Our Approach
Building a robust framework requires more than organization; it demands relevance and real-world impact. We have focused on making risk signals meaningful, actionable, and grounded in the realities of enterprise security. Our approach includes:
We draw inspiration from leading frameworks, MITRE ATT&CK and NIST, but through a human lens, focusing on tactics and techniques that align with the risks specifically exposed by humans and agents. This has allowed us to fill key visibility gaps while complementing the existing standards around which effective modern enterprise security programs are modeled.
We analyze anonymized organizational data, security incident reports, and API outputs from the most common controls in the modern enterprise security stack to identify signals that surface quantifiable indicators of human risk. Statistical analysis reveals patterns and correlations that inform our risk categorization system.
Framework research draws on the experience of security practitioners, behavioral scientists, and risk management experts to provide insights into both practical challenges and emerging threats. This research surfaced insights into three core dimensions of risk: behavior risk (actions taken by users), threat exposure (what targets them), and inherent risk (risk arising from role or access). Each indicator captures a measurable signal of human cyber risk.
We are actively testing and requesting feedback from CISOs, SOC leaders, insider threat analysts, and industry partners to refine definitions, severity, and risk decay, ensuring the framework is practical and effective in dynamic environments.
The result is an HRM framework built not just to classify risk, but to drive decisions and ultimately operational action. Every insight is observable. Every signal will be mapped to industry frameworks. And every category is designed to support real-world action through mitigation recommendations.