It’s Time to Make Peace With Imperfection in Cybersecurity Human Risk Management

Jun 27, 2025

Thea Mannix
Thea Mannix is a behavioral neuroscientist with over 10 years of experience in studying how the biology of our brains can influence our behavior. Thea now works on applying her experience to cybersecurity scenarios surrounding the human element, and is a specialist in human data handling and interpretation in human risk management.
I’m often asked, ‘What’s the difference between human risk management and traditional security awareness? Isn’t it just the same thing in different clothes?’ It’s a fair question.

My response? Human risk management is the industry finally letting go of the falling rock.

That rock is the illusion of perfection - the belief that with enough control, clean metrics, and precision, we could master the chaos of human behavior. We held on tightly to our 0% phishing click rate goals, or a single “risk score” for the entire workforce, thinking they would steady us. We demand dashboards with normalized data and KPIs. We desperately want to feel in control.

But when it comes to people, that mindset holds us back.

Perfect metrics are not just unrealistic, they’re misleading. Boiling complex human behavior down to a single number might look clinical, but it hides what really matters: patterns, context, change over time, and resilience. The pursuit of ‘perfect’ numbers can actually distract us from progress. Clinging to that illusion of control doesn’t make things worse per se, but it doesn’t change the fact that we’re still falling. Complexity, unpredictability, and messy human data are part of the terrain. The question isn’t whether we can stop the fall, it’s whether we can learn to navigate it.

Letting go doesn’t mean giving up on measurement or structure. It means trading a false sense of control for meaningful, adaptable insight. Because in cybersecurity human risk management, control doesn’t come from precision but from adaptability.

And to me, that’s the heart of it: human risk management is letting go of the rock.

The Fallacy of Perfect Measurements

When the U.S. Air Force was designing cockpits to fit the ‘average’ pilot across 10 body measurements in the 1950s, it ironically found that not a single pilot actually fit all 10 averages. As a result, the one-size-fits-all cockpit fit no one well, and redesigns had to be based on ranges and flexibility instead. The most commonly used and ‘statistically accurate’ measure is the average. But designing interventions for the average person is often a bad idea, because very few people actually sit at the average.

The same applies in cybersecurity training or human risk management interventions: targeting the ‘average user’ risks ignoring those who are most vulnerable or disengaged. For instance, a phishing simulation tailored to a statistically average response time may completely overlook users who are impulsive under pressure or those who process information more slowly. Instead of designing for a fictional middle, we must design with variance and adaptability in mind: focusing on behaviors, patterns, and edge cases that matter.

Unlike technical systems, human behavior doesn’t follow fixed rules. It varies with mood, workload, environment, and a dozen other unseen factors. Yet we often try to impose the same measurement expectations we use for machines onto people.

The Murkiness of Behavioral Metrics

Human-related data is often imprecise, scattered across systems, and shaped by context: think engagement rates, sentiment analysis, security culture surveys, or behavioral logs from phishing simulations. None of these offer a perfect picture on their own, but together they form a narrative. For example, if phishing simulations show that a certain team clicks more frequently in the late afternoon, that's a useful insight, even if it's not statistically perfect. It gives you a basis to start a conversation, target training, or investigate root causes.

The goal isn’t perfect measurement, it’s progress. Directionally useful insights help us ask better questions, focus our efforts, and improve outcomes. It’s not the number itself that matters, but what it tells you - and that often requires context. Being data-driven is good. Being information-driven is better. Behavioral improvement starts with action. Waiting for flawless metrics only delays meaningful progress.

Human Risk Management Is About Resilience, Not Elimination

No amount of training or tooling will reduce human error to zero.

But that's not the goal, nor should it be.

The real objective is to build resilient behaviors: people who report incidents quickly, recover from mistakes, and feel empowered to act securely. Metrics like redemption (users reporting a phish after clicking) or time-to-detect are signs of strength, not failure.
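As an added example (not from the article), here is how the late-afternoon click pattern from the previous section and the redemption and time-to-detect measures described above can be pulled from a small phishing-simulation log, next to the single aggregate click rate that hides them. The log, team names, and the 15:00 "late" threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed phishing-simulation events (not real data): each tuple is
# (team, sent_at, clicked_at or None, reported_at or None), ISO 8601 local times.
EVENTS = [
    ("finance", "2025-06-02T09:05", None,               "2025-06-02T09:12"),
    ("finance", "2025-06-02T09:07", None,               None),
    ("finance", "2025-06-02T16:20", "2025-06-02T16:22", "2025-06-02T16:40"),
    ("finance", "2025-06-03T16:45", "2025-06-03T16:47", None),
    ("finance", "2025-06-04T16:10", "2025-06-04T16:30", "2025-06-04T17:05"),
    ("ops",     "2025-06-02T10:15", "2025-06-02T10:18", "2025-06-02T10:25"),
    ("ops",     "2025-06-02T15:50", None,               "2025-06-02T15:55"),
    ("ops",     "2025-06-03T11:00", None,               None),
    ("ops",     "2025-06-03T16:30", None,               "2025-06-03T16:33"),
    ("ops",     "2025-06-04T09:40", None,               None),
]


def _t(stamp):
    """Parse an ISO timestamp, passing None through for missing events."""
    return datetime.fromisoformat(stamp) if stamp else None


def overall_click_rate(events=EVENTS):
    """The single 'risk score' view: clicks divided by simulated emails sent."""
    return sum(1 for _, _, clicked, _ in events if clicked) / len(events)


def click_rate_by_team_and_period(events=EVENTS, late_start_hour=15):
    """Click rate per (team, period); 'late' = sent at or after late_start_hour.
    This is the breakdown that exposes a team's late-afternoon pattern."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for team, sent_at, clicked_at, _ in events:
        period = "late" if _t(sent_at).hour >= late_start_hour else "early"
        sent[(team, period)] += 1
        if clicked_at:
            clicked[(team, period)] += 1
    return {key: clicked[key] / sent[key] for key in sent}


def redemption_rate(events=EVENTS):
    """Share of clickers who still reported the phish after clicking."""
    clickers = [(c, r) for _, _, c, r in events if c]
    if not clickers:
        return None
    redeemed = sum(1 for c, r in clickers if r and _t(r) > _t(c))
    return redeemed / len(clickers)


def median_minutes_to_report(events=EVENTS):
    """Median time-to-detect: minutes from send to report, over all reporters."""
    minutes = [(_t(r) - _t(s)).total_seconds() / 60 for _, s, _, r in events if r]
    return median(minutes) if minutes else None
```

On this constructed log the aggregate click rate is 0.4, while the breakdown shows finance clicking on every late-afternoon email and none of the morning ones, and three of the four clickers still reported the phish.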

The shift from prevention to resilience requires a mindset change. That evolution acknowledges that human behavior is inherently variable and builds systems that support people when things go wrong. We need to stop trying to fit people into pre-fabricated boxes and start building boxes around people instead.

The Cost of Chasing Perfection

Trying to develop a ‘perfect’ set of human risk metrics can slow your program down. You can end up over-engineering solutions, missing the chance to iterate, or more commonly in my experience, over-measuring or getting distracted. If you are measuring everything, you aren’t measuring anything. And if you’re measuring only things that can be quantified and normalized, you are almost certainly missing the bigger picture.

Worse, this pursuit can isolate your team. Overly rigid standards can create barriers with stakeholders like HR, legal, or business units. When you accept that measurement will evolve, you're more open to collaboration and shared ownership of human risk.

Which, ultimately, is necessary.

Cybersecurity is everyone’s business. Accepting imperfection will break down silos. When you stop trying to control every variable, you start inviting other departments into the conversation. HR might not have your level of security knowledge, but they understand employee sentiment and engagement. Training teams know what resonates with learners.

Bringing these perspectives in helps shape a more accurate and actionable picture of cybersecurity human risk.

Iteration Over Perfection

Cybersecurity human risk management isn’t about eliminating risk, it’s about understanding, influencing, and improving how people behave in complex, high-stakes environments. It should be agile. Start with the data you have, define working models, and iterate as you learn. Your metrics need to be consistent, explainable, and relevant to your context. With time, you can refine them, validate them, and build a stronger foundation for decision-making.

By making peace with imperfection, we’re not lowering the bar but aligning it with reality. And in my opinion, that’s truly the core of human risk management. When we let go of the need for perfect measurement, of the desire for 0% risk, of generalized training based on the non-existent “average”, we open the door to real progress, faster iteration, and better collaboration.

Human behavior will never be as tidy as a server log. But it's just as measurable and extremely influential. Start where you are, use what you have, and build from there. The path to stronger security lies in progression, not perfection.
