Day 9 of 12 days of riskmas (or, if you prefer, risk-mukah or the non-denominational risk-ivus)
The TL;DR
- Risks that travel together are toxic combinations
- Risk lift measures how often paired risks co-occur versus random chance
- In one case, money handlers who fail phishing tests have a risk lift of nearly 2x
- Targeting overlapping risks can deliver outsized security gains
There will be math. You’ve been warned.
Some risks are dangerous on their own. Others become even more hazardous when they collide. In our human risk report, we focus on toxic combinations: pairs of risky behaviors or exposures that occur together far more often than chance would predict. These overlaps are where security programs tend to lose control quietly, and where attackers find their easiest paths in.
To measure this effect, we look at what we’re calling “risk lift of toxic combinations” (if you think of a more clever name, we’re all ears). In simple terms, it compares how often two risks actually co-occur with how often they would if they were unrelated. The math is straightforward: lift = P(A∩B) / (P(A) × P(B)). A lift of exactly 1.0 means the two risks are independent. Anything higher than 1.0 means the co-occurrence is higher than expected, and therefore toxic, meaning the two risks amplify overall exposure.
We took several real-world examples from our anonymized data set, finding in one case that money-handlers who failed phishing simulations show a lift of 1.98—nearly double the overlap you’d expect by chance. That pairing alone signals a dangerous mix of access and susceptibility. In another case, employees with sensitive data access and no multi-factor authentication register a lift of 1.17. And a third example shows IT administrators who reuse passwords coming in at 1.13. Each number may look modest on its own, but together they show that weaknesses that travel together stack the risk.
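As an added illustration (this is not code from the report or its authors), here is how the lift above is estimated from a roster of employees flagged with boolean risk indicators. The 40-person sample and the field names money_handler, failed_phishing and no_mfa are constructed for the example, and the final step goes a little beyond the text by scoring every pair of indicators and ranking the toxic ones.

```python
from itertools import combinations

# Constructed sample (not from the report): each key is a profile
# (money_handler, failed_phishing, no_mfa) and the value is how many of
# the 40 employees share it.
FIELDS = ("money_handler", "failed_phishing", "no_mfa")
CONSTRUCTED_PROFILE_COUNTS = {
    (True, True, True): 4,
    (True, True, False): 4,
    (True, False, True): 2,
    (True, False, False): 0,
    (False, True, True): 4,
    (False, True, False): 4,
    (False, False, True): 5,
    (False, False, False): 17,
}

def expand_records(profile_counts: dict) -> list:
    """Turn the compact profile table into one dict per employee."""
    records = []
    for profile, count in profile_counts.items():
        records.extend(dict(zip(FIELDS, profile)) for _ in range(count))
    return records

def risk_lift(records: list, a: str, b: str) -> "float | None":
    """Lift = P(A and B) / (P(A) * P(B)), estimated from counts.
    1.0 means independence; above 1.0 the pair co-occurs more than chance.
    Returns None when either risk never occurs, since the ratio is undefined."""
    n = len(records)
    n_a = sum(1 for r in records if r[a])
    n_b = sum(1 for r in records if r[b])
    n_ab = sum(1 for r in records if r[a] and r[b])
    if n == 0 or n_a == 0 or n_b == 0:
        return None
    # Same as (n_ab/n) / ((n_a/n) * (n_b/n)), with one division instead of three.
    return (n * n_ab) / (n_a * n_b)

def rank_toxic_combinations(records: list, fields=FIELDS, threshold: float = 1.0) -> list:
    """Score every pair of risk fields; return (a, b, lift) for pairs above
    threshold, highest lift first, so the overlaps to fix come out on top."""
    scored = []
    for a, b in combinations(fields, 2):
        lift = risk_lift(records, a, b)
        if lift is not None and lift > threshold:
            scored.append((a, b, lift))
    return sorted(scored, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for a, b, lift in rank_toxic_combinations(expand_records(CONSTRUCTED_PROFILE_COUNTS)):
        print(f"{a} + {b}: lift {lift:.2f}")
```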
This is the hidden cost of treating risks as independent checkboxes. A phishing failure here, weak authentication there. On paper, each might seem manageable. In reality, the overlap is what matters. That’s where exposure accelerates and where breaches are most likely to begin.
The upside is clarity. Toxic combinations tell security teams exactly where to act. Instead of broad, blunt controls, leaders can target the people and behaviors that deliver the biggest risk reduction for the least effort. Fix the overlaps—not just the outliers—and the payoff compounds fast.
See, that math wasn’t so bad, was it?
Tune in tomorrow for a fun little review about measuring risk.