TL;DR:

  • In April 2026, Gartner VP Analyst Richard Addiscott officially called for dropping “human risk management” as a market name, to replace HRM with secure behavior management (SBM)
    • We agree, and we’re making the switch across Fable.
  • The difference isn’t cosmetic.
    • HRM treats employees as liabilities to measure and compensate for.
    • SBM treats human behavior as changeable, and employees as potential security assets.
  • Breach data analysis shows the HRM model has a ceiling, and peer-reviewed research explains exactly why we’ve been hitting it.

What “managing human risk” quietly assumes

Every social engineer understands that language encodes assumptions. That is, the words you choose to write or say assume something about the recipient’s underlying context, and those assumptions are what drive relevance and action.

Let’s use the phrase “human risk management” as an example.

When you describe something as a risk to be managed, you’re making a quiet claim about its nature: that it is, fundamentally, a constant. 

You manage things you expect to persist. If you thought someone could change, you’d develop or coach them instead.

That’s exactly what the previous “human risk management” market framing of Fable’s solution assumed: that your employees are a known, fixed quantity of unreliability.

You document it, score it, compensate for it with technical controls, and report the residual risk to your board. The annual phishing simulation isn’t designed to build anything. It’s designed to measure how broken the thing still is. 

You keep measuring the hole in the fence to see if it gets bigger, instead of thinking about how you repair it.

How did we get “human risk management”, anyway?

This term isn’t an accident. Security awareness training (SAT) and human risk management have their roots in financial compliance, not behavioral science. 

When SOX, HIPAA, and PCI-DSS made human-focused training a regulatory requirement in the early 2000s, SAT programs were designed to satisfy auditors. You needed a record that training occurred. You didn’t need proof that anything changed.

That compliance-first framing produced compliance-first programs, and that DNA persisted even as the market matured. Phishing simulations gave the liability a click rate. Risk scores gave the click rate a dashboard. 

But the underlying assumption never changed: humans are a liability you compensate for, not an asset you develop.

To be honest, we used the phrase as a way to quickly communicate Fable’s holistic approach to employee behavior management. However, it has never sat well with us as a complete way to describe what we do and what our mission is.

That’s why Addiscott’s article, “Why It’s Time to Drop ‘Human Risk Management’ as a Market Name”, immediately set Fable’s internal chats on fire a few weeks ago.

Because “secure behavior management” describes the assumption Fable has challenged from the very start: behavior isn’t fixed, so secure behavior can be managed, not just compensated for.

And the term isn’t optimism about human nature. Rather, it takes behavioral science seriously in a way that the previous, finance-derived risk language never did.

Years of legacy “human risk management” barely moved the needle.

Verizon’s annual Data Breach Investigations Report (DBIR) has tracked the human element in large-scale breaches over the last four years, and it shows only marginal improvement.

  • 2022: 82% of breaches had some element of risky human behavior or accidental manual issue at play.
  • 2023: 74% 
  • 2024: 68%
    • Note that the apparent improvement is largely a methodology change, not necessarily a real one. 
  • 2025: 60%

While the reported stats seem to be trending positively, remember that even as employees come and go from organizations, the multi-billion-dollar SAT industry has already sunk its roots into most companies.

That is, if traditional security awareness training worked, the behavioral improvements should have carried over between organizations as people changed jobs.

Therefore, most of the recorded security exposures should have been caused by new-to-the-workforce employees.

However, my previous experiences reading client security reports at an MDR and supporting in-house incidents show that newbies aren’t the vulnerable population, with an interesting uptick in risky behaviors from employees with between one and five years’ tenure at any given organization.

Initial research I conducted back in 2023 supports this lived experience: we found that senior executives were four times more likely to have clicked a phishing link or shared company passwords than rank-and-file employees.

Why the “human risk” philosophy falters where “secure behavior” shines

Now, you can read those reports as evidence that humans are irredeemably fallible. 

Or, you can read them as evidence that the programs weren’t designed to change anything beyond compliance checkboxes. 

  • A 2024 meta-analysis of 69 SAT studies by researchers at Leiden University found that “while training programs are effective in changing knowledge, attitudes and other precursors to behaviour, they are less effective in triggering actual behaviour change.”
  • Another review of awareness training research by University of Adelaide researchers was equally direct: evidence on the success of legacy SAT programs in driving sustained behavioral change is limited.

Awareness went up. Behavior stayed flat, or otherwise couldn’t be measured.

This is what behavioral scientists call the intention-behavior gap: the space between knowing the right thing and doing it under pressure, under deadline, under the social urgency of an email that looks like it’s from your CFO. 

But that gap doesn’t close because someone completed a module. If your program is designed to raise awareness or to manage a human liability, then completion is a success. 

If you actually believe people can change their behavior, then SAT completion rates and phish sim click tracking aren’t enough.

Turning human liabilities into compensating controls

In security architecture, a compensating control is a control you deploy when a primary control can’t fully address a risk. It actively mitigates exposure through a different mechanism. 

The previous “human risk management” frame treated humans as the gap that compensating controls exist to cover.

Your multi-factor authentication (MFA) apps, your endpoint detection and response (EDR) tools, your secure email gateways (SEGs) — all are deployed because your employees can’t be trusted to close the loop themselves.

However, “secure behavior management” inverts that premise.

For example, an employee who recognizes a business email compromise attempt and picks up the phone to verify before processing a wire transfer is no longer your “weakest link” in the security fence.

They’re a detection layer, right alongside your SEGs and your EDR. 

That employee caught something no technical control flagged, in a context only a human could interpret, because they were trained for it, not just warned about it. 

That’s a compensating control. That’s an employee functioning as part of your security architecture, not doomed to be a permanent hole in your defense in depth.

When Fable talks about building secure behavior programs rather than managing human risk, that’s exactly what we mean. 

The goal isn’t (just) a prettier dashboard or compliance trails. It’s an employee who acts differently, better, and more securely in their riskiest moments. Not because they’re afraid of being caught in a simulation, but because they’ve internalized what secure behavior looks like in the context of their actual work.

Richard Addiscott put his finger on why the old framing was always corrosive

You will struggle to win the hearts and minds of employees you want willingly adopting more secure behaviors if you start by referring to them as “human risks.”

In other words, you can’t build a positive security culture by telling people they’re the problem. You build it by treating them as part of the solution.

What “secure behavior management” means for how Fable talks about our work

We’re updating how we describe this across Fable: in our product, our content, and in how we talk to security leaders about what we’re building together.

That means you’ll hear more about how employees’ behaviors change over time.

We’ll work to talk less about which employees are your highest-risk liabilities. We’ll focus more on the organizational cohorts that represent your best opportunities for behavior change, and on how Fable’s clients achieved that change.

It’ll be less about managing a permanent liability, and more about developing your future security assets.

Because that’s what your employees are. They’re not a gap in your security architecture. They’re currently your most underdeployed compensating control.

In the meantime, if you’d like to dig into what a behavioral approach looks like in practice, from how you segment employees to how you measure what’s actually changing, download “Modern Human Risk Management for Dummies”, no email required.

(And yes, the title is ironic in retrospect. Consider it an artifact of the era we’re leaving behind.)


*Editorial note: I’ve had to resort to anecdotal support for my “people with tenure demonstrate more risky behaviors than new-to-the-company or new-to-the-workforce” statement, as it’s an under-researched dissection of known human behaviors, aside from that original research I did back in 2023 on willful executive misconduct.

Now, isn’t that interesting? It’s almost as though most security vendors treat people like a single monolithic vulnerability, instead of a multi-variable and dynamic opportunity…