Where does your human risk programme actually stand?
According to Gartner, 72% of organizations are at Level 1, running phishing simulations and ticking compliance boxes.
This assessment shows where you really are across the four levels of the Human Risk Management (HRM) Maturity Model, and what it would take to level up.
The HRM Maturity Model in brief
This section is adapted from The End of Security Awareness As We Know It, OutThink's founding point of view on human risk. Written by founder and CEO Flavius Plesu and grounded in more than 100 enterprise deployments and over 10 billion behavioural data points, it is the thesis the OutThink platform is built on: the argument for why security awareness training has reached the end of the road, and what replaces it.
For twenty years the industry measured security awareness by activity: training completed, phishing click rates trending down, reporting rates trending up. Those metrics moved organizations from nothing to structured programmes, but they answer the wrong question. Boards no longer want proof that a programme exists. They want to know whether human behaviour is actually changing, and whether that change is reducing real exposure to AI-powered attacks.
The Human Risk Management (HRM) Maturity Model below maps that journey in four levels, from Reactive to Predictive. Each level is a fundamentally different operating model, with its own platform, data and process requirements. The model is sequential: each level builds the foundation the next one depends on. In practice, most organizations operate at one level while already building toward the next.
L1 programs are compliance-driven. They exist because regulators, auditors, and security standards require evidence that employees receive security training. And they satisfy that requirement. The compliance box is ticked. The dashboards look reassuring. The auditors are happy.
Click a level to explore it
How this assessment works
Twelve questions, each answer mapped to a maturity level from 1 (Reactive) to 4 (Predictive). We take the mean to place you on the model, then score five dimensions of a mature programme separately to surface your three biggest blind spots. Two questions act as gates: you cannot credibly rank above Level 2 unless your programme is integrated with your security stack and your risk score is built on real behavioural data.
At the end we will ask for your email, then show your level, your score across every dimension, your three biggest blind spots, and tailored next steps drawn straight from The End of Security Awareness As We Know It. You can read the full piece any time.
Read the full piece, “The End of Security Awareness As We Know It” →
When you are ready, see your maturity level, your blind spots and your roadmap to level up.
Answer all 12 questions, then add your email to unlock your results.