Day 1 of 12 days of riskmas (or, if you prefer, risk-mukah or the non-denominational risk-ivus)
The TL;DR
- Security teams see countless risky behaviors
- These ten human risks show up everywhere
- Top risks range from weak credentials to social engineering
- Targeting these risks with precise interventions is key to reducing exposure
- Download the full report for metrics, real-world examples, and insights to strengthen your human risk strategy for 2026
In our 12 days of riskmas (or, if you prefer, risk-mukah or the non-denominational risk-ivus) series, our second post focuses on 10 of the most common human risks we see across Fable customers. Security teams track all sorts of risky behaviors based on their unique environments and the signals they collect. Despite the differences from one organization to another, a familiar set of risks appears consistently. These are patterns that erode security posture and raise the likelihood of compromise.
1. Weak, reused, or shared credentials remain one of the most common vulnerabilities. When attackers can guess a password (password spraying), replay one leaked from another site (credential stuffing), or obtain it from a colleague who shared it, they can often walk straight into critical systems.
2. Failing to rotate credentials exposed in a breach leaves known-compromised passwords and keys in circulation. This gives attackers a ready-made entry point, often long after the initial incident, because leaked credential sets are traded and re-tested for years.
3. Over-provisioned access—whether excessive privileges or time-bound access that was never revoked—expands the blast radius of any account compromise and violates the principle (or policy!) of least privilege.
4. Unpatched operating systems and software expose organizations to known vulnerabilities. Attackers routinely automate scans to exploit these gaps, often before defenders notice.
5. Weak MFA for critical applications undermines one of the strongest available safeguards. When MFA is optional, inconsistently enforced, or built on phishable factors (SMS codes, one-time passcodes, simple push approvals), attackers defeat it routinely with real-time phishing proxies or push-fatigue prompts; only phishing-resistant factors such as FIDO2/WebAuthn keys close that gap.
6. Exposure of sensitive information in generative AI or cloud applications creates uncontrolled data sprawl. Once data leaves approved systems, monitoring and data policy enforcement become dramatically harder.
7. Secrets in code or private information stored in cleartext invite unintended access. These mistakes can surface system credentials, internal logic, personally identifiable information, IP, or any non-public information to anyone who stumbles upon them, and a secret committed to a repository stays in its history even after the line is deleted, so the only real fix is rotation.
8. Susceptibility to social engineering remains a top human risk. Attackers exploit trust, urgency, or confusion to trick users into revealing information or granting access.
9. Oversharing personal information online gives adversaries material to craft convincing phishing or impersonation schemes. The more public data available, the easier it is to target individuals.
10. Unsafe websites or unvetted browser extensions introduce hidden malware, tracking, or data exfiltration. Even small tools can become powerful attack vectors when installed widely.
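Item 7 above is the one risk on this list that a security team can detect mechanically before a human ever has to be coached. The scanner below is an added example, written for this post and not Fable's code, showing the two detection approaches practitioners usually combine: fixed-format patterns (an AWS access key ID, a PEM private-key header), which are unambiguous, and a generic "name = 'value'" pattern gated by a Shannon-entropy check to avoid flagging placeholders. The sample lines, the 4.0 bits-per-character threshold and the key names in the regex are assumptions chosen for illustration. It also shows the well-known gap in the entropy gate: a dictionary passphrase is a real secret with low entropy, so password-named assignments are reported regardless of entropy.

```python
"""Added example (not from Fable): a minimal cleartext-secret scanner.

Combines fixed-format patterns with an entropy-gated generic pattern,
and reports password-named assignments even when their entropy is low.
"""
import math
import re
from collections import Counter

# Constructed sample input: lines as they might appear in a source tree.
# AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID, not a live key.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    "-----BEGIN RSA PRIVATE KEY-----",
    'db_password = "correct horse battery staple"',
    'api_token = "placeholder"',
    'logger.info("starting worker")',
    'SECRET_KEY = "k8Jd93nXq2LmP0vZrT5wYbC1aF7hG4eU"',
]

# Fixed-format secrets: the token format alone identifies the type.
FIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Generic assignment where the variable name hints that the value is a secret.
# The key-name list is an assumption; extend it for your own naming conventions.
ASSIGNMENT = re.compile(
    r"(?i)(?P<name>[\w-]*?(?:password|passwd|secret|token|api[_-]?key)[\w-]*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{8,})[\"']"
)

# Assumed threshold in bits per character; a random 32-char key sits at ~5.0,
# while English words and placeholders sit well below 4.0.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_password_name(name: str) -> bool:
    """Names that hold human-chosen passwords, which defeat the entropy gate."""
    lowered = name.lower()
    return "password" in lowered or "passwd" in lowered


def scan_line(line: str, lineno: int) -> list[tuple[int, str, str]]:
    """Return (line number, finding kind, reason) tuples for one line."""
    findings = []
    for kind, pattern in FIXED_PATTERNS.items():
        if pattern.search(line):
            findings.append((lineno, kind, "fixed-format match"))
    for match in ASSIGNMENT.finditer(line):
        name, value = match.group("name"), match.group("value")
        entropy = shannon_entropy(value)
        if entropy >= ENTROPY_THRESHOLD:
            findings.append((lineno, f"high-entropy {name}", f"{entropy:.2f} bits/char"))
        elif is_password_name(name):
            # Low entropy but password-named: report it anyway.
            findings.append((lineno, f"cleartext {name}",
                             f"{entropy:.2f} bits/char; passphrases evade the entropy gate"))
        # Other low-entropy values ("placeholder") are left alone as likely dummies.
    return findings


def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan every line and return all findings in file order."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        findings.extend(scan_line(line, lineno))
    return findings


if __name__ == "__main__":
    for lineno, kind, reason in scan(SAMPLE_LINES):
        print(f"line {lineno}: {kind} ({reason})")
```

Run against the sample, the scanner reports lines 1, 2, 3 and 6 and stays quiet on the `placeholder` token and the log statement. The passphrase on line 3 is only caught because of the name rule, which is the practical point: entropy filters cut noise but must not be the sole test for anything a person typed.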
To address these risks effectively, security teams must craft targeted interventions based on role, risk, specific behaviors, and business context. This means pairing high-quality detection with tailored guidance—delivering the right message, through the right channel, and at the moment the risky behavior occurs.
Ultimately, while the security landscape evolves constantly, the behaviors that introduce risk remain remarkably consistent. By understanding these patterns and responding with precise, context-aware interventions, organizations can meaningfully reduce exposure and strengthen their overall security posture.
Check in tomorrow (day 2) as we dive into the types of campaigns our customers are running, their maturity levels, and what they’re able to achieve with them.