exceptions promptly exposes systems to evolving threats. (Risky, I.0430)
- **Fails to escalate critical infrastructure policy violations**: The organization fails to appropriately escalate policy violations on critical systems. This failure leaves high-value assets exposed and undermines operational resilience. (Risky, I.0431)
- **Meets access control target metrics**: The organization consistently achieves access control metrics such as adoption of passwordless logins, MFA, and training completion, demonstrating adherence to enterprise security standards. (Vigilant, I.0432)
- **Meets risk mitigation target metrics**: The organization consistently achieves enterprise metrics for risk reduction, such as phishing report participation or patch compliance, strengthening overall resilience. (Vigilant, I.0433)
- **Enforces automated process for policy exceptions**: The organization is governed by automated systems for managing policy exceptions. Automated enforcement and revocation reduce the chance of lingering or improperly granted exceptions. (Vigilant, I.0434)
- **Conducts audits of subordinate organizations**: The organization is part of regular audits targeting subordinate or leadership groups. These audits validate adherence to policy and reinforce a culture of accountability. (Vigilant, I.0435)
- **Participates in cybersecurity culture initiatives**: The organization engages in organizational initiatives to promote cybersecurity culture. Participation strengthens awareness, reinforces expected behaviors, and fosters a resilient security-first mindset. (Vigilant, I.0436)

### Relevance
This category surfaces where the organization enables users to bypass or neglect policies and compliance practices, increasing audit and regulatory risks.

### Why this matters
Compliance underpins trust with regulators, customers, and partners. Strong adherence also builds a culture of accountability and good security hygiene.

### Consequences of neglect
Ignoring this category invites audit failures, regulatory fines, contractual breaches, and weakened governance structures that erode long-term resilience.

## Human Use of AI
# Human Use of AI C.15
How individuals interact with and apply AI systems within the workplace.

## Indicators
- **Inputs secrets into AI prompts**: An observed identity enters credentials such as passwords, API tokens, or encryption keys into AI tools, exposing secrets to uncontrolled environments and creating risk of data compromise. (Risky, I.0437)
- **Submits enterprise data to unmanaged AI platforms**: An observed identity provides sensitive corporate or regulated information to public AI services, bypassing enterprise safeguards and risking uncontrolled data retention or leakage. (Risky, I.0438)
- **Inputs proprietary code into AI tools**: An observed identity submits proprietary application code to public AI tools, potentially exposing intellectual property, revealing vulnerabilities, or violating licensing obligations.
(Risky, I.0439)
- **Inputs customer PII into AI tools**: An observed identity enters customer personally identifiable information into AI platforms without anonymization, creating regulatory exposure and increasing the likelihood of privacy violations. (Risky, I.0440)
- **Inputs sensitive HR or legal content into AI tools**: An observed identity submits confidential HR or legal documents to AI services, risking leakage of protected information and undermining privilege or compliance requirements. (Risky, I.0441)
- **Exposes sensitive prompts during live sessions**: An observed identity enters sensitive prompts during live demos or screen shares, unintentionally disclosing confidential details to audiences or recording platforms. (Risky, I.0442)
- **Uses unapproved AI applications**: An observed identity engages with unapproved AI platforms, bypassing enterprise oversight and introducing uncontrolled data handling or security risks. (Risky, I.0443)
- **Uses personal AI accounts for work**: An observed identity relies on personal accounts to access AI services for business purposes, undermining enterprise monitoring, accountability, and data protection. (Risky, I.0444)
- **Authorizes AI use outside job scope**: An observed identity approves AI-related initiatives beyond their functional remit, creating governance gaps and allowing deployment without adequate oversight or expertise. (Risky, I.0445)
- **Implements AI-generated code without validation**: An observed identity introduces AI-generated code into enterprise systems without security review, increasing the risk of vulnerabilities, backdoors, or operational defects. (Risky, I.0446)
- **Sends unverified AI responses to customers**: An observed identity forwards AI-generated content directly to customers without review, risking inaccuracies, reputational harm, or disclosure of unintended information. (Risky, I.0447)
- **Uses AI to craft manipulative or misleading content**: An observed identity leverages AI tools to produce misleading or manipulative content, creating reputational, legal, or compliance risks for the enterprise. (Risky, I.0448)
- **Inputs third-party copyrighted content into AI**: An observed identity provides copyrighted or licensed content to AI tools without proper rights, creating intellectual property infringement risk for the organization. (Risky, I.0449)
- **Attempts to bypass AI safety controls**: An observed identity deliberately engineers prompts to bypass AI safety controls, increasing exposure to harmful outputs and undermining compliance with policy or regulation. (Risky, I.0450)
- **Employs AI jailbreak techniques**: An observed identity exploits jailbreak techniques against AI systems to override controls, eliciting restricted outputs or enabling misuse of the technology. (Risky, I.0451)
- **Probes AI models to extract training data**: An observed identity crafts probing queries to infer or reconstruct sensitive data embedded in AI training sets, risking exposure of proprietary or personal information. (Risky, I.0452)
- **Persists with unsafe AI prompting**: An observed identity continues attempting risky or unsafe prompts despite prior failures, signaling intent to misuse AI or disregard for security policies. (Risky, I.0453)
- **Deploys unvetted open-source AI models**: An observed identity deploys open-source AI models without security or compliance review, introducing unmonitored risk into the enterprise technology stack. (Risky, I.0454)
- **Disregards enterprise AI policies**: An observed identity fails to follow organizational AI policies, undermining governance and creating inconsistent or unsafe practices. (Risky, I.0455)
- **Accepts AI outputs without validation**: An observed identity relies on AI outputs without human validation, risking propagation of errors, misinformation, or unsafe recommendations into business workflows. (Risky, I.0456)
- **Reviews prompts for sensitive data**: An observed identity carefully reviews AI prompts to ensure no sensitive information is included, reducing the risk of data leakage to external services. (Vigilant, I.0457)
- **Uses enterprise-approved AI platforms**: An observed identity consistently engages with enterprise-approved AI platforms, ensuring oversight, auditability, and compliance with security standards. (Vigilant, I.0458)
- **Validates AI outputs against trusted sources**: An observed identity compares AI outputs against authoritative references, improving accuracy and reducing the risk of propagating false or misleading information. (Vigilant, I.0459)
- **Discloses AI use in deliverables**: An observed identity transparently discloses AI involvement in deliverables, ensuring accountability and compliance with transparency expectations. (Vigilant, I.0460)
- **Documents AI-assisted decisions**: An observed identity documents when AI contributes to business decisions, preserving an auditable trail that supports compliance, accountability, and governance reviews. (Vigilant, I.0461)
- **Avoids AI-generated content in compliance-sensitive contexts**: An observed identity ensures compliance-sensitive outputs such as legal or regulatory filings are human-reviewed, avoiding sole reliance on AI outputs. (Vigilant, I.0462)
- **Uses pre-approved AI prompt templates**: An observed identity uses pre-approved AI prompt templates, ensuring consistency, reducing sensitive data exposure, and aligning with enterprise-approved practices. (Vigilant, I.0463)
- **Participates in AI model risk assessments**: An observed identity participates in model risk assessments, helping identify biases, unsafe behaviors, or performance gaps in enterprise AI systems. (Vigilant, I.0464)

### Relevance
This category distinguishes between risky and vigilant uses of AI, highlighting data handling, policy alignment, and the quality of human oversight applied to AI-assisted tasks.
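The risky indicators "Inputs secrets into AI prompts" (I.0437) and "Inputs customer PII into AI tools" (I.0440) and their vigilant counterpart "Reviews prompts for sensitive data" (I.0457) can be made mechanical rather than left to the user's diligence: screen the prompt before it leaves the enterprise boundary. The following is an added example, not tooling from the framework or any vendor. The detector list is a deliberately small, assumed set of patterns (an AWS access key ID, a GitHub token, a PEM private-key header, a bearer token, a `password:`/`api_key=` style assignment, an e-mail address, a US SSN shape); the sample prompt is constructed, and the AWS key in it is Amazon's published example value.

```python
"""Pre-submission screening of AI prompts for secrets and PII.

Added example, not the framework's own tooling. The pattern list is a small,
assumed set; a production control would reuse the secret-scanning and DLP
rules the enterprise already maintains."""
import re

# (indicator kind, compiled pattern). Secret patterns come first so that a
# token is labelled as a secret even where a broader PII pattern would also hit.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._=-]{20,}")),
    ("credential_assignment",
     re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret|token)\s*[:=]\s*\S{8,}")),
    ("email_address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]


def scan_prompt(text):
    """Return [(kind, matched_text), ...] for every hit, in pattern order."""
    return [(kind, m.group(0)) for kind, rx in PATTERNS for m in rx.finditer(text)]


def redact_prompt(text):
    """Replace every hit with a typed placeholder so the prompt stays usable
    (the model still sees that *a* key was there, not its value)."""
    for kind, rx in PATTERNS:
        text = rx.sub(f"<REDACTED:{kind}>", text)
    return text


def is_safe_to_submit(text):
    """True when no pattern fires; the gate the vigilant workflow enforces."""
    return not scan_prompt(text)


# Constructed sample prompt. The AWS key is Amazon's documented example value.
SAMPLE_PROMPT = (
    "Help me debug this deploy script.\n"
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "db password: hunter2!!\n"
    "Ping jane.doe@example.com when it works."
)

if __name__ == "__main__":
    for kind, hit in scan_prompt(SAMPLE_PROMPT):
        print(f"{kind}: {hit}")
    print(redact_prompt(SAMPLE_PROMPT))
```

Regex detection is a first pass: it catches structured secrets and obvious identifiers, not proprietary source or HR documents (I.0439, I.0441), which need classification labels or DLP fingerprints rather than shape matching. Run the scan in the proxy or browser extension the approved AI platform is reached through, so the redacted text, and the count of what was redacted, becomes the observable signal for I.0457.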
### Why this matters
Generative AI introduces new risks around data leakage, misinformation, and compliance. By monitoring human-AI interaction, organizations can enforce safe and effective practices.

### Consequences of neglect
If left unmanaged, unsafe AI use leads to sensitive data exposure, unvetted outputs, and reputational or regulatory harm from inappropriate AI reliance.

## Oversight of Autonomous AI
# Agentic AI C.16
How organizations deploy and oversee autonomous AI agents in enterprise environments.

## Indicators
- **Attempts to override AI guardrails**: An observed identity deliberately crafts prompts or inputs intended to override configured AI safety controls, attempting to bypass alignment restrictions and policy guardrails in order to obtain prohibited outputs. (Risky, I.0465)
- **Launches AI agents without approval**: An observed identity initiates autonomous AI agent workflows without the required oversight or approval, removing safeguards designed to keep critical decision-making under human supervision. (Risky, I.0466)
- **Runs privileged AI workflows without logging**: An observed identity executes AI-driven workflows with elevated access rights but disables or omits logging, preventing security teams from monitoring actions or reconstructing events in case of misuse. (Risky, I.0467)
- **Grants AI agents excessive permissions**: An observed identity provisions AI agents with overly broad access, such as entire file systems or sensitive APIs, expanding the attack surface and introducing unnecessary pathways for misuse or compromise. (Risky, I.0468)
- **Grants AI agents unnecessary write access**: An observed identity provides AI agents with write-level access to sensitive systems when read-only rights would suffice, increasing the likelihood of unintentional changes, data corruption, or malicious misuse.
(Risky, I.0469)
- **Configures AI agents to bypass safeguards**: An observed identity modifies AI agent configurations in ways that disable or weaken safety controls, such as removing content filters or alignment constraints, elevating the risk of harmful or unapproved outputs. (Risky, I.0470)
- **Manipulates AI models to bias outputs**: An observed identity deliberately alters AI model parameters, weights, or memory to skew results toward biased or self-serving outcomes, undermining trustworthiness and introducing ethical and compliance risks. (Risky, I.0471)
- **Leaves unmonitored AI agents in production**: An observed identity keeps fine-tuned AI agents running in production without monitoring or periodic retraining, allowing outdated models to behave unpredictably or expose the enterprise to new vulnerabilities. (Risky, I.0472)
- **Schedules autonomous AI tasks without review**: An observed identity configures AI agents to run recurring or long-lived tasks without periodic oversight, creating risks if conditions change or the workflow scope expands unnoticed. (Risky, I.0473)
- **Disables AI workflow logging**: An observed identity deactivates audit logging or alerting in AI workflows, removing forensic visibility and preventing detection of unauthorized or risky agent actions. (Risky, I.0474)
- **Uses AI agents outside role authority**: An observed identity employs AI agents to make decisions in domains beyond their authority, such as financial approvals or HR actions, creating governance, compliance, and accountability risks. (Risky, I.0475)
- **Reports unsafe AI agent behavior**: An observed identity identifies and reports anomalous or unsafe AI agent behaviors, helping security teams detect and address potential malfunctions, policy violations, or adversarial exploitation. (Vigilant, I.0476)
- **Configures AI agents with least privilege**: An observed identity assigns only the minimal access necessary for AI agents to perform their tasks, adhering to least-privilege principles and reducing the potential blast radius of compromise. (Vigilant, I.0477)
- **Reviews AI agent logs regularly**: An observed identity regularly audits execution logs and activity trails from AI agents, ensuring accountability, early detection of misbehavior, and ongoing compliance with enterprise policies. (Vigilant, I.0478)
- **Seeks approval before launching autonomous AI workflows**: An observed identity obtains necessary approvals before enabling autonomous AI workflows, ensuring human oversight is maintained and preventing unvetted tasks from running unchecked in production environments. (Vigilant, I.0479)
- **Enables real-time alerts for sensitive AI actions**: An observed identity configures monitoring systems to generate real-time alerts on sensitive AI agent actions, ensuring that deviations, anomalies, or unsafe behaviors are quickly identified and addressed. (Vigilant, I.0480)
- **Terminates AI agents after task completion**: An observed identity terminates AI agents promptly after they complete assigned tasks, preventing unintended persistence, unauthorized activity, or ongoing consumption of system resources. (Vigilant, I.0481)

### Relevance
This category focuses on ensuring AI agents remain accountable, operate within guardrails, and are continuously monitored. It highlights oversight mechanisms that reduce unintended consequences.

### Why this matters
Autonomous systems can act faster than humans and outside their intended scope. Oversight ensures safety, transparency, and alignment with organizational policies.

### Consequences of neglect
Uncontrolled agentic AI leads to unpredictable outputs, unauthorized actions, and cascading failures, creating enterprise-scale risks that are difficult to contain.
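Most of the Agentic AI indicators above describe properties of the layer that sits between the agent and the tools it is allowed to call: an explicit allowlist (I.0468, I.0477), write access only when justified (I.0469), human approval before launch (I.0466, I.0479), logging that the agent cannot switch off (I.0467, I.0474, I.0478), alerts on sensitive actions (I.0480), and teardown after the task (I.0481). The following is an added example of such a gateway, not code from the framework or from any agent platform. The agent names, the tool catalogue, the policy fields, the in-memory ticket store and the deterministic clock are all assumptions chosen so the block runs offline; the hash chain over log entries is the usual tamper-evidence construction, not something the page prescribes.

```python
"""Tool gateway enforcing least privilege, approval, TTL and a hash-chained
audit log for an autonomous agent.

Added example, not the framework's own code. Agent names, the tool catalogue,
policy fields and the in-memory ticket store are assumptions."""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Optional

READ, WRITE = "read", "write"
GENESIS = "0" * 64

# Assumed tool catalogue: access level each tool needs, and whether a call is
# sensitive enough to raise a real-time alert (I.0480).
TOOL_CATALOGUE = {
    "search_docs":     {"level": READ,  "sensitive": False},
    "read_ticket":     {"level": READ,  "sensitive": False},
    "update_ticket":   {"level": WRITE, "sensitive": False},
    "approve_invoice": {"level": WRITE, "sensitive": True},
}
TICKETS = {"T-1": {"status": "open"}}  # constructed in-memory system of record

def _update_ticket(ticket_id, status):
    TICKETS[ticket_id]["status"] = status
    return dict(TICKETS[ticket_id])

HANDLERS = {
    "search_docs":     lambda query: [f"doc matching {query!r}"],
    "read_ticket":     lambda ticket_id: dict(TICKETS[ticket_id]),
    "update_ticket":   _update_ticket,
    "approve_invoice": lambda invoice: {"invoice": invoice, "approved": True},
}

class PolicyViolation(Exception):
    pass

class FakeClock:  # deterministic clock so TTL expiry can be exercised offline
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now

@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset            # explicit allowlist; nothing else is callable (I.0477)
    max_level: str = READ               # write access must be opted into (I.0469)
    approved_by: Optional[str] = None   # no human approval, no launch (I.0466/I.0479)
    ttl_seconds: float = 3600.0         # agents are torn down, not left running (I.0481)

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class ToolGateway:
    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock = policy, clock
        self.started = clock()
        self.log, self.alerts, self.terminated = [], [], False

    def _record(self, tool, decision, reason):
        # Every entry commits to the previous hash, so an edited or dropped
        # entry breaks the chain (I.0467/I.0474); the agent has no API to skip this.
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"ts": self.clock(), "agent": self.policy.agent_id, "tool": tool,
                 "decision": decision, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def _deny(self, tool, reason):
        self._record(tool, "deny", reason)
        raise PolicyViolation(f"{self.policy.agent_id}: {tool} denied ({reason})")

    def call(self, tool, *args):
        if self.policy.approved_by is None:
            self._deny(tool, "unapproved_launch")
        if self.clock() - self.started > self.policy.ttl_seconds:
            self.terminated = True
        if self.terminated:
            self._deny(tool, "agent_terminated")
        spec = TOOL_CATALOGUE.get(tool)
        if spec is None:
            self._deny(tool, "unknown_tool")
        if tool not in self.policy.allowed_tools:
            self._deny(tool, "not_allowlisted")
        if spec["level"] == WRITE and self.policy.max_level != WRITE:
            self._deny(tool, "write_not_permitted")
        if spec["sensitive"]:
            self.alerts.append({"agent": self.policy.agent_id, "tool": tool, "ts": self.clock()})
        result = HANDLERS[tool](*args)
        self._record(tool, "allow", "ok")
        return result

    def terminate(self):
        self.terminated = True
        self._record("-", "terminate", "task_complete")

    def verify_log(self):
        """Recompute the chain; False means an entry was altered or removed (I.0478)."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def denied_reason(gateway, tool, *args):
    """Return the logged denial reason for a call, or None if it was allowed."""
    try:
        gateway.call(tool, *args)
        return None
    except PolicyViolation:
        return gateway.log[-1]["reason"]
```

Two design points carry the weight. Denials are logged before the exception is raised, so a probing agent leaves evidence of every tool it tried, which is the raw material for "Reviews AI agent logs regularly". And the policy is a frozen object created by whoever approves the launch, not something the agent's own prompt or configuration can widen at run time, which is what separates "Configures AI agents with least privilege" from "Configures AI agents to bypass safeguards".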
## Blog
- Phases of the Human Cyber Risk Framework: From Awareness to Mitigation
- Case Study: How User Risk Evolves Over Time in Human Risk Management
- Human-Centric Cyber Risk: Why People and AI Co-Workers Are the New Security Frontier

# About
Learn more about the Human Risk Management Framework. Coming soon: this section will provide detailed information about:
- The origins and development of the framework
- Our team and contributors
- Mission, vision, and core principles
- Contact information and support

## Human Risk Framework
## Risk Categorization
To understand human risk at an enterprise scale, we must first map its full breadth; that's where categories come in. Each of the categories below represents a distinct facet of how people interact with systems, data, and one another, helping us conceptually organize the many ways human behavior can impact risk. Within each category are unique risk indicators: specific, observable actions or events that signal a human's contribution, positive or negative, to cybersecurity risk. It's these indicators that enable organizations to identify, measure, and manage the full spectrum of human-driven risk. Categories provide the structure; indicators provide the evidence.
- [Communication Security (C.01)](https://www.humanriskmanagement.com/framework/c.01): How individuals use email, chat, messaging, and collaboration platforms to exchange information.
- [Engagement & Awareness (C.02)](https://www.humanriskmanagement.com/framework/c.02): How individuals participate in and retain knowledge from security education and engagement activities.
- [Data Protection (C.03)](https://www.humanriskmanagement.com/framework/c.03): How individuals handle, share, store, or exfiltrate sensitive or regulated information.
- [Identity & Access Risk (C.04)](https://www.humanriskmanagement.com/framework/c.04): How user identities, authentication methods, and permissions are used to access systems and data.
- [Web & Cloud Usage (C.05)](https://www.humanriskmanagement.com/framework/c.05): How individuals access internet resources and cloud-based services.
- [Endpoint & Device Security (C.06)](https://www.humanriskmanagement.com/framework/c.06): The condition, posture, and configuration of user devices, including desktops, laptops, and peripherals.
- [Physical Security (C.07)](https://www.humanriskmanagement.com/framework/c.07): How individuals interact with physical spaces and assets to protect sensitive environments.
- [Social Engineering Risks (C.08)](https://www.humanriskmanagement.com/framework/c.08): How attackers exploit human psychology through tactics such as fear, trust, urgency, or overconfidence.
- [Incident Response Readiness (C.09)](https://www.humanriskmanagement.com/framework/c.09): How effectively individuals report, escalate, and participate in incident response processes.
- [Remote Work Risk (C.10)](https://www.humanriskmanagement.com/framework/c.10): How individuals manage security while working outside traditional office environments.
- [Digital Exposure Risk (C.11)](https://www.humanriskmanagement.com/framework/c.11): How much sensitive personal or professional information about individuals is publicly available online.
- [Mobile Security (C.12)](https://www.humanriskmanagement.com/framework/c.12): How individuals use and secure smartphones and tablets for work purposes.
- [Third-Party Risk (C.13)](https://www.humanriskmanagement.com/framework/c.13): How external vendors, suppliers, contractors, or partners introduce risk into the enterprise.
- [Policy & Regulatory Compliance (C.14)](https://www.humanriskmanagement.com/framework/c.14): How the organization adheres to cybersecurity rules, standards, and legal obligations.
- [Human Use of AI (C.15)](https://www.humanriskmanagement.com/framework/c.15): How individuals interact with and apply AI systems within the workplace.
- [Agentic AI (C.16)](https://www.humanriskmanagement.com/framework/c.16): How organizations deploy and oversee autonomous AI agents in enterprise environments.

## How We Built the Framework
Creating a truly human-centric risk framework required more than theory; it had to reflect how risk actually shows up in the real world. As the framework evolves, it will integrate insights from leading standards such as MITRE ATT&CK and NIST, alongside industry research including Verizon's Data Breach Investigations Report and real-world enterprise log data, to ensure the HRM Framework remains both comprehensive and practical. Each insight will be observable, measurable, and directly mappable to existing security controls.

# Our Approach
Building a robust framework requires more than organization; it demands relevance and real-world impact. We have focused on making risk signals meaningful, actionable, and grounded in the realities of enterprise security. Our approach includes:

### Framework Alignment
We draw inspiration from leading frameworks, MITRE ATT&CK and NIST, but through a human lens, focusing on tactics and techniques that align to the risks specifically exposed by humans and agents.
This has allowed us to fill key visibility gaps while complementing the existing standards around which effective modern enterprise security programs are modeled.

### Data-Driven Risk Signals

We analyze anonymized organizational data, security incident reports, and API outputs from the most common controls in the modern enterprise security stack to identify signals that surface quantifiable indicators of human risk. Statistical analysis reveals patterns and correlations that inform our risk categorization system.

### Measurable Risk Indicators

Framework research draws on the experience of security practitioners, behavioral scientists, and risk management experts to provide insights into both practical challenges and emerging threats. This research surfaced three core dimensions of risk: behavior risk (actions by users), threat exposure (what targets them), and inherent risk (risk by role or access). Each indicator captures a measurable signal of human cyber risk.

### Expert Validation

We are actively testing and requesting feedback from CISOs, SOC leaders, insider threat analysts, and industry partners to refine definitions, severity, and risk decay, ensuring the framework is practical and effective in dynamic environments.

### The Result

An [HRM Framework](https://www.humanriskmanagement.com/framework) built not just to classify risk, but to drive decisions and, ultimately, operational action. Every insight is observable. Every signal will be mapped to industry frameworks. And every category is designed to support real-world action through mitigation recommendations.

## Ready to Apply Our Research?

Grounded in data. Designed for scale. Built for security teams who are ready to manage human risk proactively.

[Explore the Framework](https://www.humanriskmanagement.com/framework)

## Human Risk Management

# Implementation

Practical guidance for deploying human risk management in your organization

Coming Soon

We're developing comprehensive implementation resources including:

- Step-by-step deployment guides
- Integration with existing security tools
- Organizational change management strategies
- Success metrics and KPI tracking