Introduction
Human risk is often treated as purely a knowledge gap. We tend to think that if people understand the cyber security risks, they’ll make the right decisions. And whilst there’s some truth to that, it’s rarely that straightforward.
Most people already have a sense of what they should be doing. Your staff will likely know to be cautious with emails, to protect passwords and not to use ‘password1’, for example. The difficulty is applying that theory in the real-world environment they’re working in. When time is limited and priorities are competing, that theoretical cyber security knowledge can be difficult to act on, and that is where human risk starts to take shape.
The short answer is…
Human risk isn’t primarily caused by a lack of awareness, but by how people make decisions under pressure. Effective training focuses on real-world scenarios and supports better decision-making within the context of how work actually happens, rather than relying on one-off awareness sessions.
Where risk comes from
Security decisions don’t happen in isolation; they sit alongside everything else someone is trying to do.
Deadlines, interruptions and workload all influence how choices are made. In the moment, most decisions are driven by what feels practical. That might include responding quickly to an email, sharing access to keep a project moving, or ‘improvising’ because a process is unclear and there isn’t time to clarify.
These decisions make sense in context, but they prioritise progressing the work. The challenge is that the quickest or easiest option doesn’t always align with the most secure one. It’s in that gap, between what makes operational sense to get the work done and what’s safest, that risk is introduced.
The role of culture and environment
This risk gap is often shaped by the culture of an organisation and the environment people work within.
For example, if speed is consistently prioritised, people learn to move quickly, even if it means sacrificing the correct process. If reporting something that doesn’t look right feels uncomfortable or isn’t taken seriously, your team are much less likely to raise concerns in the future.
These signals don’t need to be explicit. They build through expectations and behaviours, and what gets rewarded versus what gets overlooked. Over time these practices help establish your company culture and influence how decisions are made across the business.
That’s why human risk isn’t just an individual issue; it reflects how an organisation operates as a whole.
Why traditional training doesn’t always land
Most cyber security training is built purely around awareness. It focusses on what people need to look out for and how to respond. In theory, that should be enough. In practice, it often isn’t.
Traditional training is typically delivered annually. It’s generic, and it doesn’t always reflect your business needs or the reality of someone’s specific role or workload. As a result, it feels disconnected from day-to-day business activity and becomes a box-ticking exercise.
Importantly, traditional training rarely addresses the conditions that influence decision-making. Knowing what you’re supposed to do is one thing; applying that knowledge under pressure is another. So, for many businesses, despite the training, the gap where risk flourishes remains.
What effective human risk training looks like
If human risk is shaped by decision-making, then training needs to reflect that.
A one-off session focussed on reviewing rules or policies is unlikely to change behaviour. What tends to work much better is something more continuous and contextual: training built around realistic scenarios that reflect the kind of decisions your people actually face every day. Training like this reinforces good judgement over time rather than relying on a single moment of learning.
More broadly though, effective human risk training requires a shift in how human risk is viewed within your business. Rather than treating it as something to correct, it becomes something to understand. It’s intrinsically linked to how people work, how systems are used, and how expectations are set across the business. Once we understand that, human risk training is less about trying to fill a knowledge gap and more about supporting your team to make better decisions through a combination of awareness, environment and experience.
The aim of training isn’t perfect behaviour. It’s to help people make better decisions more consistently, to shrink that gap where risk thrives.
Conclusion
Human risk doesn’t sit separately from the rest of your business; it’s part of how work gets done. The decisions your people make are shaped by time, pressure, systems and expectations. Training plays an important role, but it’s most effective when it reflects that reality and focusses on effective decision-making. When businesses take that broader view, it becomes easier to understand where risk is introduced and how it can be reduced in a way that fits naturally with day-to-day operations.
That’s the approach we take at Novem. Through effective cyber security training and services like Virtual Penetration Testing, we help organisations look at how risk appears in practice. Combining behavioural insight with technical expertise allows us to support businesses in building environments where better decisions are easier to make.
FAQs
What is human risk in cyber security?
Human risk refers to how people’s actions and decisions can expose a business to cyber threats. It’s shaped by how people work, not just what they know.
Is human risk just about employees making mistakes?
Not usually. Most decisions are made in context, where people are balancing time, pressure, and priorities. What looks like a mistake is often a practical decision in the moment.
Why isn’t traditional cyber security training always effective?
Because it often focuses on awareness in isolation. It doesn’t always reflect the environment people work in or the pressures that influence their decisions.
Does improving human risk mean changing company culture?
In many cases, yes. Culture influences how decisions are made, especially around speed, reporting issues, and how security is perceived within the business.
Can human risk ever be completely removed?
No. It’s unrealistic to aim to eliminate it completely. Instead, we want to reduce it by helping people make better decisions more consistently and creating an environment that supports them.