Fable announces our board-ready human risk reporting.

7 human risk metrics your board wants, and you can deliver (finally!)

The TL;DR

  • Boards want clarity on human risk; legacy metrics don’t cut it
  • Fable’s board-ready reporting turns employee data into insights
  • Understand human risk, what comprises it, and how it’s changed
  • Show measurable impact and where to act next
  • Watch our Fast Fable to see the reporting in action

For years, CISOs have dreaded presenting human risk to the board. Directors and executives want to understand how employee behavior affects company risk, but most CISOs have struggled to make that story clear, explainable, and actionable.

If CISOs show human risk at all, it is as employees’ phishing simulation scores and awareness training completion rates, which are limited proxies for actual risk. Boards want to see actual risk, remediation plans, and program impact. Until now, most security leaders have simply shrugged and stuck to the hard-data security metrics.

We’re changing that. Our new board-ready reporting turns human risk and behavior data into meaningful, explainable, and actionable statistics for executives and directors. 

Here are seven metrics you will be able to see (or calculate) in Fable Security that your board will actually care about. These metrics reveal your organization’s human risk based on both inherent factors, such as an employee’s role and access, and behavioral factors, such as authentication hygiene, device health, data-sharing habits, credential strength, use of generative AI, susceptibility to social engineering, and more. They show the performance of the programs you’ve tried so far, as well as where you should prioritize your next action.

1. Explainable risk score

What’s needed is a single, comprehensive, explainable score that captures your organization’s human risk posture. The operative descriptor is “explainable”: it should clearly show which risk factors comprise it and to what degree, what actions you have taken to reduce it, and the prioritized actions that could drive it down even further.

You should be able to see this risk and its factors at the organizational, departmental, regional, or individual level, as well as compare across departments or regions.

2. Riskiest behaviors

Boards are curious about what’s putting the organization at risk. Show the highest-impact behaviors, such as reused passwords, outdated OS software, sensitive data sharing in generative AI, failed phishing simulations, and more. Enumerating these behaviors shines a light on which ones move the needle the most, and grounds in reality all subsequent discussion about what investments to make.

3. Behavior change

Measure how much employee behavior improves from the prior reporting period or the start of your risk reduction campaign, as well as against your goal. For example, if you launched a campaign to encourage all employees with elevated system access to adopt a password manager, and compliance went from 20% to 80%, you’d show a 60 percentage-point improvement, a four-fold increase in compliance, and, if the goal is full adoption, a status of 80% of goal.

4. Time-to-behavior change

How fast do people respond to your interventions? Show how many hours or days it takes to get your goal number of users to compliance (whether 50%, 75%, or 100% of the total cohort). For instance, if you’re being alerted to PII in cleartext in your systems and you have a zero tolerance for that behavior, you’ll need to measure how long it takes to drive that number to zero. 

5. Emerging threats and most relevant targets

Beyond showing risky behavior, it’s good to show how much of a target your organization is, with a drill-down into what the most relevant threats are. For example, if you have a large trove of customer data, you might be a target of the cyber crime group ShinyHunters. Go one better, and show which cohorts of people are most at risk. In this scenario, it would be those with elevated access in CRM systems.

6. Social engineering heat map

Show which roles, teams, or regions are most frequently targeted, and how they perform in controlled tests. A visual heat map makes it instantly clear where defenses are working, and where you’re exposed.

7. Risk lift of toxic combinations

One of the more sophisticated (and useful) metrics is identifying where two factors combine to elevate risk. We call these “toxic combinations.” The metric compares how often two risky behaviors co-occur versus how often you’d expect them to if they were independent. If the ratio P(X∩Y)/[P(X)×P(Y)] exceeds 1, those behaviors occur together more frequently than chance, indicating a positive association and a “toxic” risk lift. The ratio measures association, not causation, and with small cohorts you should check that the counts behind it are large enough to be meaningful. For example, employees with privileged access who also fail phishing simulations represent a high-risk combination.
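The three computed metrics above (behavior change, time-to-behavior change, and risk lift of toxic combinations) worked through in Python. This is an added example, not code from the Fable platform; the ten-person cohort, the flag names, the campaign date, and the password-manager campaign are all constructed for illustration.

```python
"""Worked human-risk metrics over a constructed employee cohort (hypothetical data)."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Employee:
    uid: str
    privileged: bool                      # inherent factor: elevated system access
    failed_phish_sim: bool                # behavioral factor
    reused_password: bool                 # behavioral factor
    pw_manager_since: Optional[datetime]  # when the person adopted the control; None = never


def behavior_change(before: float, after: float, goal: float = 1.0) -> dict:
    """Metric 3: percentage-point delta, fold change and progress toward the goal.
    Rates are fractions of the cohort (0.2 == 20%)."""
    if not (0.0 <= before <= 1.0 and 0.0 <= after <= 1.0 and 0.0 < goal <= 1.0):
        raise ValueError("rates must be in [0, 1] and goal in (0, 1]")
    return {
        "pp_delta": round((after - before) * 100, 1),
        "fold": round(after / before, 2) if before > 0 else math.inf,
        "pct_of_goal": round(after / goal * 100, 1),
    }


def time_to_compliance(campaign_start: datetime, cohort: list[Employee],
                       target: float) -> Optional[timedelta]:
    """Metric 4: elapsed time until `target` (e.g. 0.75) of the cohort had adopted the control.
    People already compliant before the campaign count as compliant at t=0.
    Returns None if the target was never reached."""
    needed = math.ceil(target * len(cohort))
    elapsed = sorted(max(e.pw_manager_since, campaign_start) - campaign_start
                     for e in cohort if e.pw_manager_since is not None)
    if needed == 0 or len(elapsed) < needed:
        return None
    return elapsed[needed - 1]


def lift(cohort: list[Employee], x: str, y: str) -> float:
    """Metric 7: P(X∩Y) / (P(X)*P(Y)). A value above 1 means the two flags co-occur
    more often than independence predicts; it says nothing about causation."""
    n = len(cohort)
    px = sum(getattr(e, x) for e in cohort) / n
    py = sum(getattr(e, y) for e in cohort) / n
    pxy = sum(getattr(e, x) and getattr(e, y) for e in cohort) / n
    if px == 0 or py == 0:
        return math.nan  # lift is undefined when either flag never occurs
    return pxy / (px * py)


def toxic_pairs(cohort: list[Employee], flags: list[str],
                threshold: float = 1.0) -> list[tuple[str, str, float]]:
    """Rank every pair of flags whose lift exceeds `threshold`, highest first."""
    ranked = []
    for x, y in combinations(flags, 2):
        lf = lift(cohort, x, y)
        if not math.isnan(lf) and lf > threshold:
            ranked.append((x, y, round(lf, 3)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample cohort of ten people (not real telemetry).
T0 = datetime(2025, 1, 6)  # hypothetical campaign start


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


COHORT = [
    Employee("a", True,  True,  False, day(-3)),  # privileged, already used a manager
    Employee("b", True,  True,  False, day(2)),
    Employee("c", True,  True,  False, day(5)),
    Employee("d", True,  False, False, None),     # never adopted
    Employee("e", False, True,  False, day(1)),
    Employee("f", False, False, True,  day(4)),
    Employee("g", False, False, True,  None),
    Employee("h", False, False, True,  day(9)),
    Employee("i", False, False, False, day(7)),
    Employee("j", False, False, False, None),
]
PRIVILEGED = [e for e in COHORT if e.privileged]

if __name__ == "__main__":
    print(behavior_change(0.2, 0.8))                 # {'pp_delta': 60.0, 'fold': 4.0, 'pct_of_goal': 80.0}
    print(time_to_compliance(T0, PRIVILEGED, 0.75))  # 5 days, 0:00:00
    print(time_to_compliance(T0, PRIVILEGED, 1.0))   # None: one privileged person never adopted
    print(toxic_pairs(COHORT, ["privileged", "failed_phish_sim", "reused_password"]))
    # [('privileged', 'failed_phish_sim', 1.875)]
```

In the constructed cohort, 40% are privileged and 40% failed the simulation, so independence would predict 16% having both; 30% actually do, giving a lift of 1.875. The pairs involving password reuse never co-occur with the other flags here, so they drop out of the ranking.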

To sum it all up

Boards don’t want more slides; they want clarity: the organization’s human risk, its primary factors, risk-reduction measures taken, and where to invest next. With board-ready reporting from Fable, you’ll be able to deliver those answers with confidence.

Upend what your board expects of your security reports

The TL;DR

  • Boards are asking for clarity on human risk—beyond phishing and training
  • With our board-ready reporting, CISOs can show risk with metrics that matter
  • With Fable, you can tell a crisp narrative of progress, proof, and accountability
  • Watch our Fast Fable to see the dashboard in action

For years, CISOs have walked into boardrooms armed with the same slide deck: threat counts, patch compliance, incident trends, phishing clicks, and training completions. The numbers look precise and the charts are neat, but they don’t answer the question boards are asking: what’s our human risk?

Where does risky behavior actually live in the organization? What drives it? How quickly are we fixing it? And are we getting safer…or just busier?

From systems to humans

For too long, security updates have focused on systems, not people. The board gets metrics like vulnerabilities closed or endpoints patched, but little visibility into the everyday human decisions that make or break security. The weak link is rarely the firewall; it’s more often the reused password, the unpatched laptop, or the sensitive data pasted into generative AI. We know this. We just haven’t had the right metrics to quantify it.

Drive clarity and alignment

Boards and executives aren’t asking for more detail. They’re asking for clarity. They want to know three things, in plain language and explainable terms:

  1. What’s our organizational human risk?
  2. What comprises that risk?
  3. What are we doing about it?

Traditional metrics like phishing click rates and awareness training completions are proxies for risk, but they aren’t actual risk. Boards don’t want to hear, “We delivered more trainings.” They want to understand, “Credential reuse dropped by 45% across people with access to sensitive data this quarter.” That shift—from activity reporting to outcome reporting—is what changes everything.

From compliance to comprehension

The new gold standard in security reporting isn’t about compliance; it’s about comprehension. That means metrics need to be both explainable and actionable. With Fable Security’s board-ready reporting, CISOs can now quantify human risk with precision and context. That includes:

  • A comprehensive risk score that shows what drives it and how it’s trending
  • A view of the riskiest behaviors across people and teams
  • Behavior change metrics that track program impact over time
  • Time-to-behavior change, showing how quickly employees respond to your guidance
  • Social engineering heat maps that visualize where people are most targeted and how they perform

These metrics tell a clear story: where human risk lives, how it’s evolving, and what’s working to reduce it.

The next board meeting will sound different

Picture your next security update. Instead of walking through threat counts, you open with: 

“Our organizational human risk score improved by 18% this quarter. Credential reuse is down 50%, and we’ve cut time-to-OS update from 25 to 4 days. This means we’ll be about half as susceptible to most of the attacks that take advantage of credential reuse, and we’ve closed our device update exposure window to avoid most exploits. Our next priority is to reduce risky data-sharing in AI tools.”

That’s not a compliance update—it’s a narrative of progress, proof, and accountability.

Raising board expectations

The human risk story boards are expecting is changing from clicks and completions to metrics that really show what’s going on. Security leaders who can tell that story clearly will reshape how the board thinks about cyber risk altogether. By turning human behavior data into board-ready insights, we’re helping our security leader partners redefine what “good security reporting” looks like. The next time you brief your board, don’t just meet their expectations. Upend them.

Your human risk playbook for BYOD

The TL;DR

  • BYOD saves money and boosts morale, but can fragment security
  • Laptops, tablets, and smartphones carry distinct risks
  • People can inadvertently expose your network, applications, and data
  • These hyper-targeted, precise interventions reduce exposure

Most organizations have a BYOD program. This saves money and makes employees happier, but it can also be risky. That’s because personal devices have fragmented security postures: outdated operating system software, unvetted apps, shared usage, and configurations that can open doors for attackers or human error.

When personal laptops and smartphones connect to your network, access corporate applications, and handle sensitive communications, they effectively become part of your security perimeter. You can protect these interactions through technical controls (like VPNs, MDM, and endpoint detection solutions). But ultimately, many settings and behaviors come down to the device owner. That’s where human risk management comes in: helping employees configure and use their devices in ways that reduce exposure.

Four common risk areas include device hygiene, access control, connectivity, and data handling. Here are some of the lapses we see in our human behavior data lake here at Fable Security, and some advice for addressing them in a targeted way.

Device hygiene

People aren’t always on top of their device hygiene—whether smartphones, tablets, or laptops. They delay OS updates, skip lock-screen protections, and forget to update anti-malware (or don’t have their anti-malware configured properly). That leaves exploitable vulnerabilities and weakens built-in security. Some jailbreak their smartphones, putting them at higher risk for malware. On laptops, people run unsupported operating systems and disable full-disk encryption, making them an easy target for attackers or exposing important data if the laptop is stolen.

Access control

Access controls on personal devices are often weaker than on company-issued ones. Employees reuse passwords across personal and work accounts, store corporate logins in unsecured browsers, and rely on weak PINs and easily bypassed biometrics. Saved credentials in mobile apps can also expose company systems if the device is lost or stolen. Without MFA enforced across accounts, attackers have an easy path in. The result is that an otherwise secure application can be compromised simply because the device is unsecured.

Connectivity

Connectivity habits are another weak link. Employees join public Wi-Fi networks in airports or cafés without a VPN, which exposes unencrypted traffic, DNS lookups, and captive-portal interactions to a rogue access point or on-path (man-in-the-middle) attacker. Smartphones paired with untrusted Bluetooth devices or personal hotspots can expose sensitive traffic. Unsecured laptop tethering creates similar risks. These are small conveniences for employees, but each one broadens the attack surface and can make corporate data easier to intercept.

Data handling

The line between personal and work data blurs quickly on BYOD devices. Auto-backups can push corporate files into personal iCloud or Google Drive accounts. Screenshots of sensitive information can land in smartphone photo galleries. Employees can save work documents to personal Dropbox accounts for convenience. These habits may feel harmless, but they erode the boundary between corporate and personal environments and can expose data.

The human risk playbook

No doubt you have policies for most or all of these eventualities, backed up with technical controls or paper processes. Whether you have a control in place or rely on a process, your human risk process can do four important things:

  1. Monitor how well your policies are being followed, and gain visibility into the cohorts of people who aren’t following them;
  2. Nudge or brief those who need a reminder of what your policies are, and how to adhere to them;
  3. Prompt people to adopt the proper tools (e.g., MDM, MFA, etc.) to ensure policies are followed through technical controls;
  4. When technical controls aren’t available, prompt people to adhere to policies through high-quality, targeted interventions.   

Use data to your advantage

Your human risk playbook should involve gathering and synthesizing telemetry from your identity and access, workspace, HR, and security stack to understand behaviors and automatically create cohorts of employees whose devices are out of policy or who exhibit risky BYOD behavior. 

Deploy hyper-targeted, precise interventions

From there, create targeted, policy-aligned, AI-generated interventions, such as a 30-word nudge in Slack or a 60-second personalized briefing video. The intervention should target only the people who need to take action, explain why, and offer a precise call-to-action. That could mean instructing people with out-of-date OS versions to update immediately, prompting those accessing sensitive corporate applications over unsecured Wi-Fi to use an approved VPN, or directing employees who are saving sensitive data to personal cloud storage to use the approved corporate-sanctioned cloud storage. By narrowing the scope and tailoring your calls-to-action, you not only reduce noise and fatigue but also maximize the likelihood that people will follow your BYOD policy.

Your path forward on safe BYOD use includes modern human risk management. Your human risk platform should understand your areas of risk and policy non-compliance and deploy super-relevant, just-in-time interventions to help employees course-correct without blocking them from using their devices.

Your human risk playbook for secure generative AI use

The TL;DR

  • Generative AI tools boost productivity, but can leak data
  • The risk can come from employees pasting code, uploading IP, sharing non-public financials, etc.
  • A human behavior data lakehouse can reveal hidden patterns pointing to these risks
  • You can use just-in-time interventions like super-short nudges and briefings to shape behavior
  • Here’s a sample of what you might find in the Fable platform

Enterprises are adopting generative AI in a big way. People are using tools like ChatGPT, Gemini, and Claude to speed up coding, polish marketing copy, summarize contracts, and brainstorm ideas. The productivity upside is real, but so are the risks—exposed customer data, source code, intellectual property, non-public financials, protected health information, and more can end up in places you never intended. Unlike traditional cyber threats, these exposures don’t come from an external attacker; they come from everyday employees moving too fast, and maybe not realizing the consequences.

The only way to deal with this risk is to see it clearly. A human behavior data lakehouse like ours ingests signals from your workspace and security stack, normalizes them, and identifies patterns. While your security team may be able to surface some issues from individual tools, they won’t have an easy way to see the behavior across the board, and more importantly, won’t be empowered to intervene—making employees aware and suggesting alternative ways to get their jobs done—while also protecting your sensitive data.

Here are a few of the sources and signals we see in the Fable platform:

  • IAM (Okta, Microsoft Entra ID, formerly Azure AD) → who’s adopting and provisioning access to AI
  • EDR (CrowdStrike, SentinelOne) → endpoint activity such as copy-paste
  • DLP (Microsoft Purview, Netskope) → sensitive data categorizations
  • SASE (Netskope, Zscaler) → sensitive data uploads to AI

Beyond simply telling you who’s doing what, a human behavior data lakehouse can connect more dots to give you context, such as people’s role, access, and behavior history, so you know where your risk is most acute and where to concentrate your interventions. 

Once you’ve identified the most problematic data-sharing behaviors in your enterprise, you’ll want to take action in the moment using an automated, AI-generated intervention. That may be a quick-and-dirty nudge in Slack or Teams, or a personalized 60-ish-second video briefing referencing the person, their precise behavior, your company’s policy, whatever sanctioned applications you want to guide them to, and any specific calls-to-action you want to make.

Here’s an example of what such an intervention might look like—a free video you can download and use in your company. It’ll give you a taste of our short-and-sweet, highly-effective, AI-generated content. As part of the Fable platform, it would be personalized, targeted, and sent just in time.

Want a briefing tailored to your organization’s tools? Schedule a short demo with us. 

These 7 human risk use cases require a data lakehouse

The TL;DR

  • Legacy tools rely on static, rules-based detections
  • Fable’s human behavior data lakehouse unlocks powerful, real-time capabilities
  • A data lakehouse enables critical, first-time use cases for enterprises, including:
    • Dynamic risk scoring
    • Early threat detection
    • Automated policy enforcement
  • Register for our 15-minute webinar on 9/4 at 10 am PT to learn more

When we set out to build the Fable human behavior data lakehouse, we weren’t just thinking about storing information. We were thinking about unlocking entirely new capabilities—ones that legacy systems simply can’t handle.

Here are seven human risk use cases that are only possible with a flexible lakehouse architecture, where the same data is available raw, enriched with context, and ready for analytics and machine learning.

1. Calculate employee risk dynamically

Most platforms score risk based on static rules: “Did John Smith pass or fail our phishing simulation?” But real-world risk is more complex. With a data lakehouse, ingest raw signals from across the enterprise—identity systems, endpoints, workspaces, HR systems, and more—and calculate a contextual risk score that updates dynamically as new data flows in.

2. See emerging threats early

Point solutions often miss nuanced employee behaviors that don’t fit a pre-defined rule and may occur across multiple enterprise touchpoints. For example, if someone with elevated Salesforce access also installs an unsanctioned remote support application, has browsed to malicious URLs, and hasn’t seen the briefing on vishing (all key indicators of a ShinyHunters attack), that combination may indicate trouble. A data lakehouse lets you correlate these signals and flag new risk patterns you haven’t seen before.

3. Identify risky, but business-critical employees

Not all risky users are created equal. With a flexible data model, you can layer in business metadata to distinguish between, say, a contractor with weak MFA accessing Snowflake and a senior engineer in the same system. A data lakehouse makes it possible to prioritize based on actual business exposure, not just technical signals.

4. Personalize interventions at scale

Generic nudges and training don’t cut it. A data lakehouse lets you assemble a full picture of each user—their role, access, team, geography, company tenure, authentication hygiene, data-handling history, credential exposure, phishing simulation performance, and more—and use that context to deliver highly personalized, AI-generated interventions that actually land. That might mean a nudge, a video briefing, or even a live workflow—precisely when and where it matters.

5. Query human risk in plain language

Instead of digging through dashboards, security teams can now ask questions like “Has anyone shared credentials to access our financial data?” or “Which developers consistently commit secrets or credentials in code?” With generative AI layered on top of a data lakehouse, raw data becomes explainable and queryable, and the answers stay verifiable: keeping the data in both raw and normalized, flattened formats makes querying efficient and lets every result be traced back to its original source record.

6. Turn policy documents into enforcement engines

Most organizations have PDF security policies that nobody reads. With a data lakehouse and generative AI, you can ingest and translate those documents into structured logic—then run that logic against real behavior data to detect violations and deliver interventions. Think of it as policy enforcement without the manual work.

7. Power automated, cross-system remediation

The best part of having a data lakehouse? You don’t just identify risk—you reduce it. We’re evolving toward agentic workflows that act on data lakehouse insights, pushing changes across your stack: triggering a Slack message, disabling access, assigning a task, or updating configuration. It’s no longer just, “Tell me what’s wrong,” but, “Let’s fix it.”


Our human behavior data lakehouse isn’t just an architecture choice. It’s a foundation for a more powerful, precise, and proactive approach to managing human risk. And these seven use cases are just the beginning.

Register for our webinar

Want to learn more about our human behavior data lakehouse? Sign up for our 15-minute webinar on September 4 at 10:00 am PT.

We architected our data lakehouse for insights—and action

The TL;DR

  • Human risk data is messy, siloed, and context-dependent—most platforms constrain it, losing the ability to enable insights and action.
  • Our bronze–silver–gold data lakehouse keeps data complete, connected, and actionable.
  • This architecture enables rich insights: behavioral timelines, trend detection, cross-platform correlation, and contextual risk-scoring.
  • The result: fast, precise interventions that shape behavior and reduce risk.
  • Read insights from our 15-minute webinar to learn more.

Why human risk data needs a data lakehouse

In modern human risk management, delivering the right insights and recommendations requires assembling the right data and making it available to the right decision-makers, right away. Many platforms limit what data can be captured or constrain it as it’s being captured, making it hard for security practitioners to do high-value work like build personalized risk profiles, view behavioral timelines, detect changes over time, and correlate cross-platform signals down to the individual employee.

As we were building Fable, we knew we needed to integrate thousands of data points from hundreds of sources, and then transform that data into something accurate and meaningful for our customers, while also preserving the captured data in its original format. We modeled our data lakehouse on the medallion architecture (bronze, silver, and gold layers), a widely used pattern in modern data engineering.

[Figure: Fable Security’s data lakehouse architecture, showing raw data flowing through Bronze, Silver, and Gold layers toward human risk analysis.]

Put simply, we needed to move from the static, rigid world of, “This employee fits X behavior,” to dynamic, flexible insights that take business context, timelines, newly-discovered data, and populations into account. We needed to create insights like the following:

  Insight → What’s required

  • “This employee exhibits risky behavior” → Personalized baselines vs. population rules
  • “This employee’s behavior has shifted” → Temporal change detection vs. static snapshots
  • “This employee’s risk is escalating” → Trend analysis vs. point-in-time assessment
  • “This employee’s behavior correlates across platforms” → Cross-system patterns vs. siloed alerts
  • “This employee’s risk context matters” → Seasonal/role-aware vs. one-size-fits-all
  • “This employee recovered from previous risk” → Dynamic scoring vs. permanent flagging

These insights—and the recommendations they enable—are possible because we’ve organized our data lakehouse into a three-layer pipeline: bronze, silver, and gold. Each layer plays a distinct role in turning messy inputs into precise findings on which you can take action.

Our approach: A bronze, silver, and gold data lakehouse pipeline

The bronze layer: capture everything; lose nothing

The bronze layer is our raw landing zone for exact API responses. Here, we ingest data as nested JSON blobs from across the human attack surface: security event logs, phishing simulations, email gateways, endpoint detections, policy compliance records, HR data, workspace events, and more. 

The key at this stage is fidelity: we preserve the original data exactly as we receive it, schema quirks and all. This “store first, shape later” approach means we never lose potentially valuable context, even if we don’t yet know how we’ll use it.

The silver layer: make it consistent and connected

The silver layer is where raw chaos becomes usable. We flatten data (with no data loss), normalize formats, and correct quality issues. We also join data points from disparate systems, e.g., an endpoint alert to the employee who uses the device or a phishing click with an employee’s role, tenure, and past phishing simulation performance. We also remove obvious noise so downstream models and analytics don’t get tripped up by irrelevant events. The result is a unified, queryable view of human risk events across the enterprise. This layer is the difference between “we have the data” and “we can ask meaningful questions.”

The gold layer: deliver insights that drive action

The gold layer is where the data becomes human risk intelligence. Here, we apply advanced processing, analytics, and machine learning to identify patterns, score risk, and trigger interventions. A phishing click becomes a risk score adjustment; a policy violation becomes a two-way chat; anomalous behavior across multiple systems or from a foreign country triggers a just-in-time security briefing. The gold layer is tightly coupled to our platform’s agentic intervention capability, ensuring that insights don’t just sit in dashboards; they actively shape behavior.

By combining these three layers, we get a complete picture of human risk, like how repeated phishing missteps plus excessive access can reveal an employee’s rising risk.
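As an added example (not Fable’s code), here is a toy version of the three-layer pipeline in Python. Bronze keeps the raw JSON payloads verbatim; silver flattens them to dotted keys, normalizes e-mail addresses and timestamps, joins each event to the person’s HR record, and drops informational noise; gold turns the joined events into an explainable per-person score and an intervention decision. The source names, payloads, field mappings, weights, and the score threshold are all hypothetical.

```python
"""Toy bronze/silver/gold pipeline for human-risk events (illustrative, not Fable's code)."""
import json
from collections import defaultdict
from datetime import datetime

# --- Bronze: exact API responses, stored verbatim. Payloads constructed for this example. ---
BRONZE = [
    {"source": "phish_sim", "payload": '{"event":"click","user":{"email":"Ana.Li@Example.com"},'
                                       '"ts":"2025-03-03T09:12:00Z","campaign":{"id":"q1-invoice"}}'},
    {"source": "edr", "payload": '{"alert":{"severity":"high","type":"unsigned_remote_tool"},'
                                 '"host":{"owner":"ana.li@example.com"},"detected_at":"2025-03-03T11:40:00Z"}'},
    {"source": "edr", "payload": '{"alert":{"severity":"informational","type":"usb_inserted"},'
                                 '"host":{"owner":"ben.ko@example.com"},"detected_at":"2025-03-03T12:00:00Z"}'},
    {"source": "hr", "payload": '{"email":"ana.li@example.com","role":"sales_engineer","access":["salesforce_admin"]}'},
    {"source": "hr", "payload": '{"email":"ben.ko@example.com","role":"designer","access":[]}'},
]


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys; every leaf survives, lists are kept whole."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


# --- Silver: per-source mapping from flattened keys onto one common event schema. ---
SCHEMA = {
    "phish_sim": {"email": "user.email", "ts": "ts", "kind": "event", "severity": None},
    "edr": {"email": "host.owner", "ts": "detected_at", "kind": "alert.type", "severity": "alert.severity"},
}
NOISE_SEVERITY = {"informational"}  # hypothetical: events we drop before analytics


def to_silver(bronze):
    """Normalize, de-noise and join raw records to people. Returns (people, events)."""
    people, events = {}, []
    for rec in bronze:
        flat = flatten(json.loads(rec["payload"]))
        if rec["source"] == "hr":
            people[flat["email"].lower()] = {"role": flat["role"], "access": flat["access"]}
            continue
        m = SCHEMA[rec["source"]]
        severity = flat.get(m["severity"]) if m["severity"] else None
        if severity in NOISE_SEVERITY:
            continue
        events.append({
            "email": flat[m["email"]].lower(),                         # identity normalization
            "ts": datetime.fromisoformat(flat[m["ts"]].replace("Z", "+00:00")),
            "kind": f'{rec["source"]}:{flat[m["kind"]]}',               # e.g. "phish_sim:click"
        })
    for ev in events:  # join: attach role and access from the HR record
        ev.update(people.get(ev["email"], {"role": "unknown", "access": []}))
    return people, events


# --- Gold: explainable score per person plus an intervention decision. ---
WEIGHTS = {"phish_sim:click": 20, "edr:unsigned_remote_tool": 30}  # hypothetical weights
ACCESS_MULTIPLIER = {"salesforce_admin": 1.5}                       # inherent factor: sensitive access
BRIEFING_THRESHOLD = 50


def to_gold(events):
    """Weighted event sum scaled by the most sensitive access held; factors are kept for explainability."""
    score, factors = defaultdict(float), defaultdict(list)
    for ev in events:
        weight = WEIGHTS.get(ev["kind"], 5)
        mult = max([ACCESS_MULTIPLIER.get(a, 1.0) for a in ev["access"]] + [1.0])
        score[ev["email"]] += weight * mult
        factors[ev["email"]].append(ev["kind"])
    return {
        email: {
            "score": round(s, 1),
            "factors": factors[email],
            "intervention": "briefing" if s >= BRIEFING_THRESHOLD else None,
        }
        for email, s in score.items()
    }


if __name__ == "__main__":
    people, events = to_silver(BRONZE)
    print(json.dumps(to_gold(events), indent=2, default=str))
```

Run stand-alone, the script shows Ana with two contributing factors and a score of 75 (both events scaled by her Salesforce admin access) and a briefing queued, while Ben’s only event was informational noise and never reaches gold. Because the bronze records are untouched, a later change to the mapping or weights can be replayed over the same raw payloads.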

Why this architecture matters

This bronze-silver-gold-layered approach matters because human risk data is messy, siloed, and often context-dependent. Without the bronze layer, you lose historical detail that could be vital in an investigation. Without silver, you can’t reliably connect behaviors across systems and people. And without gold, you can’t put insights into action in a way that changes outcomes. Together, these layers ensure that every security-relevant human action, whether a click, a login, or a policy acknowledgment, is part of a coherent, actionable risk picture.

What human risk use cases are possible

Because our Medallion-based pipeline keeps the data clean, connected, and context-rich, it enables capabilities that would otherwise be impossible. Some examples of human risk use cases are:

  • Behavioral trend analysis: Identify departments where phishing susceptibility is increasing month over month.
  • Precision interventions: Trigger a targeted briefing for an employee who failed a simulated phishing test and recently had a risky browser download.
  • Risk-informed policy changes: Highlight patterns where security policies are routinely bypassed, so leaders can address root causes rather than just symptoms.

In human risk management, speed, accuracy, and context aren’t nice-to-haves; they’re the difference between stopping a breach and cleaning up after one. Our data lakehouse architecture ensures we always have the intelligence we need, when we need it, to keep our customers secure.

Register for our webinar

Want to learn more about our human behavior data lakehouse? Sign up for our 15-minute webinar on September 4 at 10:00 am PT.