Self-Assessment / 12 Questions / 5 Minutes

Where does your human risk programme actually stand?

According to Gartner, 72% of organisations are at Level 1, running phishing simulations and ticking compliance boxes. This assessment shows where you really are across the four levels of the Human Risk Management (HRM) Maturity Model, and what it would take to level up.

72%
of organisations are at HRM Level 1 today (Gartner)
70-80%
of breaches still involve the human element
4
distinct maturity levels, Reactive to Predictive

The HRM Maturity Model in brief

From the paper

This section is adapted from The End of Security Awareness As We Know It, OutThink's founding point of view on human risk. Written by founder and CEO Flavius Plesu and grounded in more than 100 enterprise deployments and over 10 billion behavioural data points, it is the thesis the OutThink platform is built on: the argument for why security awareness training has reached the end of the road, and what replaces it.

For twenty years the industry measured security awareness by activity: training completed, phishing click rates trending down, reporting rates trending up. Those metrics moved organisations from nothing to structured programmes, but they answer the wrong question. Boards no longer want proof that a programme exists. They want to know whether human behaviour is actually changing, and whether that change is reducing real exposure to AI-powered attacks.

The Human Risk Management (HRM) Maturity Model below maps that journey in four levels, from Reactive to Predictive. Each level is a fundamentally different operating model, with its own platform, data and process requirements. The model is sequential: each level builds the foundation the next one depends on. In practice, most organisations operate at one level while already building toward the next.

[Figure: The HRM Maturity Journey, from OutThink's “The End of Security Awareness As We Know It”. Four ascending levels from Reactive to Predictive; maturity rises left to right, and the climb from Level 1 to Level 2 is the Bridge.]

The four levels at a glance

L1 Reactive
Compliance driven. Generic training and phishing simulations. The box gets ticked, but human risk is not measurably reduced. Gartner puts 72% of organisations here.
L2 Adaptive
Real behaviour change begins. The four critical jobs (Motivate, Educate, Activate, Correct) run continuously and autonomously across the whole workforce.
L3 Proactive
Human risk becomes quantified, visible and actionable. Risk scores are built on real behavioural data and feed decisions in the SOC, GRC and access reviews.
L4 Predictive
The platform runs on auto-pilot. Risk drives conditional access automatically, users self-remediate, and the same governance extends to AI agents. Fewer than 0.1% of organisations are here.

Why Level 2 is the crux

Level 2 is where most of the value is unlocked, and where the model is strictest. It rests on four critical jobs, identified across more than 100 enterprise deployments. They are a system, not a menu.

01 Motivate
Give every person a reason to care, based on what actually drives them.
02 Educate
Deliver training adapted to each user's role, industry and real behaviour.
03 Activate
Give people realistic practice across every behaviour that matters, not just phishing.
04 Correct
Intervene at the moment of risk, when the mistake happens, not months later.

All four, together. A programme that runs two of the four is not half as effective. It is a broken system, because the missing pieces undermine the ones that work. Doing one or two of them while the rest happen by hand still counts as Level 1.

Level 3 and Level 4 build on top

From Level 2 onward the model is a ramp rather than a wall. Level 3 (quantify human risk) and Level 4 (automate controls and govern AI agents) sit on top of a working Level 2, so you can be operating at Level 2 while already piloting parts of Level 3 or Level 4. That is the intended path, not a contradiction. This assessment gives you an overall level from your answers, then shows your strength in each capability, so you can see where you are already reaching ahead.

How this assessment works

Twelve questions cover the six capabilities the model is built on: the four jobs of Level 2 (Motivate, Educate, Activate, Correct), plus the risk quantification of Level 3 and the automation of Level 4. Each answer maps to one of the four maturity levels.

At the end you will see your level, your score across every capability, and tailored next steps drawn straight from The End of Security Awareness As We Know It. You can read the full piece any time.

Read the full piece, “The End of Security Awareness As We Know It” →

PART 01 / 06
Motivate
Give every person a reason to care. Before you can change behaviour, you have to understand what makes each individual care about security.
Q.01
How well do you understand what motivates each individual to care about security?
Personal relevance, professional identity, learned helplessness, champions. Do you know who is who?
Q.02
Is security behaviour connected to something that genuinely matters in your business?
A defensible, holistic score of each person's security competence that they can see and improve, and that HR can act on.
PART 02 / 06
Educate
Deliver training uniquely adapted to each user. Generic training produces generic results. Adaptive training is grounded in your policies, your industry and your reality.
Q.03
How closely does your training reflect your own organisation's policies, industry and threat reality?
Not generic content. Your policies, your environment, your regulations, your strategy.
Q.04
How do you measure whether training is actually working?
Completion is activity, not outcome. Who genuinely engaged, who clicked through, and who never started are three different things.
PART 03 / 06
Activate
Give people practice beyond phishing. Knowledge without practice does not change behaviour, and phishing is one behaviour out of dozens.
Q.05
Which security behaviours do you give your people practice on?
Phishing, vishing, smishing, deepfakes, data handling, secure browsing, endpoint, social media, physical and clean desk.
Q.06
Does your practice adapt to each user, and can it convincingly simulate AI-powered threats?
Pass-or-fail modules versus branching, immersive practice scenarios (sometimes called cyber ranges). Deepfake CEO voice notes, AI-generated Teams messages.
PART 04 / 06
Correct
Intervene at the moment of risk. A correction delivered three months later in a quarterly module is not a correction.
Q.07
When someone makes a security mistake, when do they hear about it?
The closer the correction is to the moment of the mistake, the more it sticks.
Q.08
Is your programme connected to the rest of your security stack?
EDR, DLP, web filter, SIEM, IAM. Real-time correction needs live behavioural feeds.
PART 05 / 06
Quantify
Defensible human risk intelligence. Every vendor claims a risk score. The question is what data feeds it, and whether anyone outside the awareness team will act on it.
Q.09
What feeds your human risk scores?
Simulation results alone are a closed loop: they only measure how people respond to the simulations. Real risk needs real signals from the production environment.
Q.10
Does your human risk intelligence drive prioritised action beyond the awareness team?
Prioritised recommendations across people, process and technology, used by the SOC, GRC and IAM.
PART 06 / 06
Automate
Risk-driven controls and AI agent governance. Human risk intelligence drives access at machine speed, users self-remediate, and the same discipline extends to AI agents.
Q.11
Does human risk automatically influence access and security controls?
Conditional access, MFA enforcement, device compliance, and user self-remediation when risk crosses a threshold.
Q.12
Are the AI agents in your environment governed with the same behavioural rigour as people?
Gartner estimates 40% of enterprise applications will integrate AI agents by the end of 2027, each acting on behalf of a human.
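To make Parts 05 and 06 concrete, here is an added example (not OutThink's code, and not the scoring model behind the OutThink platform) of the mechanics the questions are probing: behavioural signals from several tools (phishing simulation, DLP, EDR, web filter, training status, a real phish reported) are fused into a per-user risk score with time decay, and the score is mapped to a conditional-access action once it crosses a threshold. The signal names, weights, half-life, thresholds and sample events are all illustrative assumptions constructed for the example.

```python
"""Added example: fuse multi-source behavioural signals into a human risk score
and map it to a risk-driven access decision. All weights, thresholds and sample
events are illustrative assumptions, not a published or vendor scoring model."""
from dataclasses import dataclass
from datetime import datetime

# Illustrative weights per signal type. Negative weight = protective behaviour.
SIGNAL_WEIGHTS = {
    "phish_sim_click": 15,        # clicked a simulated phish
    "phish_sim_cred_submit": 30,  # entered credentials on a simulated phish
    "real_phish_reported": -10,   # reported a real phish (reduces risk)
    "dlp_block": 20,              # DLP blocked an outbound sensitive file
    "edr_malware_blocked": 25,    # EDR blocked malware the user launched
    "web_filter_block": 5,        # web filter blocked a risky site
    "training_overdue": 10,       # assigned training not completed
}

# Exponential decay so that old events stop dominating the score.
HALF_LIFE_DAYS = 30.0


@dataclass
class Signal:
    user: str
    kind: str
    timestamp: datetime


def decayed_weight(signal: Signal, now: datetime) -> float:
    """Weight of one signal after exponential decay by its age."""
    age_days = (now - signal.timestamp).total_seconds() / 86400.0
    return SIGNAL_WEIGHTS[signal.kind] * 0.5 ** (age_days / HALF_LIFE_DAYS)


def risk_scores(signals: list[Signal], now: datetime) -> dict[str, float]:
    """Sum decayed signal weights per user and clamp to the 0..100 range."""
    raw: dict[str, float] = {}
    for s in signals:
        raw[s.user] = raw.get(s.user, 0.0) + decayed_weight(s, now)
    return {u: max(0.0, min(100.0, v)) for u, v in raw.items()}


def access_decision(score: float) -> str:
    """Map a risk score to a conditional-access action (thresholds are assumed)."""
    if score >= 60:
        return "block_and_require_remediation"  # user must complete self-remediation
    if score >= 30:
        return "step_up_mfa"                     # enforce MFA / device compliance
    if score >= 15:
        return "nudge"                           # in-the-moment coaching only
    return "allow"


def evaluate(signals: list[Signal], now: datetime) -> dict[str, tuple[float, str]]:
    """Return {user: (score, decision)} for every user with at least one signal."""
    return {u: (round(v, 2), access_decision(v)) for u, v in risk_scores(signals, now).items()}


# Constructed sample feed, as if pulled from the simulation tool, DLP, EDR and LMS.
NOW = datetime(2025, 1, 31)
SAMPLE_SIGNALS = [
    Signal("alice", "phish_sim_cred_submit", datetime(2025, 1, 30)),
    Signal("alice", "dlp_block", datetime(2025, 1, 25)),
    Signal("bob", "phish_sim_click", datetime(2024, 10, 3)),      # old, mostly decayed
    Signal("bob", "real_phish_reported", datetime(2025, 1, 29)),  # protective behaviour
    Signal("carol", "edr_malware_blocked", datetime(2025, 1, 31)),
    Signal("carol", "phish_sim_cred_submit", datetime(2025, 1, 28)),
    Signal("carol", "training_overdue", datetime(2025, 1, 31)),
]


def demo() -> dict[str, tuple[float, str]]:
    return evaluate(SAMPLE_SIGNALS, NOW)


if __name__ == "__main__":
    for user, (score, decision) in demo().items():
        print(f"{user:6s} score={score:6.2f} -> {decision}")
```

The point of the decay and the negative weight is the Part 05 question in miniature: a score built only from simulation clicks cannot distinguish bob, whose one click is months old and who has since reported a real phish, from carol, whose live EDR and DLP signals put her over the block threshold today. The decision function is what a Level 4 integration would hand to the identity provider's conditional-access policy.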

When you are ready, see your maturity level and your roadmap to level up.