Fable announces our board-ready human risk reporting.

7 human risk metrics your board wants, and you can deliver (finally!)

Sanny Liao

10/26/2025


The TL;DR

  • Boards want clarity on human risk; legacy metrics don’t cut it
  • Fable’s board-ready reporting turns employee data into insights
  • Understand human risk, what comprises it, and how it’s changed
  • Show measurable impact and where to act next
  • Watch our Fast Fable to see the reporting in action

For years, CISOs have dreaded presenting human risk to the board. Directors and executives want to understand how employee behavior affects company risk, but most CISOs have struggled to make that story clear, explainable, and actionable.

If they show human risk at all, it’s employees’ phishing simulation scores and awareness training completion rates, which are limited proxies for actual risk. Directors want to see actual risk, remediation plans, and program impact. Until now, most security leaders would pretty much just shrug and focus on the hard-data security metrics.

We’re changing that. Our new board-ready reporting turns human risk and behavior data into meaningful, explainable, and actionable statistics for executives and directors.

Here are seven metrics you will be able to see (or calculate) in Fable Security that your board will actually care about. These metrics reveal your organization’s human risk based on both inherent factors, such as each employee’s role and access, and behavioral factors, such as authentication hygiene, device health, data-sharing habits, credential strength, use of generative AI, susceptibility to social engineering, and more. They show the performance of programs you’ve tried so far, as well as where you should prioritize your next action.

1. Explainable risk score

What’s needed is a single, comprehensive, explainable score that captures your organization’s human risk posture. The operative descriptor is “explainable”: it should clearly show which risk factors comprise it and to what degree, what actions you have taken to reduce it, and the prioritized actions that could drive it down even further.

You should be able to see this risk and its factors at the organizational, departmental, regional, or individual level, as well as compare across departments or regions.

2. Riskiest behaviors

Boards are curious about what’s putting the organization at risk. Show the highest-impact behaviors, such as reused passwords, outdated OS software, sensitive data sharing in generative AI, failed phishing simulations, and more. Enumerating these behaviors shines a light on which ones move the needle the most, and grounds in reality all subsequent discussion about what investments to make.

3. Behavior change

Measure how much employee behavior improves from the prior reporting period or the start of your risk reduction campaign, as well as vis-a-vis your goal. For example, if you launched a campaign to encourage all employees with elevated system access to adopt a password manager, and compliance went from 20% to 80%, you’d show a 60 percentage-point improvement, a four-fold increase in compliance, and a status of 80% of total goal.

4. Time-to-behavior change

How fast do people respond to your interventions? Show how many hours or days it takes to get your goal number of users to compliance (whether 50%, 75%, or 100% of the total cohort). For instance, if you’re being alerted to PII in cleartext in your systems and you have zero tolerance for that behavior, you’ll need to measure how long it takes to drive that number to zero.

5. Emerging threats and most relevant targets

Beyond showing risky behavior, it’s good to show how much of a target your organization is, with a drill-down into what the most relevant threats are. For example, if you have a large trove of customer data, you might be a target of the cyber crime group ShinyHunters. Do one better, and show which cohorts of people are most at risk. In this scenario, it would be those with elevated access in CRM systems.

6. Social engineering heat map

Show which roles, teams, or regions are most frequently targeted, and how they perform in controlled tests. A visual heat map makes it instantly clear where defenses are working, and where you’re exposed.

7. Risk lift of toxic combinations

One of the more sophisticated (and useful) metrics is identifying where two factors combine to elevate risk. We call these “toxic combinations.” The metric compares how often two risky behaviors co-occur versus how often you’d expect them to co-occur if they were independent. If the ratio P(X∩Y) / [P(X) × P(Y)] exceeds 1, those behaviors occur together more frequently than chance would predict, indicating a positive association and a “toxic” risk lift. For example, employees with privileged access who also fail phishing simulations represent a high-risk combination.
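The lift calculation described above, as an added example that is not Fable’s own code: it computes P(X∩Y) / [P(X) × P(Y)] over a constructed set of employee records, treats the ratio as undefined when one factor never occurs, and goes one step beyond the text by ranking every pair of factors so the toxic combinations surface automatically. The record layout and factor names are assumptions made for the example.

```python
"""Risk lift of "toxic combinations" over constructed employee records.

lift = P(X and Y) / (P(X) * P(Y)); a value above 1 means the two risky
factors co-occur more often than independence would predict.
"""
from itertools import combinations

# Constructed sample data (not real employees); factor names are assumptions.
EMPLOYEES = [
    {"id": 1,  "privileged_access": True,  "failed_phish": True,  "reused_password": True,  "cleartext_pii": False},
    {"id": 2,  "privileged_access": True,  "failed_phish": True,  "reused_password": False, "cleartext_pii": False},
    {"id": 3,  "privileged_access": True,  "failed_phish": True,  "reused_password": False, "cleartext_pii": False},
    {"id": 4,  "privileged_access": True,  "failed_phish": False, "reused_password": False, "cleartext_pii": False},
    {"id": 5,  "privileged_access": False, "failed_phish": False, "reused_password": True,  "cleartext_pii": False},
    {"id": 6,  "privileged_access": False, "failed_phish": True,  "reused_password": True,  "cleartext_pii": False},
    {"id": 7,  "privileged_access": False, "failed_phish": True,  "reused_password": False, "cleartext_pii": False},
    {"id": 8,  "privileged_access": False, "failed_phish": False, "reused_password": True,  "cleartext_pii": False},
    {"id": 9,  "privileged_access": False, "failed_phish": False, "reused_password": True,  "cleartext_pii": False},
    {"id": 10, "privileged_access": False, "failed_phish": False, "reused_password": False, "cleartext_pii": False},
]
FACTORS = ["privileged_access", "failed_phish", "reused_password", "cleartext_pii"]


def risk_lift(records, x, y):
    """Return P(X), P(Y), P(X∩Y) and the lift ratio for factors x and y."""
    n = len(records)
    cx = sum(1 for r in records if r[x])
    cy = sum(1 for r in records if r[y])
    cxy = sum(1 for r in records if r[x] and r[y])
    if n == 0 or cx == 0 or cy == 0:
        lift = None  # independence baseline is 0: the ratio is undefined
    else:
        lift = (cxy * n) / (cx * cy)  # counts first, so 3*10/(4*5) is exactly 1.5
    return {"p_x": cx / n if n else 0.0, "p_y": cy / n if n else 0.0,
            "p_xy": cxy / n if n else 0.0, "lift": lift}


def toxic_combinations(records, factors, threshold=1.0):
    """Rank every factor pair whose lift exceeds the threshold, highest first."""
    found = []
    for x, y in combinations(factors, 2):
        lift = risk_lift(records, x, y)["lift"]
        if lift is not None and lift > threshold:
            found.append((x, y, lift))
    return sorted(found, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for x, y, lift in toxic_combinations(EMPLOYEES, FACTORS):
        print(f"{x} + {y}: lift {lift:.2f}")
```

With the sample above, privileged access and failed phishing simulations co-occur 1.5 times as often as independence would predict, while the other pairs sit at or below 1 and are not flagged.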

To sum it all up

Boards don’t want more slides; they want clarity: the organization’s human risk, its primary factors, risk-reduction measures taken, and where to invest next. With board-ready reporting from Fable, you’ll be able to deliver those answers with confidence.
