Cimento is headed to Black Hat USA — catch us in Vegas, Aug 1–6

Black Hat USA 2026 · Aug 1–6

Book a Meeting →

Book a Meeting →

Home / Topics / Measuring Human Cyber Risk

Measurement Guide

How to measure human cyber risk.

You can’t reduce what you can’t measure — and a click rate samples one behavior on one channel.

You can’t reduce what you can’t measure — and a click rate samples one behavior on one channel.

You can’t reduce what you can’t measure — and a click rate samples one behavior on one channel.

Human risk is measurable with the same discipline you apply to vulnerabilities: likelihood, impact, and trend. This page lays out the model — exposure, behavior, resilience — and what it takes to compute it.

The Problem

Activity metrics posing as risk metrics.

01

Completion rate

Measures whether training was assigned and finished. Says nothing about whether anyone is harder to deceive.

02

Click rate

One behavior, one channel, heavily influenced by template familiarity and test timing. Useful as an input; meaningless as a risk score.

03

The averaging trap

Org-wide averages hide the tail that matters. Five high-access employees with poor instincts are a bigger risk than five hundred average ones.

The Model

Risk = exposure × behavior × resilience.

Input 1

Exposure

What can this person access, approve, or move? Wire authority, production credentials, customer data, a public profile attackers can research. Pulled from HRIS and identity systems — this is the impact term.

Input 2

Behavior

How this person responds to realistic, multi-channel social engineering, measured by continuous simulation over time. This is the likelihood term.

Input 3

Resilience

When something suspicious lands, does it get reported? How fast? Reporting speed is the difference between one compromised inbox and a company-wide incident.

Score each input per person, weight by role, aggregate by team and channel — and you have a risk index that can go on a board slide and be held to a trend.

Score each input per person, weight by role, aggregate by team and channel — and you have a risk index that can go on a board slide and be held to a trend.

Cimento's Approach

The model, automated.

Cimento computes exposure from your HRIS and identity data, behavior from continuous multi-channel simulation, and resilience from reporting telemetry — then keeps the index current as people, roles, and attacks change.

Risk Index · Illustration

Q3

Exposure · finance cohort

74

Behavior · multi-channel fail rate

28

Resilience · median time-to-report

41

Three inputs, one index, tracked quarterly — per role and per channel.

FAQ

What makes a human risk metric “board-ready”?

How long before we have a trustworthy trend line?

Can we build this model with our existing SAT data?

Turn human risk into a number.

Exposure, behavior, and resilience — measured on your own organization in 14 days.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.