Why Leadership Still Misunderstands Human Risk

The problem isn’t that human risk can’t be managed, it’s that most organizations are still looking at it through the wrong lens.

Authored by Lance Spitzner

Despite years of breaches, warnings, and increasingly sophisticated attacks, many leaders continue to misunderstand one of the most exploited elements in cybersecurity: human behavior.

Here are the top reasons human risk continues to be misunderstood.

1. The Persistent Myth of the “Human is the Weakest Link”

When an employee causes an incident, from falling victim to a vishing attack to accidentally sharing sensitive data in the cloud, far too often leaders perceive this as “the human is the weakest link.” However, people are not the problem; the environments we create are.

Security policies, tools, and expectations have become incredibly confusing, difficult, and overwhelming for people. Yes, security is simple for most security professionals, but we live and breathe security daily.

People want to do the right thing; it’s just that we have done a terrible job of communicating security in simple terms and making security as easy as possible. This is why people are not the weakest link; they are the primary attack vector. When people do cause an incident, instead of blaming them, we should look at the environment we have created and ask ourselves what we can do differently.

2. Quantitative vs. Qualitative

Most leaders (and security teams) are comfortable funding a variety of technical solutions, from controls such as EDR and IAM platforms to vulnerability management and AI-driven detection. These controls feel concrete, measurable, and controllable. Human risk and people do not.

The concepts of behavior and culture can feel vague or “squishy,” something that cannot be measured or managed, and as such they continue to be ignored. Attackers, meanwhile, have moved on. They no longer focus on technical vulnerabilities but exploit trust, urgency, and authority.

What leaders and security teams misunderstand is that you absolutely can take a quantitative approach to human behavior and culture. There are decades of proven research, scientific studies, and models that enable any security team to take a very structured approach to how they manage and measure their human risk.

Human risk feels intangible only when it’s unmanaged. With the right model, it becomes measurable and actionable.

3. Leaders Are Looking at the Wrong Thing: Compliance

Far too often, leaders look at the wrong metrics and draw the wrong conclusions. They believe they have a mature security awareness and behavior program, with dashboards full of reassuring numbers such as:

  • 96% training completion
  • The number of newsletters, podcasts, and webcasts they hosted this year
  • 94% signed Acceptable Use Policies

In reality, these metrics are designed to satisfy auditors, not reduce risk. A mature program goes far beyond just training numbers. It focuses on key human risks, the behaviors that manage those risks, continuous engagement throughout the year, and a culture that builds trust.

4. Mandating Security

Far too often, leaders and security teams believe that they can mandate secure behaviors. Enforcing policies and expectations will address human risk and drive behavior change, but taking such a punitive approach destroys culture in the long term.

As a result:

  • Employees stop reporting incidents for fear of reprisals or blame
  • Developers avoid the security team because security is a blocker
  • Security teams are perceived as egotistical or arrogant
  • Security policies are perceived as confusing or overwhelming and often bypassed

Mandating behavior creates a toxic environment where people do only what is required and nothing more. Over time, vulnerabilities, broken policies, and security issues become embedded across the organization, while the security team loses visibility as problems are actively avoided or bypassed.

Better Questions Leaders Should Be Asking

Organizations serious about managing cyber human risk should shift leadership conversations from blame to design. Leaders should be asking:

  • Who is responsible for managing our human risk and who do they report to?
  • What is our strategy for engaging our workforce and driving positive change?
  • Which roles are most targeted—and why?
  • How do managers respond when someone reports a mistake?
  • What are our top human risks, and which behaviors mitigate those risks?
  • What are we doing to make security simpler for our workforce?
  • What are we doing to make the security team more approachable, collaborative, and enabling?

These are not abstract questions. They determine whether an organization treats human risk as a liability or a capability.

These questions reveal far more about reducing human risk than another tool purchase ever will. Managing human risk must be a key part of any security team’s strategy. Until we address the human issue, people will continue to be the primary attack vector.

For leaders looking to move from intention to action, the SANS Security Awareness & Culture Maturity Model™ provides a practical framework for assessing where an organization stands today and defining the next steps toward measurable, sustainable reduction of human risk.