Fable announces our board-ready human risk reporting.

Exec-ready human risk reporting with Dayton Children’s Hospital

We just launched exec-ready human risk reporting—a new way to show executives and boards what really matters.

In this 15-minute* Fast Fables session, Fable CEO Nicole Jiang, CIO J.D. Whitlock of Dayton Children’s Hospital, and Chief Customer Officer Jamie Barnett reveal how to move beyond clicks and completions with clear, explainable metrics that quantify your true human risk. See how organizations can benchmark performance, pinpoint high-risk behaviors, and take fast, targeted action with Fable’s new executive dashboard and AI-powered insights.

Yes, it’s really 15 minutes. No fluff—just the good stuff. Watch the recording above.

FAQs

1. You mentioned interventions. How do those work?

In Fable, you can drill down from the risk score to the risk factors, and from there, to the specific behaviors driving that score. For insecure behaviors, Fable recommends a targeted intervention, such as a short video briefing or nudge, which can be delivered to the affected cohort. Interventions run like training or phishing campaigns, with full performance tracking: engagement, completion, and actions taken (e.g., OS updates, MFA adoption, or corrected data sharing).

2. Does this require deep integrations to get started?

Not at all. Fable offers multiple paths to value depending on your setup. You can launch quickly with minimal configuration, like uploading a user list, to run phishing simulations and awareness campaigns, even on timely or targeted topics. Integrations unlock deeper insight and automation, but they’re optional to start seeing impact.

3. How hard is it to get this kind of reporting if our data is fragmented across different tools?

That’s where most teams begin. Fable can generate meaningful insights even from partial datasets, then progressively enrich reporting as integrations expand. You don’t need a perfect data landscape to start identifying risk patterns.

4. What makes up the risk score?

The risk score combines multiple factors—such as authentication hygiene, device security, and data handling—each tied to measurable user behaviors. You can drill down to see which specific habits (like weak MFA or unsafe file sharing) contribute to each factor, providing transparency into the “why” behind the score.

Goat rodeo security: reducing human risk amid chaos

The TL;DR

  • Human behavior is the most targeted attack surface.
  • You can’t patch people—but you can shape behavior.
  • Security must meet people where they are.
  • The modern playbook blends threat intelligence and behavioral science.

If you’ve ever tried to secure an organization in a high-stakes, fast-moving environment, you know it’s less like a chess game and more like a goat rodeo. That’s how Steve Tran, former CISO of the Democratic National Committee (DNC), describes leading security through periods of rapid growth and intense public scrutiny—where thousands of new staffers, volunteers, and devices might come online in a matter of weeks, and every click carries risk.

“We weren’t just defending systems,” Tran said at this week’s post-keynote fireside chat at Infosec World 2025 in Orlando with Fable Security CEO Nicole Jiang and Sean Coyne, Head of Cybersecurity at MagicSchool AI. “We were trying to influence people’s behavior—and do it at scale.”

Tran faced a truth that every CISO eventually encounters: you can’t patch people. Firewalls and compliance dashboards only go so far. His team had to help employees recognize risk in the moment: spotting a deepfake, questioning an unusual link, protecting personal devices, and thinking twice before responding to unexpected outreach on a dating website. “People aren’t trying to be careless,” he said. “They’re human. Their behavior is a feature, not a bug. People want to be helpful, to click, to respond. Our job was to meet them where they were.”

That viewpoint guided his philosophy more broadly as a CISO, especially when it came to human risk. His advice: minimize friction. Instead of, say, trying to shoehorn people into a complex password system, start a passwordless authentication program. Rather than rely on one-off training, he focused on shaping secure behavior, such as updating OSs and adopting security tools, through nudges and reminders. “It’s not about lecturing people,” he said. “It’s about designing experiences that make the secure thing also the easy thing.”

Coyne, a longtime SOC leader turned advisor, built on Tran’s points. “When you think of attackers as just being evil, that’s fine, but you should think of them as being efficient,” he explains. “They’re trying to maximize their ROI. Think of them as clever, hungry, and opportunistic. They don’t want to expend a lot of effort, so they’re going to try to attack targets where they’re weakest, and that’s almost always the human. So at a very high level, don’t focus on maximizing your strengths. You’ve got to focus on minimizing your weaknesses, and that’s what’s going to reduce your risk profile the most.”

For Coyne, the modern playbook means blending threat intelligence and behavioral science—understanding how people work, why they make certain decisions, and how to guide them at the right moment for the greatest impact.

Both leaders agreed: the old “training and phishing” model is outdated. “Security has to be personal, contextual, and ongoing,” Tran said. Coyne added, “The network isn’t the choke point anymore. The human is. If you don’t understand how your people think, you’ll never understand how your attackers win.”

At Fable, that’s exactly the shift we’re helping organizations make—turning human behavior from a liability into a strength. Because the goat rodeo isn’t just happening in campaigns. It’s happening everywhere.

7 human risk metrics your board wants, and you can deliver (finally!)

The TL;DR

  • Boards want clarity on human risk; legacy metrics don’t cut it
  • Fable’s board-ready reporting turns employee data into insights
  • Understand human risk, what comprises it, and how it’s changed
  • Show measurable impact and where to act next
  • Watch our Fast Fable to see the reporting in action

For years, CISOs have dreaded presenting human risk to the board. Directors and executives want to understand how employee behavior affects company risk, but most CISOs have struggled to make that story clear, explainable, and actionable.

If they show human risk at all, it’s employees’ phishing simulation scores and awareness training completion rates—limited proxies for actual risk. Boards want to see actual risk, remediation plans, and program impact. Until now, most security leaders would pretty much just shrug and focus on the hard-data security metrics.

We’re changing that. Our new board-ready reporting turns human risk and behavior data into meaningful, explainable, and actionable statistics for executives and directors. 

Here are seven metrics you will be able to see (or calculate) in Fable Security that your board will actually care about. These metrics reveal your organization’s human risk based on both inherent factors, like employees’ role and access, and behavioral factors, such as their authentication hygiene, device health, data-sharing habits, credential strength, use of generative AI, susceptibility to social engineering, and more. They show the performance of programs you’ve tried so far, as well as where you should prioritize your next action.

1. Explainable risk score

What’s needed is a single, comprehensive, explainable score that captures your organization’s human risk posture. The operative descriptor is “explainable”: it should clearly show what risk factors comprise it and to what degree, what actions you have taken to reduce it, and the prioritized actions that could drive it down even further.

You should be able to see this risk and its factors at the organizational, departmental, regional, or individual level, as well as compare across departments or regions.

2. Riskiest behaviors

Boards are curious about what’s putting the organization at risk. Show the highest-impact behaviors, such as reused passwords, outdated OS software, sensitive data sharing in generative AI, failed phishing simulations, and more. Enumerating these behaviors shines a light on which ones move the needle the most, and grounds in reality all subsequent discussion about what investments to make.

3. Behavior change

Measure how much employee behavior improves from the prior reporting period or the start of your risk reduction campaign, as well as vis-a-vis your goal. For example, if you launched a campaign to encourage all employees with elevated system access to adopt a password manager, and you went from 20% to 80% compliance, you’d show a 60 percentage-point improvement, a four-fold increase in compliance, and a status of 80% of total goal.

4. Time-to-behavior change

How fast do people respond to your interventions? Show how many hours or days it takes to get your goal number of users to compliance (whether 50%, 75%, or 100% of the total cohort). For instance, if you’re being alerted to PII in cleartext in your systems and you have zero tolerance for that behavior, you’ll need to measure how long it takes to drive that number to zero.

5. Emerging threats and most relevant targets

Beyond showing risky behavior, it’s good to show how much of a target your organization is, with a drill-down into what the most relevant threats are. For example, if you have a large trove of customer data, you might be a target of the cyber crime group ShinyHunters. Do one better, and show which cohorts of people are most at risk. In this scenario, it would be those with elevated access in CRM systems. 

6. Social engineering heat map

Show which roles, teams, or regions are most frequently targeted, and how they perform in controlled tests. A visual heat map makes it instantly clear where defenses are working, and where you’re exposed.

7. Risk lift of toxic combinations

One of the more sophisticated (and useful) metrics is identifying where two factors combine to elevate risk. We call these “toxic combinations.” The metric compares how often two risky behaviors co-occur versus how often you’d expect them to if they were independent. If the ratio of P(X∩Y)/[P(X)×P(Y)] exceeds 1, those behaviors occur together more frequently than chance, indicating a positive association and a “toxic” risk lift. For example, employees with privileged access who also fail phishing simulations represent a high-risk combination.
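The lift ratio above, computed over a per-user set of observed risk factors. This is an added example, not Fable's code or data model: the user records are constructed, and the factor names and the `min_support` cutoff are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample data: user id -> set of observed risk factors.
# Factor names are hypothetical labels chosen for this example.
USERS = {
    "u01": {"privileged_access", "failed_phish_sim"},
    "u02": {"privileged_access", "failed_phish_sim"},
    "u03": {"privileged_access", "failed_phish_sim"},
    "u04": {"privileged_access", "reused_password"},
    "u05": {"failed_phish_sim", "reused_password"},
    "u06": {"reused_password", "outdated_os"},
    "u07": {"reused_password"},
    "u08": {"reused_password"},
    "u09": {"outdated_os", "genai_data_paste"},
    "u10": set(),
}

def _count(users, *factors):
    """Number of users exhibiting every factor in `factors`."""
    return sum(1 for seen in users.values() if all(f in seen for f in factors))

def risk_lift(users, x, y):
    """P(X∩Y) / [P(X) × P(Y)]; None when either factor is never observed."""
    n, cx, cy = len(users), _count(users, x), _count(users, y)
    if cx == 0 or cy == 0:
        return None  # ratio undefined: denominator would be zero
    # (cxy/n) / ((cx/n) * (cy/n)) simplifies to cxy * n / (cx * cy)
    return _count(users, x, y) * n / (cx * cy)

def toxic_combinations(users, min_support=2):
    """Pairs with lift > 1, highest first, as (x, y, users_with_both, lift).

    min_support drops pairs seen together in too few users, where a high
    lift is mostly noise from a small sample.
    """
    factors = sorted(set().union(*users.values()))
    rows = []
    for x, y in combinations(factors, 2):
        both, lift = _count(users, x, y), risk_lift(users, x, y)
        if lift is not None and lift > 1 and both >= min_support:
            rows.append((x, y, both, lift))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for row in toxic_combinations(USERS):
        print(row)
```

In this sample the privileged-access and failed-phishing pair co-occurs in 3 of 10 users against an expected 1.6, while the pair with the highest raw lift rests on a single user and is filtered out by the support cutoff.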

To sum it all up

Boards don’t want more slides; they want clarity: the organization’s human risk, its primary factors, risk-reduction measures taken, and where to invest next. With board-ready reporting from Fable, you’ll be able to deliver those answers with confidence.

Upend what your board expects of your security reports

The TL;DR

  • Boards are asking for clarity on human risk—beyond phishing and training
  • With our board-ready reporting, CISOs can show risk with metrics that matter
  • With Fable, you can tell a crisp narrative of progress, proof, and accountability
  • Watch our Fast Fable to see the dashboard in action

For years, CISOs have walked into boardrooms armed with the same slide deck: threat counts, patch compliance, incident trends, phishing clicks, and training completions. The numbers look precise and the charts are neat, but they don’t answer the question boards are asking: what’s our human risk?

Where does risky behavior actually live in the organization? What drives it? How quickly are we fixing it? And are we getting safer…or just busier?

From systems to humans

For too long, security updates have focused on systems, not people. The board gets metrics like vulnerabilities closed or endpoints patched, but little visibility into the everyday human decisions that make or break security. The weak link is rarely the firewall; it’s more often the reused password, the unpatched laptop, or the sensitive data pasted into generative AI. We know this. We just haven’t had the right metrics to quantify it.

Drive clarity and alignment

Boards and executives aren’t asking for more detail. They’re asking for clarity. They want to know three things, in plain language and explainable terms:

  1. What’s our organizational human risk?
  2. What comprises that risk?
  3. What are we doing about it?

Traditional metrics like phishing click rates and awareness training completions are proxies for risk, but they aren’t actual risk. Boards don’t want to hear, “We delivered more trainings.” They want to understand, “Credential reuse dropped by 45% across people with access to sensitive data this quarter.” That shift—from activity reporting to outcome reporting—is what changes everything.

From compliance to comprehension

The new gold standard in security reporting isn’t about compliance; it’s about comprehension. That means metrics need to be both explainable and actionable. With Fable Security’s board-ready reporting, CISOs can now quantify human risk with precision and context. That includes:

  • A comprehensive risk score that shows what drives it and how it’s trending
  • A view of the riskiest behaviors across people and teams
  • Behavior change metrics that track program impact over time
  • Time-to-behavior change, showing how quickly employees respond to your guidance
  • Social engineering heat maps that visualize where people are most targeted and how they perform

These metrics tell a clear story: where human risk lives, how it’s evolving, and what’s working to reduce it.

The next board meeting will sound different

Picture your next security update. Instead of walking through threat counts, you open with: 

“Our organizational human risk score improved by 18% this quarter. Credential reuse is down 50%, and we’ve cut time-to-OS update from 25 to 4 days. This means we’ll be about half as susceptible to most of the attacks that take advantage of credential reuse, and we’ve closed our device update exposure window to avoid most exploits. Our next priority is to reduce risky data-sharing in AI tools.”

That’s not a compliance update—it’s a narrative of progress, proof, and accountability.

Raising board expectations

The human risk story boards are expecting is changing from clicks and completions to metrics that really show what’s going on. Security leaders who can tell that story clearly will reshape how the board thinks about cyber risk altogether. By turning human behavior data into board-ready insights, we’re helping our security leader partners redefine what “good security reporting” looks like. The next time you brief your board, don’t just meet their expectations. Upend them.