SELF-ASSESSMENT / 12 QUESTIONS / 5 MINUTES

Where does your human risk programme actually stand?

According to Gartner, 72% of organizations are at Level 1, running phishing simulations and ticking compliance boxes.

This assessment shows where you really are across the four levels of the Human Risk Management (HRM) Maturity Model, and what it would take to level up.

Start here

The HRM Maturity Model in brief

From the paper

This section is adapted from The End of Security Awareness As We Know It, OutThink's founding point of view on human risk. Written by founder and CEO Flavius Plesu and grounded in more than 100 enterprise deployments and over 10 billion behavioural data points, it is the thesis the OutThink platform is built on: the argument for why security awareness training has reached the end of the road, and what replaces it.

For twenty years the industry measured security awareness by activity: training completed, phishing click rates trending down, reporting rates trending up. Those metrics moved organizations from nothing to structured programmes, but they answer the wrong question. Boards no longer want proof that a programme exists. They want to know whether human behaviour is actually changing, and whether that change is reducing real exposure to AI-powered attacks.

The Human Risk Management (HRM) Maturity Model below maps that journey in four levels, from Reactive to Predictive. Each level is a fundamentally different operating model, with its own platform, data and process requirements. The model is sequential: each level builds the foundation the next one depends on. In practice, most organizations operate at one level while already building toward the next.

Time / investment →Human-risk maturity →L1ReactiveL2Self-AdaptingL3ProactiveL4Predictive
L1
Reactive
Meet compliance requirements. Training completion. Phishing simulations.

L1 programs are compliance-driven. They exist because regulators, auditors, and security standards require evidence that employees receive security training. And they satisfy that requirement. The compliance box is ticked. The dashboards look reassuring. The auditors are happy.

Generic trainingCompletion dashboardsGamified phishingCompliance-driven

Click a level to explore it

How this assessment works

Twelve questions, each answer mapped to a maturity level from 1 (Reactive) to 4 (Predictive). We take the mean to place you on the model, then score five dimensions of a mature programme separately to surface your three biggest blind spots. Two questions act as gates: you cannot credibly rank above Level 2 unless your programme is integrated with your security stack and your risk score is built on real behavioural data.

At the end we will ask for your email, then show your level, your score across every dimension, your three biggest blind spots, and tailored next steps drawn straight from The End of Security Awareness As We Know It. You can read the full piece any time.

Read the full piece, “The End of Security Awareness As We Know It” →

0 / 12 answeredQuestion 1 of 12
THE ASSESSMENT
Twelve questions
Each answer maps to a maturity level, from 1 (Reactive) to 4 (Predictive). Answer for how things really run today - the value is in the gaps it surfaces.
Q.01
What do you primarily report as proof your programme is working?
Q.02
How is training targeted?
Q.03
Which security behaviours do you actually train and test?
Q.04
How do you measure engagement?
Q.05
Can you train and reach your whole workforce - including people without a corporate email address?
Q.06
Is your awareness programme connected to your security stack?
Gate question: a credible Level 3 or above is not possible without this - it is the data that feeds a real human risk score.
Q.07
Could you answer, right now: “which 50 people are most at risk today, and why?”
Q.08
What is your human-risk score actually built from?
Gate question: a credible Level 3 or above is not possible without a score built on real, integrated behavioural data.
Q.09
When someone makes a real mistake, what happens?
Q.10
Do you capture why people behave insecurely - not just the outcome?
Q.11
How does your programme run day to day?
Q.12
If a sophisticated, AI-powered attack hit your most-targeted users tomorrow, how confident are you the programme would protect them?
This is the outcome question. It frames your result rather than scoring a single capability.

When you are ready, see your maturity level, your blind spots and your roadmap to level up.

Answer all 12 questions, then add your email to unlock your results.