TL;DR—
Part 1 of a multi-part blog series on the data behind Fable’s Human Risk Report Vol. 2.
- Last week at RSAC, we heard no shortage of opinions about human risk… but didn’t see the data on what’s actually working or not.
- Today, we’re publishing those numbers: our second edition of Fable’s Human Risk Report (HRR), “The art and science of behavior change in human risk.”
- Download the report below. Over the coming weeks, we’ll publish a deep-dive blog on each section.
Human risk has a measurement problem.
At RSAC last week, I had a version of the same conversation roughly a dozen times.
Someone would walk up, we’d get to talking about human risk, and eventually I’d ask: how do you know your security awareness program is working?
The answers were depressingly consistent. Completion rates. Click rates on phishing simulations. “We saw engagement go up.”
Here’s what almost no one said: our employees actually changed their behavior.
That gap—between measuring activity and measuring behavior change—is what Fable’s Human Risk Report exists to close.
Not with another opinion piece about why humans are the weakest link—we know, we’ve read them—but with actual numbers from actual organizations doing the work.
The risky behaviors we measured — and the changes we found.
The data in this report covers one fiscal quarter: November 1, 2025, through January 31, 2026. Hundreds of thousands of employees. Dozens of customers. Anonymized, aggregated, and illustrated with case studies where a single customer’s results were too instructive to leave out.
Here’s a taste of what’s inside:
- The ten most common human risks we tracked—including three that are accelerating fast enough that we’d call them urgent: likely data handling violations, social engineering susceptibility, and unsafe browsing behavior. (The browser extension threat landscape alone got worse last quarter in ways that are genuinely alarming.)
- A campaign maturity model for where your program actually sits—and what integration depth you need to go from “everyone gets the same video” to “we’re shaping specific behaviors in specific cohorts.” Twenty percent of Fable customers are running true behavior-change campaigns right now, and that number will go up by the time we run our next analysis.
- The role-is-not-risk finding—which, frankly, should change how most security teams build their training cohorts. Across our customer data, the employees most likely to trigger a DLP violation weren’t in technology roles. They were in HR and Legal, with Executives 43% more likely to commit a data violation than anyone in a tech-related role. We’ll dig into this one in its own post, because the implications are significant.
- Time to behavior change—not just whether employees changed a behavior, but how fast. The median, in a cohort of employees prompted to rotate breached credentials, was 1.8 days. The mean was 57.7. That spread is the story: most people act quickly when they’re given a clear reason to act, while a small holdout group requires a different approach entirely.
- Toxic combinations—pairs of risks that co-occur far more often than chance would predict. Executives with breached credentials, for example? That pairing showed up 191% more often than you’d expect for one of our clients last quarter. That’s not a coincidence. That’s a behavior change priority.
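To make "more often than chance would predict" concrete, here is an added example (not code or data from Fable's report) that compares the observed count of each role/risk pair with the count expected if role and risk were independent. The field names `role` and `risks`, the thresholds, and every record are constructed assumptions; the sample is sized so that one pair lands at 191% above expectation.

```python
from collections import Counter

def toxic_pairs(records, min_lift=1.5, min_expected=5.0):
    """Rank (role, risk) pairs by lift = observed / expected under independence.

    Pairs whose expected count is below min_expected are skipped, because a
    tiny cohort can show a huge lift from one or two employees.
    """
    n = len(records)
    roles = Counter(r["role"] for r in records)
    risks, pairs = Counter(), Counter()
    for r in records:
        for risk in r["risks"]:
            risks[risk] += 1
            pairs[(r["role"], risk)] += 1
    found = []
    for (role, risk), observed in pairs.items():
        # Expected co-occurrences if role and risk were unrelated.
        expected = roles[role] * risks[risk] / n
        if expected < min_expected:
            continue
        lift = observed / expected
        if lift >= min_lift:
            found.append((role, risk, observed, expected, lift))
    return sorted(found, key=lambda p: p[4], reverse=True)

def pct_above_expected(lift):
    """Convert a lift ratio into the 'X% more often than expected' form."""
    return (lift - 1.0) * 100.0

def build_sample():
    """Constructed population of 10,000 employees (illustrative only)."""
    recs = []
    def add(count, role, risks):
        recs.extend({"role": role, "risks": set(risks)} for _ in range(count))
    add(291, "executive", ["breached_credentials"])
    add(100, "executive", ["unsafe_browsing"])
    add(609, "executive", [])
    add(709, "other", ["breached_credentials"])
    add(900, "other", ["unsafe_browsing"])
    add(7391, "other", [])
    return recs

if __name__ == "__main__":
    for role, risk, obs, exp, lift in toxic_pairs(build_sample()):
        print(f"{role} + {risk}: observed {obs}, expected {exp:.0f}, "
              f"{pct_above_expected(lift):.0f}% above expectation")
```

In this sample, executives with unsafe browsing sit at a lift of exactly 1.0, so only the breached-credentials pairing is reported.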
Why we’re publishing the second Human Risk Report
I’ll be honest: the team and I didn’t build this report for the press release.
We built it because security teams deserve better benchmarks than “our employees completed the module.”
Every conversation I had at RSAC about human risk eventually hit the same wall—we’re doing stuff, but we can’t prove it’s working—when I know that’s a solvable problem.
So, with this report, I’m starting to lay the foundations for the fix.
This report is ours. Today, it’s bounded by a single quarter and customer set—and we’ll be the first to tell you it needs more time and more data before it becomes an industry benchmark.
But the analysis? The data? The findings?
They’re all real. And we think it points to something true that matters beyond our own organizations and into yours.
Download it. Share it with your team. And come back over the next few weeks as we dig into each section.

