The Emergence of User Adaptive Risk Management

StrategySecurityArchitectureOperations
Written By Franklin Donahoe

This article discusses the emergence of User Adaptive Risk Management (UARM) as an evolution of traditional Security Awareness and Training (SA&T). It highlights how UARM uses AI and User Behavior Analytics to move beyond basic awareness to real-time, individualized risk mitigation. The article also touches on the potential benefits and challenges of UARM, including privacy concerns and the importance of integration with existing security systems, while referencing companies like Dune Security as innovators in the field.

Reshaping Cybersecurity Beyond Traditional Awareness

Executive Summary

Traditional Security Awareness and Training (SA&T), long a cornerstone of cybersecurity programs and a staple of compliance mandates, is facing increasing scrutiny regarding its effectiveness in mitigating the persistent threat of human error—a factor implicated in the vast majority of security breaches. The conventional "one-size-fits-all," compliance-driven approach often fails to translate knowledge into secure behavior, leading to minimal impact on actual risk reduction. This article analyzes the emergence of User Adaptive Risk Management (UARM) as a technologically advanced paradigm shift designed to address these shortcomings.

UARM, often considered an evolution or specific implementation of broader Human Risk Management (HRM) principles, leverages Artificial Intelligence (AI) and User Behavior Analytics (UBA) to move beyond awareness towards real-time, individualized risk mitigation. By continuously monitoring user behavior and contextual factors, UARM platforms quantify individual risk profiles and dynamically adapt security interventions. These interventions range from personalized micro-training and phishing simulations delivered at the point of need to the automated adjustment of security controls via integration with the broader security stack (e.g., IAM, EDR, DLP) for high-risk users.

Innovators like Dune Security are pioneers in this space, offering AI-powered platforms that promise automated risk quantification, user-adaptive training, and seamless control integration. While the potential benefits—including demonstrable risk reduction, optimized resource allocation, and enhanced organizational resilience—are significant, adopting UARM presents considerable challenges. Accurately quantifying nuanced human risk via algorithms remains complex and often lacks transparency. Furthermore, the granular monitoring required raises critical privacy and ethical concerns that must be proactively addressed through robust governance, transparency, and a focus on building employee trust.

As indicated by industry analysts, the future landscape points towards a continued shift away from SA&T towards integrated, outcome-focused HRM and UARM solutions that are deeply embedded within organizational security culture and operations, potentially converging with Zero Trust architectures. Successfully navigating this transition requires a strategic approach that prioritizes measurable risk reduction over mere compliance, critically evaluates technological capabilities, embeds privacy-by-design, plans for deep integration, and fosters a supportive security culture through leadership commitment and effective change management. UARM represents not a technological panacea, but a powerful enabler within a necessary evolution towards more adaptive, human-centric cybersecurity strategies.

I. The Evolution from Security Awareness to Adaptive Risk Management

The cybersecurity landscape is undergoing a significant transformation, particularly in how organizations address the risks associated with human behavior. For decades, Security Awareness and Training (SA&T) has been the primary method for educating employees about cyber threats. However, growing evidence of its limitations in changing behavior and reducing breaches has spurred the development of more dynamic, data-driven approaches. Among these, User Adaptive Risk Management (UARM) represents a cutting-edge evolution, leveraging technology to manage individual user risk in real-time.

A. Defining User Adaptive Risk Management (UARM)

User Adaptive Risk Management (UARM) is an emerging cybersecurity paradigm focused on the continuous assessment and dynamic management of risks associated with individual users within an organization. It moves beyond traditional, static security awareness efforts by employing technology, primarily Artificial Intelligence (AI) and behavioral analytics, to understand and respond to user actions in real-time or near real-time.1 UARM systems quantify an individual's risk posture by analyzing a wide array of data points, including user behavior patterns, contextual information (like location or device posture), learning patterns from training interactions, system access levels, and potential impact ("blast radius").4

Based on this continuously updated risk assessment, UARM platforms dynamically adjust security measures tailored to the individual. These measures encompass not only personalized training content and interventions but also the integration with broader security controls.5 Key characteristics of UARM include its AI-powered nature, reliance on comprehensive data for risk quantification, user-specific adaptation of security measures, provision of real-time feedback and interventions, and its ability to integrate with and influence other security tools.5

The core objective of UARM is to proactively mitigate "human risk"—the errors, negligence, or malicious actions by employees and other users that are widely cited as the root cause of a significant majority (often estimated at over 80% or 90%) of cybersecurity breaches.4 It represents a shift towards managing the human element of security not just through education, but through continuous, adaptive technological oversight and response.

B. Contrasting UARM with Traditional Security Awareness & Training (SA&T)

The distinction between UARM and traditional SA&T represents a fundamental shift in philosophy, methodology, and technological underpinning. While SA&T has served as a foundational element, UARM aims to address its perceived limitations through a more dynamic and personalized approach.

Traditional SA&T programs primarily focus on transferring knowledge and building general awareness about cybersecurity threats and best practices.19 Their goal is often driven by compliance requirements, aiming to "tick the box" for regulations like HIPAA, GDPR, or PCI DSS.16 Training is typically delivered periodically—often annually or quarterly—using a standardized, "one-size-fits-all" curriculum for all employees, regardless of their specific roles, risk levels, or behaviors.9 Success is commonly measured by completion rates or scores on basic quizzes, which may not correlate with actual secure behavior.19 This approach is often reactive, implemented as part of onboarding or annual compliance cycles.19

In contrast, UARM centers on achieving measurable risk reduction and driving tangible changes in user behavior.5 It is inherently data-driven and risk-based, utilizing continuous or near real-time monitoring and analysis.1 UARM employs personalization and adaptation, tailoring training content, interventions (like targeted simulations or "nudges"), and even security controls to each user's specific risk profile and observed actions.5 Success metrics shift towards behavioral indicators (e.g., phishing susceptibility reduction, secure action adoption) and quantified risk reduction over time.19 This allows for a proactive stance, aiming to identify and mitigate risky behaviors before they lead to incidents.7

The core philosophical divergence lies in their underlying assumptions. Traditional SA&T operates on the premise that imparting knowledge will naturally lead to more secure behavior.37 However, experience and data suggest a significant gap often exists between awareness and action.37 UARM acknowledges this gap and directly targets behavior modification through adaptive, personalized measures driven by ongoing assessment.

This evolution highlights a critical dynamic in the history of SA&T. Compliance mandates, while necessary, inadvertently shaped many SA&T programs around minimum requirements rather than maximum effectiveness.21 Organizations focused on proving training occurred, often through simple completion tracking, to satisfy auditors.19 This "compliance paradox" meant that while SA&T became widespread, its actual impact on reducing human-related breaches was often limited.19 This very failure, born from a compliance-first mindset, ultimately created the demand for more sophisticated, results-oriented approaches like UARM and HRM, which promise measurable risk reduction beyond simply checking a box. While UARM solutions must still facilitate compliance reporting, their primary value proposition lies in demonstrably improving security posture.

Here's a summary of the key differences:

  • Primary Focus:

  • Traditional SA&T: Awareness, Knowledge Transfer

  • User Adaptive Risk Management (UARM): Behavior Change, Risk Reduction

  • Goal:

  • Traditional SA&T: Compliance Fulfillment, General Education

  • UARM: Measurable Mitigation of Human Risk

  • Approach:

  • Traditional SA&T: Standardized, "One-Size-Fits-All"

  • UARM: Data-Driven, Risk-Based, Personalized

  • Timing:

  • Traditional SA&T: Periodic (Annual, Quarterly)

  • UARM: Continuous, Real-Time or Near Real-Time

  • Personalization:

  • Traditional SA&T: Low / None

  • UARM: High, Adaptive based on individual risk/behavior

  • Content:

  • Traditional SA&T: Generic Modules, Videos, Presentations

  • UARM: Tailored Micro-Trainings, Simulations, Nudges, Adaptive Controls

  • Metrics:

  • Traditional SA&T: Completion Rates, Quiz Scores

  • UARM: Behavioral Change Indicators, Quantified Risk Reduction, Reporting Rates

  • Technology:

  • Traditional SA&T: Learning Management Systems (LMS)

  • UARM: AI/ML, User Behavior Analytics (UBA/UEBA), Security Stack Integration

  • Integration:

  • Traditional SA&T: Typically Standalone or Basic LMS Integration

  • UARM: Deep Integration with IAM, EDR, DLP, SIEM, etc.

C. The Rise of Human Risk Management (HRM) as a Related Concept

Concurrent with the development of UARM, the broader strategic concept of Human Risk Management (HRM) has gained prominence. HRM represents a comprehensive approach within cybersecurity focused on identifying, quantifying, assessing, and mitigating the diverse risks associated with human behavior.19 It acknowledges that people are central to security outcomes and seeks to manage this element strategically.

UARM can be understood as a specific, technologically advanced manifestation or implementation of HRM principles.19 It leverages AI, automation, and deep integration to deliver the adaptive capabilities that define it, effectively operationalizing many HRM goals.11 The increasing adoption of the term "HRM" by influential industry analysts like Gartner and Forrester, as well as by cybersecurity vendors, signals a deliberate market shift away from the perceived limitations and negative connotations of the "SA&T" label.25 HRM emphasizes achieving measurable, outcome-driven results, unifying previously fragmented security efforts related to human factors, and cultivating a pervasive security-aware culture.36

Key components often included under the HRM umbrella encompass comprehensive risk assessment and user profiling, the delivery of tailored training and interventions based on risk, proactive policy management and enforcement, continuous monitoring of behavior and control effectiveness, securing visible leadership support and sponsorship, and integrating security awareness deeply into the organizational culture.33 UARM platforms aim to automate and enhance many of these components through technology.

II. Traditional Security Awareness & Training (SA&T): History, Importance, and Limitations

To fully appreciate the shift towards UARM, it is essential to understand the history, significance, and inherent limitations of the traditional SA&T model it seeks to improve upon. SA&T has been an integral part of organizational security for decades, evolving alongside the threat landscape and technological advancements.

A. Historical Development and Evolution of SA&T Programs

The roots of SA&T can be traced back to the early days of computing and the internet. In the 1990s and early 2000s, efforts were often rudimentary and focused on basic IT security hygiene, such as the importance of strong passwords, using antivirus software, and fundamental physical security measures.20 Training during this era was frequently delivered on an ad-hoc basis, lacking consistency and universal adoption across organizations.20 Early significant hacking incidents, like those involving the 414s group, and the disruptive Morris worm in the late 1980s, highlighted network vulnerabilities and spurred the creation of Computer Emergency Response Teams (CERTs) and the initial concepts of preventative cybersecurity, laying the groundwork for more formal awareness efforts.53

The mid-2000s marked a phase of formalization. As the internet became indispensable for business operations and online threats like worms (e.g., ILOVEYOU in 2000) and spam proliferated, organizations began recognizing the need for structured security training.20 The introduction of information security standards, notably ISO/IEC 27001 in 2005, explicitly emphasized the role of human factors and awareness in information security management.20 Initiatives like the U.S. National Cybersecurity Awareness Month, launched in 2004, also aimed to elevate the importance of cybersecurity education.52

By the mid-2010s, the threat landscape had evolved significantly, with phishing attacks and sophisticated social engineering tactics becoming major concerns. In response, SA&T programs adapted by incorporating more engaging and interactive content.20 Phishing simulations became increasingly common as a way to test employee vigilance and provide practical experience.20 Gamification techniques were also introduced to improve learner engagement and knowledge retention.20

The current phase, from the late 2010s to the present, emphasizes continuous learning rather than one-off events.20 There is a growing recognition of the need to apply principles from behavioral science to drive actual behavior change.20 Human Resources (HR) departments have become more involved in delivering and managing these programs, viewing employees as a potential "human firewall".55 This period has also seen the nascent shift towards more data-driven HRM concepts and the integration of AI to personalize training and address specific weaknesses.38 Reflecting its perceived importance, the security awareness training market has grown substantially, valued at $5.6 billion in 2023 and projected to exceed $10 billion by 2027.55

B. The Critical Role of SA&T in Compliance Frameworks

A primary driver behind the widespread adoption and specific structure of many SA&T programs has been the explicit requirements embedded within various industry regulations and cybersecurity frameworks. Compliance mandates often dictate the minimum frequency, scope, and sometimes even specific topics for employee training, making SA&T a non-negotiable component for regulated organizations.

Key frameworks with notable SA&T requirements include:

  • HIPAA (Health Insurance Portability and Accountability Act): Both the Privacy Rule (45 CFR § 164.530(b)(1)) and the Security Rule (45 CFR § 164.308(a)(5)) mandate training for all workforce members. This includes training on policies and procedures regarding Protected Health Information (PHI) and specific security risks like malware protection and password management. Training is required upon hiring and periodically thereafter, especially when policies change materially.21

  • GDPR (General Data Protection Regulation): While not prescribing specific training content, GDPR requires organizations to ensure that personnel involved in processing personal data are aware of data protection principles and their responsibilities. Article 39 explicitly lists raising awareness and training staff as a task for the Data Protection Officer (DPO).40

  • PCI DSS (Payment Card Industry Data Security Standard): Requirement 12.6 explicitly mandates a formal security awareness program for all personnel handling cardholder data. This training must occur upon hire and at least annually, reinforcing the importance of protecting sensitive payment card information.21

  • NIST (National Institute of Standards and Technology): Several NIST publications address SA&T. Special Publication (SP) 800-50 provides detailed guidance on building SA&T programs.42 SP 800-53, which forms the basis for security controls in frameworks like FISMA (for federal agencies) and FedRAMP, includes a dedicated "Awareness and Training" (AT) control family and recommends role-based training.21 SP 800-171, governing the protection of Controlled Unclassified Information (CUI) in non-federal systems, requires personnel to be aware of security risks, safeguards, and insider threats.59 The NIST Cybersecurity Framework (CSF) also includes awareness and training within its "Protect" function.42

  • ISO 27001: This international standard for information security management systems includes control A.7.2.2, which requires organizations to provide appropriate security awareness, education, and training.20

  • Other Frameworks: The CIS Controls (specifically Control 14) and the EU's NIS 2 Directive also contain requirements related to security awareness and training for personnel.40

These regulatory and standard-based requirements, while crucial for establishing a baseline, often focus on minimum acceptable levels (e.g., annual training) and documentation for audit purposes.21 This has historically contributed to the "compliance-driven" nature of many SA&T programs, where the primary goal becomes meeting the requirement rather than maximizing risk reduction effectiveness.

Here's a summary of SA&T requirements across key frameworks:

  • HIPAA:

  • Specific Requirement(s): Privacy Rule § 164.530(b)(1), Security Rule § 164.308(a)(5) 21

  • Key Mandates: Train all workforce on PHI policies/procedures, security risks (malware, passwords); upon hire & periodically 21

  • GDPR:

  • Specific Requirement(s): Article 39 (DPO Tasks) 40

  • Key Mandates: Ensure staff processing personal data are aware of data protection principles & compliance requirements 40

  • PCI DSS:

  • Specific Requirement(s): Requirement 12.6 21

  • Key Mandates: Implement formal security awareness program for all personnel; upon hire & at least annually 21

  • NIST SP 800-53 / 800-171:

  • Specific Requirement(s): AT Control Family / Requirement 3.2 21

  • Key Mandates: Implement awareness program; role-based training; insider threat awareness (800-171) 21

  • ISO 27001:

  • Specific Requirement(s): Control A.7.2.2 20

  • Key Mandates: Provide appropriate security awareness, education, and training 20

C. SA&T as a Foundational Cybersecurity Control

Despite its limitations, traditional SA&T remains a foundational control measure within cybersecurity risk management. Its importance stems from the universally acknowledged reality that humans are often the most unpredictable and exploitable element in the security chain.23 Human error or susceptibility is implicated in a vast percentage of successful cyberattacks, with estimates frequently ranging from 74% to over 95%.16

Consequently, SA&T serves as a primary, non-technical defense mechanism, often conceptualized as building a "human firewall".20 By educating users about common threats like phishing emails, social engineering tactics, malware delivery mechanisms, and the importance of secure practices (e.g., strong passwords, data handling), organizations aim to equip their workforce to recognize and avoid potential attacks.

Furthermore, effective SA&T contributes significantly to fostering a security-conscious organizational culture.22 When employees understand the risks and their role in mitigating them, security becomes a shared responsibility rather than solely the domain of the IT or security department. Authoritative bodies in cybersecurity, such as the SANS Institute, consistently emphasize the critical importance of security awareness training as part of a comprehensive security program designed to manage human risk effectively.41 It provides the essential baseline knowledge upon which more advanced security measures and cultural changes can be built.

D. Critiques: Documented Shortcomings and Lack of Innovation in Traditional SA&T

Despite its foundational role and widespread implementation, traditional SA&T has faced significant criticism regarding its effectiveness and lack of evolution over the years. Numerous analyses and reports highlight recurring shortcomings that limit its impact on reducing actual cybersecurity risk.

A primary critique is its ineffectiveness in changing behavior. Multiple sources argue that simply transferring knowledge does not reliably translate into secure actions.37 Studies and observations indicate that a high percentage of employees (e.g., 70%) continue to engage in risky behaviors even after undergoing training.29 The measurable impact of traditional SA&T on tangible risk reduction is often questioned or found to be minimal.27

The approach itself is frequently faulted. The prevalent "one-size-fits-all" model delivers the same content to everyone, ignoring crucial differences in employee roles, access levels, technical proficiency, individual risk exposure, and learning preferences.9 Furthermore, the strong focus on meeting compliance requirements often leads to programs designed as "tick-box" exercises rather than genuine efforts to improve security posture.16

Content and delivery methods are also common targets of criticism. Training materials are often perceived as boring, unengaging, outdated, overly generic, and lacking relevance to employees' specific work contexts.22 The typical infrequency of training (annual or quarterly) clashes with the reality of human memory; knowledge decays rapidly without reinforcement (the "forgetting curve" suggests up to 80% is forgotten within a month).23 Additionally, programs may focus too narrowly on specific threats, like phishing emails, while neglecting other vectors.67

Operational issues further hinder effectiveness. Managing SA&T programs can be burdensome for administrators, especially if manual processes are involved.23 Achieving high employee participation and maintaining engagement can be challenging, particularly with uninspiring content or inconvenient delivery.66 Lack of visible leadership buy-in, poor communication about the program's goals, or inadequate resource allocation can significantly undermine success.23

Finally, a significant criticism is the perceived lack of innovation. Compared to the rapidly evolving threat landscape and advancements in other areas of cybersecurity, SA&T programs have often seen only slow, incremental improvements.27 The focus has remained largely on refining delivery methods (e.g., better videos, gamification) rather than fundamentally changing the approach to achieve better outcomes in terms of risk reduction.27 This relative stagnation has left many traditional programs ill-equipped to deal with modern, sophisticated threats targeting human behavior.9

These interconnected shortcomings create a challenging dynamic. Unengaging, infrequent, and generic training naturally leads to low participation and rapid knowledge decay.24 When programs are primarily designed and measured against compliance checkboxes rather than actual behavior change or risk reduction 19, they fail to demonstrate tangible value to the organization. This lack of demonstrable impact makes it difficult to secure strong leadership commitment and justify adequate funding or resources.23 Consequently, organizations may default to maintaining minimal, compliance-focused programs, perpetuating the cycle of limited effectiveness. Breaking this cycle necessitates a fundamental shift—moving from a compliance mindset to a risk reduction focus, adopting personalized and continuous approaches, and measuring success based on behavioral outcomes and quantified risk improvements. This is precisely the gap that UARM and modern HRM strategies aim to address.

III. User Adaptive Risk Management in Practice: Technology and Innovation

UARM moves beyond the theoretical limitations of SA&T by leveraging specific technologies and concepts to create a dynamic, responsive security posture centered on individual user risk. This involves real-time monitoring, sophisticated analytics, and adaptive interventions that go far beyond traditional training modules.

A. Core Concepts: Real-time Behavioral Monitoring and Adaptive Controls

The foundation of UARM lies in the continuous or near real-time monitoring and analysis of user behavior and associated contextual factors.1 This monitoring encompasses a wide range of signals, including login patterns (time, location, frequency), device health and posture (patch status, detected malware), network connection details (IP address reputation, VPN usage), data access requests and patterns, application usage, and interactions with security training or simulations.1

This stream of behavioral and contextual data feeds into an analytical engine that assesses the user's current risk level. Based on this assessment, UARM systems dynamically adapt security measures.1 This adaptation extends significantly beyond the scope of traditional Adaptive Access Control (AAC), which primarily focuses on adjusting authentication requirements based on context.1 In a UARM framework, adaptation includes:

  • Adaptive Training and Interventions: Triggering specific, targeted micro-training modules, realistic phishing simulations, security "nudges," or awareness reminders based on detected risky behavior, identified knowledge gaps, or an elevated risk score.5 This ensures training is relevant and delivered at the point of need.

  • Adaptive Security Controls: For users deemed high-risk, the UARM system can integrate with other security tools to automatically implement stricter controls. Examples include enforcing step-up multi-factor authentication (MFA), applying more stringent email filtering rules, intensifying endpoint monitoring (via EDR integration), restricting access to sensitive data or applications (via IAM or DLP integration), or even temporarily limiting certain functionalities.1

This continuous cycle of monitoring, assessment, and adaptation aligns closely with the core principles of Zero Trust security architectures, which mandate continuous verification and assume no implicit trust based on network location or prior authentication.1 UARM provides a mechanism to apply Zero Trust principles specifically to the human element, dynamically adjusting trust levels and corresponding controls based on observed behavior and risk.

B. The Role of User Behavior Analytics (UBA) and AI/ML in Enabling UARM

The engine driving UARM's capabilities relies heavily on User Behavior Analytics (UBA) – or its broader variant, User and Entity Behavior Analytics (UEBA) – and Artificial Intelligence/Machine Learning (AI/ML).

UBA/UEBA serves as the core technology for monitoring user activities and detecting deviations from normal patterns.1 These systems work by establishing a baseline of typical behavior for each user (and entity, in the case of UEBA, which includes devices, servers, applications etc. 72). They then continuously analyze ongoing activity, flagging anomalies or deviations from this baseline that could indicate compromised credentials, insider threats, policy violations, or other security risks.72

AI and ML provide the intelligence layer that powers both UBA/UEBA and the adaptive decision-making of UARM.1 Machine learning algorithms are essential for analyzing the vast and complex datasets generated by user activity, identifying subtle patterns indicative of risk that rule-based systems might miss, and establishing accurate behavioral baselines.3 AI enables predictive analytics, attempting to forecast potential future risks based on past behavior and trends.16 It automates the process of anomaly detection and risk scoring, allowing security teams to focus on validated threats.16 Furthermore, AI facilitates the personalization of training content and interventions at scale, tailoring the response to individual needs.5 Techniques like Natural Language Processing (NLP) and feature engineering may be employed to refine risk models.10 AI can also automate the creation and streamlining of engaging training materials, such as videos and scripts, and optimize their delivery.7

In essence, UBA/UEBA provides the crucial input data—detailed logs of user behavior and identified anomalies—while AI/ML provides the intelligence required for sophisticated analysis, risk prediction, and informed decision-making. The output is UARM's adaptive response, manifesting as tailored training, timely interventions, or dynamic security control adjustments.

However, a significant challenge lies in the concept of "risk quantification." UARM platforms, including Dune Security, heavily market their ability to use AI/ML to calculate a specific risk score for each employee.4 While UBA effectively identifies specific risky behaviors like clicking phishing links or unusual data access 19, translating the complex interplay of human factors—such as knowledge level, potential intent, situational context, inherent susceptibility, system access, and the potential impact of a compromise 5—into a single, objective numerical score is inherently complex and potentially reductive. The specific algorithms, data weighting, and thresholds used by vendors to generate these scores are often proprietary ("black boxes") 4, making independent validation difficult. This lack of transparency raises questions about the accuracy, fairness, and predictive power of these scores. Are they truly indicative of future breach likelihood, or merely reflective of monitored activities that might correlate with risk? How are potential biases within the data or the algorithms themselves identified and mitigated? Organizations evaluating UARM solutions must therefore critically scrutinize the vendor's risk quantification methodology. Relying solely on an opaque score without understanding its constituent parts could lead to misdirected security efforts or unfair consequences for employees. The focus should perhaps be less on the absolute score itself and more on the specific, verifiable risky behaviors that the system identifies, which can then inform targeted, context-aware interventions.

C. Integrating UARM/UBA with the Broader Security Stack (IAM, EDR, DLP, SIEM): Benefits and Challenges

UARM and UBA/UEBA systems are most effective when integrated into the broader cybersecurity ecosystem, rather than operating in isolation. They rely on data feeds from various security and IT systems and, in turn, provide valuable context and trigger actions within those systems.

Data Sources: Effective UBA/UEBA requires comprehensive visibility. Data is typically ingested from a wide range of sources, including Security Information and Event Management (SIEM) systems, Active Directory and other identity providers (IAM), endpoint detection and response (EDR) agents, data loss prevention (DLP) tools, network flow collectors, cloud platform logs (e.g., AWS, Microsoft 365), HR information systems (for user context like role, department, departure status), and external threat intelligence feeds.71

Integration Benefits: Connecting UARM/UBA with other tools unlocks significant advantages. It provides richer context for threat detection and incident response by correlating user behavior anomalies with specific endpoint activities (from EDR), network events (from SIEM/firewalls), or data movement patterns (from DLP).71 This integration enables automated, orchestrated responses across the security stack. For example, a UARM system detecting a high-risk user behavior could trigger an IAM system to enforce MFA or restrict access, while simultaneously instructing an EDR tool to increase monitoring on the user's endpoint.1 This facilitates the implementation of truly adaptive security controls based on real-time human risk assessment.5

Integration Challenges: Despite the benefits, integrating these systems presents several challenges. Technical complexity is a major factor, involving API compatibility, data format normalization, and ensuring seamless data flow between disparate systems.79 The sheer volume of data ingested from multiple sources can lead to data overload, potentially increasing noise and the rate of false positive alerts if not managed carefully.73 Effective integration requires skilled personnel capable of configuring the connections, managing the data flows, and interpreting the correlated results.71 The cost of acquiring, implementing, and maintaining these integrations can also be substantial.87 Ensuring data quality and consistency across different systems is crucial for accurate analysis. Finally, correlating sensitive data from multiple sources (e.g., HR data, activity logs, security alerts) significantly amplifies privacy concerns, requiring careful governance and adherence to regulations.73

The potential for UARM platforms to ingest signals from across the security stack, analyze them through an AI-powered human risk lens, and then trigger coordinated responses via integrations with IAM, EDR, DLP, and other tools suggests an evolution beyond just adaptive training.5 These platforms are effectively positioning themselves as intelligent orchestration layers specifically designed for managing human-centric security actions and policies. This implies that evaluating UARM solutions requires assessing not only their training and risk scoring capabilities but, perhaps more importantly, their integration depth, workflow automation features, API robustness, and overall ability to orchestrate meaningful actions within the existing security infrastructure. Successful deployment and value realization are likely heavily dependent on strong interoperability.

Here's an outline of key integration points and considerations:

  • SIEM:

  • Potential Benefits: Richer log context, correlated alerts, unified view 71

  • Potential Challenges: Data volume/ingestion costs, alert fatigue, correlation complexity 73

  • IAM:

  • Potential Benefits: Identity context, adaptive access control (MFA, restrictions), user provisioning 1

  • Potential Challenges: API limitations, real-time synchronization, policy complexity 79

  • EDR:

  • Potential Benefits: Endpoint behavior correlation, host-level context, automated response actions 71

  • Potential Challenges: Agent compatibility, data volume, potential performance impact 79

  • DLP:

  • Potential Benefits: Context for data movement/exfiltration attempts, policy enforcement triggers 71

  • Potential Challenges: Defining sensitive data accurately, false positives, encryption challenges 73

  • HR Systems:

  • Potential Benefits: User context (role, department, tenure, departure risk), risk factor input 71

  • Potential Challenges: Data privacy/sensitivity, API availability, data synchronization frequency 73

  • Threat Intelligence:

  • Potential Benefits: Context for external threats, correlation with IOCs 71

  • Potential Challenges: Feed quality/relevance, integration complexity, potential for noise 73

  • Cloud Platforms (IaaS/SaaS):

  • Potential Benefits: Visibility into cloud activity, configuration context 71

  • Potential Challenges: API limitations, diverse log formats, shared responsibility model complexity 79

  • Network Infrastructure:

  • Potential Benefits: Network flow data, traffic patterns, device context 71

  • Potential Challenges: Data volume, encryption (limited visibility), NetFlow limitations 73

D. Innovator Spotlight: Dune Security's Approach to UARM

Positioning itself as the "world's first User Adaptive Risk Management solution," Dune Security, founded in 2023, aims to be a leader in this emerging space.4 Based on information gleaned primarily from the company's own marketing materials, job postings, and partner resources (as independent reviews and detailed case studies appear limited in the provided sources 17), Dune Security's platform centers around several key capabilities:

  • AI-Driven Risk Quantification: Dune claims its platform utilizes AI and proprietary machine learning models (specifically mentioning PyTorch and NLP techniques 10) to quantify risk at the individual employee level.4 This quantification is reportedly based on analyzing "comprehensive data," which includes inputs like user behavior, learning patterns derived from training interactions, contextual factors, basic user profile data, potential impact analysis ("blast radius"), results from specific security tests, detection of anomalous activity, and user access levels and permissions.4

  • User-Adaptive Training and Intervention: A core function is the automatic delivery of personalized training content, security interventions, and real-time feedback tailored to the user's quantified risk score and observed behaviors.5 Dune utilizes AI tools (like ChatGPT-4 and Pictory) to streamline the creation and production of educational materials, including videos and scripts, aiming for high engagement.7 The platform also incorporates "hyper-realistic" phishing simulations and offers red team social engineering assessments as part of its testing capabilities.5

  • Adaptive Controls Integration: A key differentiator emphasized by Dune is the platform's ability to integrate with the organization's existing security stack.5 Specific mentions are made of integrations with Identity and Access Management (IAM), Endpoint Detection and Response (EDR), and Data Loss Prevention (DLP) tools.9 This integration allows the UARM platform to dynamically implement or adjust security controls specifically for users identified as high-risk, moving beyond just adaptive training.5 Their backend systems, utilizing Python (Django) and Go, are designed to support these integrations via APIs, running on AWS cloud infrastructure.8

  • Automation and Reporting: Dune highlights the automation capabilities of its platform, aiming to reduce manual effort for security teams in tasks such as scheduling awareness campaigns, assigning training modules, implementing adaptive controls, and generating compliance or risk reports.5 While comprehensive reporting is mentioned as a feature, specific details of the reports were not available in the provided materials.5

Dune Security positions its UARM approach as fundamentally superior to traditional SA&T and claims it represents a significant advancement over existing HRM strategies, suggesting it "multiplies HRM tenfold".11 The company emphasizes benefits such as saving security teams time through automation, reducing organizational risk by proactively addressing human vulnerabilities, and saving money by targeting interventions more efficiently and potentially preventing costly breaches.5 They market the solution as being "built by CISOs, for CISOs," implying a deep understanding of enterprise security needs.11 Dune is also actively pursuing a channel-first go-to-market strategy, building partnerships with resellers and marketplaces.11

IV. Implications and Future Directions

The shift from traditional SA&T towards more dynamic, technology-driven approaches like UARM carries significant implications for cybersecurity effectiveness, organizational practices, user privacy, and the future trajectory of security training and human risk management.

A. Analyzing the Effectiveness and ROI of UARM vs. SA&T

A central claim of UARM and modern HRM approaches is their potential for greater effectiveness in mitigating human-related cybersecurity risks compared to traditional SA&T.9 By focusing directly on influencing and changing risky behaviors through personalized, timely interventions, rather than relying solely on general knowledge transfer, UARM aims to close the gap between awareness and action.16 The ability to target specific vulnerabilities identified through behavioral analysis and risk scoring theoretically allows for more focused and impactful security efforts.16

This shift in approach necessitates a corresponding shift in how effectiveness is measured. Traditional SA&T metrics, such as course completion rates or quiz scores, are widely seen as inadequate indicators of actual risk reduction.19 UARM and HRM emphasize outcome-driven metrics that reflect tangible changes in behavior and security posture. These include tracking reductions in phishing simulation click rates, increases in employee reporting of suspicious activities, documented changes in specific risky behaviors (e.g., password reuse, unsafe data handling), and the overall trend of quantified individual or organizational human risk scores over time.19

The potential Return on Investment (ROI) for UARM is also a key consideration. While calculating a precise ROI applicable to all organizations is challenging due to variations in size, industry, existing posture, and the cost of potential breaches 28, the underlying logic is compelling. Studies on security awareness and HRM programs have suggested potentially high returns, ranging from a seven-fold to a 37-fold ROI in some analyses, or significant potential cost savings from avoided incidents.28 UARM's targeted approach, focusing resources on the highest-risk individuals (often cited as a small percentage responsible for a large majority of incidents 45) and automating interventions, could theoretically optimize this ROI further.5

However, it is crucial to acknowledge that UARM is still an emerging field. While the theoretical advantages are clear, more rigorous, independent, empirical data and longitudinal studies are needed to definitively validate its effectiveness and ROI compared to both traditional SA&T and less technologically advanced HRM programs across diverse organizational contexts.

B. Navigating Privacy, Ethical Considerations, and Trust in UARM/UBA Implementation

Perhaps the most significant challenge accompanying the adoption of UARM and its enabling UBA/UEBA technologies revolves around user privacy and ethical considerations.73 The very foundation of these systems—the continuous collection, aggregation, and analysis of granular data about employee activities, communications, and behaviors—inherently creates potential conflicts with individual privacy rights and expectations.

Key ethical concerns include:

  • Invasion of Privacy: Continuous monitoring can feel intrusive and lead to a perception of pervasive workplace surveillance, eroding employee morale and trust.76

  • Bias and Fairness: AI algorithms used for risk scoring or anomaly detection may contain inherent biases derived from the data they are trained on or the logic implemented, potentially leading to unfair targeting or discrimination against certain groups or individuals.101

  • Scope Creep: There is a risk that data collected for security monitoring could be repurposed for other means, such as performance evaluations or disciplinary actions, without clear consent or justification.79

  • Transparency and Consent: Lack of clarity about what data is being collected, how it is being used, and who has access can breed suspicion and resistance.97

Mitigating these risks requires a proactive and principled approach, embedding privacy and ethical considerations into the design and operation of UARM programs. Best practices include:

  • Transparency and Communication: Openly communicating the purpose, scope, methods, and data handling practices of the monitoring program to all employees is paramount.73

  • Informed Consent: Obtaining explicit consent for monitoring where legally mandated (e.g., GDPR in certain contexts) or as an ethical best practice, ensuring employees understand what they are agreeing to.77

  • Data Minimization and Purpose Limitation: Strictly limiting data collection to what is necessary for legitimate security purposes and avoiding the collection of overly sensitive personal information.77 Monitoring should focus on work-related activities during work hours.98

  • Anonymization and Pseudonymization: Utilizing technical measures to de-identify data wherever possible to reduce privacy impact, especially during analysis phases.101

  • Strict Access Controls: Implementing granular role-based access controls to ensure that only authorized personnel with a legitimate need-to-know can access monitoring data and investigation results.76

  • Robust Governance and Policies: Establishing clear policies that define the program's scope, acceptable use, data retention periods, risk thresholds for intervention, procedures for handling conflicts of interest, and ethical guidelines for AI usage.76

  • Focus on Support, Not Punishment: Framing the program's intent around risk reduction, employee support, and education, rather than creating a punitive environment.70

Successfully implementing UARM hinges on striking a delicate balance between achieving security objectives and respecting employee privacy and fostering trust.27 This balance highlights an inherent tension within UARM: its core value proposition—personalization—is directly fueled by the collection of detailed behavioral data. The more granular the data collected by UBA/UEBA 1, the greater the potential for highly tailored, adaptive training and controls.5 However, this increased data collection simultaneously heightens privacy concerns.73 Organizations must recognize that maximizing personalization may require crossing privacy boundaries that could alienate employees and ultimately undermine the program's acceptance and effectiveness. Therefore, privacy cannot be an add-on; it must be a foundational design principle, requiring a clear data governance framework that defines acceptable monitoring limits and ensures ethical data handling, even if this means placing practical constraints on the achievable level of personalization.

C. Impact on Organizational Culture, Employee Experience, and Productivity

The implementation of UARM can have profound effects on organizational culture, the daily experience of employees, and overall productivity – impacts that can be either positive or negative depending heavily on the approach taken.

Culture: When implemented thoughtfully, UARM and broader HRM initiatives have the potential to positively transform an organization's security culture.19 By making security training relevant, personalized, and integrated into workflows, it can foster a sense of shared responsibility and empower employees to become active participants in defense. Celebrating security successes and using positive reinforcement can further embed security as a core value.46 Conversely, poorly communicated or overly intrusive programs can breed fear, resentment, and a counterproductive "checkbox" mentality, damaging the very culture they aim to improve.22 Visible commitment and modeling of secure behaviors by leadership are crucial for driving positive cultural adoption.23

Employee Experience: Compared to traditional, often lengthy and generic SA&T sessions, UARM's adaptive, micro-learning approach can offer a less disruptive and more engaging experience for employees.9 Training becomes more relevant and potentially less time-consuming. However, the underlying continuous monitoring can negatively impact morale if perceived as excessive surveillance or micromanagement.76 Real-time "nudges" or interventions, while intended to be helpful, must be carefully designed and calibrated to avoid becoming intrusive or annoying.29

Productivity: A key goal of UARM is to minimize disruption to productive work by targeting interventions specifically at risky behaviors or high-risk individuals, rather than subjecting everyone to the same broad measures.9 Effective security, including training, should ideally integrate seamlessly with employee workflows rather than hindering them.19 However, there is a potential downside: adaptive controls triggered by inaccurate risk assessments or false positive behavioral detections could inadvertently block legitimate access or workflows, thereby impeding productivity.73

Ultimately, despite the sophisticated technology like AI and UBA that underpins UARM 1, its success remains fundamentally dependent on influencing human psychology and behavior.19 Factors beyond the technology itself—such as employee motivation, inherent cognitive biases that make users susceptible to social engineering 30, the level of trust employees have in the organization's intentions 76, the perceived fairness and relevance of the adaptive measures 22, and the prevailing organizational security culture 22—are critical. These human factors will largely determine whether employees engage positively with the system or actively or passively resist it. Securing visible leadership commitment is therefore not just beneficial but essential for fostering cultural acceptance and driving the desired behavioral changes.23 This underscores that implementing UARM effectively requires a holistic strategy encompassing not just technology deployment but also robust change management, transparent communication, trust-building, and a clear demonstration of value to the employees themselves.

D. The Future Landscape: Industry Analyst Perspectives (Gartner, Forrester) on the Shift to HRM/UARM

Leading technology research and advisory firms like Gartner and Forrester have recognized and are actively analyzing the significant shift occurring in the realm of security awareness and human risk. Their perspectives provide valuable insights into the future trajectory of this market.

Both Gartner and Forrester clearly identify a trend moving away from traditional SA&T towards HRM and human-centric security models.25 This shift emphasizes achieving tangible behavior change, quantifying human risk accurately, and cultivating a strong security culture as primary goals, moving beyond mere compliance fulfillment. Gartner predicts that by 2027, at least 50% of CISOs globally will formally adopt human-centric security design principles.26 Forrester anticipates HRM solutions becoming mainstream within the next four years, replacing outdated SA&T approaches.27

A key aspect of this evolution is a renewed focus on meaningful outcomes and metrics. Analysts stress the need to move beyond tracking activity metrics like training completion rates and quiz scores. Instead, the focus should be on measuring actual behavioral change (e.g., reduced susceptibility to simulations, increased threat reporting) and demonstrating quantifiable reductions in human-related risk over time.25

Looking further ahead, Forrester envisions a long-term evolution towards "adaptive human protection".27 This future state, perhaps five to eight years away for most organizations, involves a seamless integration of people, processes, and technologies working together to anticipate and automatically mitigate human security risks with minimal conscious effort required from the employee.27

Achieving these future states requires integration and technology optimization. Analysts highlight the importance of integrating various security tools to gain holistic visibility and enable orchestrated responses.47 AI is consistently identified as a critical enabler for achieving personalization at scale, automating detection and response, enhancing predictive capabilities, and ultimately building more resilient systems.16

Finally, analysts emphasize the importance of culture and overall cyber resilience. Success requires fostering a collaborative risk management culture where security is embedded in everyday processes and discussions.25 The strategic focus is shifting from solely preventing breaches (an often unrealistic goal) towards building resilience—the ability to withstand, respond to, and recover quickly from incidents when they inevitably occur.47 Addressing the well-being and potential burnout of security teams is also recognized as crucial for program sustainability and effectiveness.47

The convergence of analyst predictions, the emergence of dedicated UARM/HRM platforms 7, and the technological capabilities being developed signal a significant maturation and potential consolidation of the security awareness market. What was once a field characterized by basic, compliance-driven tools 20 is evolving into one defined by integrated, data-driven platforms promising measurable risk reduction.19 Furthermore, the concept of adaptive controls within UARM 5 directly overlaps and potentially merges with established concepts like Adaptive Access Control (AAC) 1 and the principles of Zero Trust architecture.2 This suggests a future where human risk signals, generated and analyzed by UARM/HRM systems, become direct inputs into dynamic access policies and automated security orchestration frameworks. Organizations should therefore anticipate a future where human risk management is not a siloed training function but a core, integrated component of identity management, security operations, and overall risk governance. This trend necessitates evaluating potential solutions based on their integration capabilities and alignment with broader Zero Trust strategies, and it may drive market consolidation favoring platforms that offer comprehensive, integrated UARM/HRM functionality.

V. Conclusion: Synthesizing the Shift Towards Adaptive, Human-Centric Security

The cybersecurity landscape is undergoing a necessary evolution in how it addresses the persistent challenge of human risk. Traditional Security Awareness and Training (SA&T), while serving a foundational purpose historically driven by compliance needs, has demonstrably fallen short in consistently translating knowledge into secure behavior and significantly reducing the frequency of human-related breaches. Its common limitations—a one-size-fits-all approach, infrequent delivery, lack of engaging content, and metrics focused on completion rather than impact—have created a critical need for more effective strategies.

User Adaptive Risk Management (UARM), emerging as a technologically advanced application of broader Human Risk Management (HRM) principles, represents a significant step forward. By leveraging the power of AI and UBA/UEBA, UARM offers the potential for enhanced risk reduction through personalized, context-aware, and real-time interventions. Its ability to tailor training, deliver timely nudges, and dynamically adapt security controls based on individual risk profiles promises a more efficient and targeted approach to mitigating human vulnerabilities, potentially yielding a higher return on investment compared to traditional methods and aligning well with modern Zero Trust security paradigms.

However, the transition to UARM is not without substantial challenges. The complexity of accurately and transparently quantifying multifaceted human risk using algorithms remains a significant hurdle. More critically, the intensive user activity monitoring inherent in UARM raises profound privacy and ethical concerns that must be addressed proactively and transparently to maintain employee trust and ensure program acceptance. Failure to navigate the delicate balance between security objectives and individual privacy rights can lead to employee resistance, damage organizational culture, and ultimately undermine the effectiveness of the initiative. Furthermore, the technical complexities of integrating UARM platforms with the existing security stack and managing the vast amounts of data involved require careful planning and skilled resources.

For organizations considering or embarking on the adoption of UARM, several strategic considerations are paramount:

  • Define Clear Objectives: Focus should be squarely on measurable risk reduction and specific behavioral change outcomes, moving beyond mere compliance fulfillment.

  • Conduct Critical Vendor Evaluation: Scrutinize vendor claims regarding AI capabilities, risk quantification methodologies, integration depth, and privacy safeguards. Seek transparency wherever possible.

  • Prioritize Privacy and Ethics: Embed privacy-by-design principles from the outset. Develop a comprehensive data governance framework, ensure transparency with employees, and establish clear ethical guidelines for data use and AI application.

  • Plan for Integration: Assess compatibility and develop a roadmap for integrating the UARM platform with key elements of the existing security infrastructure (IAM, SIEM, EDR, DLP, etc.) to unlock its full potential as an orchestration layer.

  • Invest in Change Management: Recognize that UARM implementation is not just a technology project but a cultural one. Secure visible leadership commitment, communicate openly, demonstrate value to employees, and foster a positive, supportive security culture.

The shift towards adaptive, human-centric security, embodied by UARM and modern HRM, is a necessary response to the limitations of past approaches and the realities of the current threat landscape. While technologies like AI and UBA provide powerful new capabilities for understanding and influencing human behavior, they are enablers, not solutions in themselves. Successfully managing human risk in the digital age requires a holistic strategy that thoughtfully balances advanced technology with robust policies, a strong ethical foundation, a supportive organizational culture, and a fundamental respect for individual privacy.

Works cited

  1. Adaptive Access Control | IAM Capabilities - Thales CPL, accessed April 26, 2025, https://cpl.thalesgroup.com/access-management/adaptive-access-control

  2. Adaptive Access Control: Navigating Cybersecurity in the Era of AI and Zero Trust - ISACA, accessed April 26, 2025, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2025/adaptive-access-control-navigating-cybersecurity-in-the-era-of-ai-and-zero-trust

  3. Real-time adaptive security - Wikipedia, accessed April 26, 2025, https://en.wikipedia.org/wiki/Real-time_adaptive_security

  4. Dune Security - Products, Competitors, Financials, Employees, Headquarters Locations, accessed April 26, 2025, https://www.cbinsights.com/company/dune-security

  5. Dune Security | Enterprise Security Awareness, accessed April 26, 2025, https://dune.security/

  6. Sales Engineer @ Dune Security | Antler Job Board, accessed April 26, 2025, https://careers.antler.co/companies/dune-security/jobs/40807802-sales-engineer

  7. Dune Security is hiring: Content Producer in New York - Mediabistro, accessed April 26, 2025, https://www.mediabistro.com/jobs/942302599-dune-security-is-hiring-content-producer-in-new-york

  8. ******* ******** ******** @ Dune Security | Craft Ventures Job Board, accessed April 26, 2025, https://jobs.craftventures.com/companies/dune-security/jobs/45125822-backend-software-engineer

  9. Technology Vendor Summit- Evansville, IN - Keller Schroeder, accessed April 26, 2025, https://www.kellerschroeder.com/tvs/

  10. AI Engineer @ Dune Security | Alumni Ventures Job Board, accessed April 26, 2025, https://jobs.av.vc/companies/dune-security-2/jobs/45063282-ai-engineer

  11. Partner Portal - Dune Security, accessed April 26, 2025, https://on.dunesecurity.io/dune-security-partner-portal-0

  12. Jr. Account Executive @ Dune Security - Jobs, accessed April 26, 2025, https://jobs.ashbyhq.com/dune-security/4202f73b-68ce-4bf4-b6b0-719409d9f52b?embed=js

  13. Video Editor in New York, NY | Society for Scholarly Publishing Career Center, accessed April 26, 2025, https://jobs.sspnet.org/job/video-editor-new-york-ny-44ee38557014e1864acbebc84c61e49fb

  14. Senior Product Manager @ Dune Security - Alumni Ventures Job Board, accessed April 26, 2025, https://jobs.av.vc/companies/dune-security-2/jobs/45063296-senior-product-manager

  15. Senior Site Reliability Engineer (SRE) @ Dune Security | Craft Ventures Job Board, accessed April 26, 2025, https://jobs.craftventures.com/companies/dune-security/jobs/48916126-senior-site-reliability-engineer-sre

  16. The Future of Cybersecurity Training: Why Adaptive, Real-Time Solutions Are Essential, accessed April 26, 2025, https://dune.security/resources/bootcamp/the-future-of-cybersecurity-training-why-adaptive-real-time-solutions-are

  17. User Adaptive Risk Management: Why It ... - Dune Security, accessed April 26, 2025, https://dune.security/resources/whitepaper/user-adaptive-risk-management-why-it-outperforms-traditional-security-awareness-training

  18. Guests - Security Architecture Podcast, accessed April 26, 2025, https://www.security-architecture.org/guests

  19. How Does Human Risk Management Differ from Security Awareness Training?, accessed April 26, 2025, https://blog.knowbe4.com/how-does-human-risk-management-differ-from-security-awareness-training

  20. What is Security Awareness Training? - VIPRE, accessed April 26, 2025, https://vipre.com/glossary-terms/what-is-security-awareness-training/

  21. Security Awareness Training Requirements - TeachPrivacy, accessed April 26, 2025, https://teachprivacy.com/security-awareness-training-requirements/

  22. 5 Reasons Security Awareness Training Is Not Getting Results - MetaCompliance, accessed April 26, 2025, https://www.metacompliance.com/blog/cyber-security-awareness/5-reasons-security-awareness-training-not-results

  23. Why Security Awareness Programs Fail—and How to Fix It, accessed April 26, 2025, https://www.terranovasecurity.com/blog/why-security-awareness-programs-fail-how-to-fix-it

  24. Why Security Awareness Training Is Important But Not Enough, accessed April 26, 2025, https://www.livingsecurity.com/blog/why-security-awareness-training-is-important-but-not-enough

  25. What is the difference between a security awareness and human risk manager? - Hoxhunt, accessed April 26, 2025, https://hoxhunt.com/blog/difference-between-a-security-awareness-and-human-risk-manager

  26. Gartner's Calling for a Human-Centric Approach to Cybersecurity - Here's How to Implement It - Cyber Defense Magazine, accessed April 26, 2025, https://www.cyberdefensemagazine.com/gartners-calling-for-a-human-centric-approach-to-cybersecurity-heres-how-to-implement-it/

  27. Security awareness and training is a method, not an outcome | Cybersecurity Dive, accessed April 26, 2025, https://www.cybersecuritydive.com/news/security-awareness-training-strategy/733468/

  28. How effective is security awareness training? - usecure Blog, accessed April 26, 2025, https://blog.usecure.io/does-security-awareness-training-work

  29. AI-Powered Hyper-Personalized Security Awareness Programs - Keepnet Labs, accessed April 26, 2025, https://keepnetlabs.com/blog/ai-powered-hyper-personalized-security-awareness-program-a-strategic-guide-for-organizations

  30. Human Risk Management Psychographic Categorization of Users - OutThink, accessed April 26, 2025, https://www.outthink.io/community/thought-leadership/blog/human-risk-management-the-eight-dimensions-of-secure-behavior-segmentation/

  31. Adaptive Security Awareness Training - OutThink, accessed April 26, 2025, https://www.outthink.io/products/adaptive-security-awareness-training/

  32. How Human Risk Management Informs Adaptive Cybersecurity - OutThink, accessed April 26, 2025, https://www.outthink.io/community/thought-leadership/blog/human-risk-management-gets-adaptive/

  33. Human Risk Management: A Step-By-Step Implementation Guide - CanIPhish, accessed April 26, 2025, https://caniphish.com/blog/human-risk-management-implementation-guide

  34. How to Create Employee Behavior Change: A Security-First Approach, accessed April 26, 2025, https://dune.security/resources/whitepaper/how-to-create-employee-behaviour-change-a-security-first-approach

  35. Human Risk Management - MATURITY MODEL - Living Security, accessed April 26, 2025, https://www.livingsecurity.com/hubfs/_Core%20Website%20Files/Resource%20Center/Living-Security-Human-Risk-Management-Maturity%20Model-Ebook.pdf

  36. What Is Human Risk Management? | The Essential Guide to HRM - SoSafe, accessed April 26, 2025, https://sosafe-awareness.com/glossary/human-risk-management/

  37. Human Risk Management or just Security awareness 2.0? : r/cybersecurity - Reddit, accessed April 26, 2025, https://www.reddit.com/r/cybersecurity/comments/1ipgozc/human_risk_management_or_just_security_awareness/

  38. What Are the Top Trends in Cybersecurity Awareness Training for 2025? - Keepnet Labs, accessed April 26, 2025, https://keepnetlabs.com/blog/what-are-the-top-trends-in-cybersecurity-awareness-training-for-2025

  39. 2025 Security Awareness Training Statistics - Keepnet Labs, accessed April 26, 2025, https://keepnetlabs.com/blog/security-awareness-training-statistics

  40. 19 Security Frameworks Requiring SAT (Dec 2024) - Hoxhunt, accessed April 26, 2025, https://hoxhunt.com/blog/security-frameworks

  41. SANS Security Awareness, accessed April 26, 2025, https://www.cisecurity.org/services/cis-cybermarket/sans-security-awareness

  42. How to build security awareness & training to NIST standards - Infosec, accessed April 26, 2025, https://www.infosecinstitute.com/resources/security-awareness/how-to-build-security-awareness-training-to-nist-standards/

  43. The People Element in Cybersecurity: Transitioning to Human-Centric Risk Management, accessed April 26, 2025, https://armorpoint.com/2024/04/29/the-people-element-in-cybersecurity/

  44. Human Risk Management | Managed Risk Solutions - ArmorPoint, accessed April 26, 2025, https://armorpoint.com/security-solutions/managed-risk/human-risk-management/

  45. What Is Human Risk Management? Definition | Proofpoint US, accessed April 26, 2025, https://www.proofpoint.com/us/threat-reference/human-risk-management

  46. What Is Human Risk Management? - Keepnet Labs, accessed April 26, 2025, https://keepnetlabs.com/blog/what-is-human-risk-management-keepnet

  47. Top Cybersecurity Trends and Strategies for Securing the Future | Gartner, accessed April 26, 2025, https://www.gartner.com/en/cybersecurity/topics/cybersecurity-trends

  48. Human Risk Management In Cyber Security - MetaCompliance, accessed April 26, 2025, https://www.metacompliance.com/blog/cyber-security-awareness/human-risk-management

  49. Human Risk Management (HRM) Defined: What You Need to Know, accessed April 26, 2025, https://www.compassitc.com/blog/human-risk-management-hrm-defined-what-you-need-to-know

  50. Human Risk Management: Strategies for Building A Resilient Organization - Collossio, accessed April 26, 2025, https://collossio.com/blog/human-risk-management-strategies-for-building-a-resilient-organization/

  51. Managing Human Security Risks: Best Practices for IAM and Risk Management, accessed April 26, 2025, https://www.morganfranklin.com/insights/managing-human-security-risks-best-practices-for-iam-and-risk-management/

  52. 20 Years of Cyber Security Awareness: Evolution of Security - Inspired eLearning, accessed April 26, 2025, https://inspiredelearning.com/blog/20-years-cyber-security-awareness/

  53. What is security awareness: Definition, history and types - Infosec, accessed April 26, 2025, https://www.infosecinstitute.com/resources/security-awareness/security-awareness-definition-history-types/

  54. The evolution of 20 years of cybersecurity awareness - IBM's Security Intelligence, accessed April 26, 2025, https://securityintelligence.com/articles/20-years-of-cybersecurity-awareness/

  55. The Evolution of Security Awareness Training - SWK Technologies, accessed April 26, 2025, https://www.swktech.com/the-evolution-of-security-awareness-training/

  56. How Security Awareness Training Is Evolving - Insulation Outlook Magazine, accessed April 26, 2025, https://insulation.org/io/articles/how-security-awareness-training-is-evolving/

  57. Fostering cybersecurity awareness for effective risk management and creating cyber-resilient environments, accessed April 26, 2025, https://industrialcyber.co/features/fostering-cybersecurity-awareness-for-effective-risk-management-and-creating-cyber-resilient-environments/

  58. PCI DSS and HIPAA compliance: Do you need both? - Vanta, accessed April 26, 2025, https://www.vanta.com/resources/the-roles-of-pci-dss-and-hipaa-compliance

  59. NIST SP 800-171 Requirement 3.2: Awareness and Training - NeQter Labs, accessed April 26, 2025, https://neqterlabs.com/nist-sp-800-171-requirement-3-2-awareness-and-training/

  60. Information Technology (IT) System Awareness and Training (AT) Standard - Department of Education, accessed April 26, 2025, https://www.ed.gov/sites/ed/files/fund/contract/about/acs/2023-at-awareness-and-training-standard.pdf

  61. Human Risk Management Will Be the Hot Topic of 2025 - Mimecast, accessed April 26, 2025, https://www.mimecast.com/blog/human-risk-management-will-be-the-hot-topic-of-2025/

  62. Security Awareness Training - SANS Institute, accessed April 26, 2025, https://www.sans.org/security-awareness-training/

  63. SANS Security Awareness Training | Education Services: HPE English-Speaking Africa, accessed April 26, 2025, https://education.hpe.com/ke/en/training/sans-cybersecurity-training.html

  64. Security Awareness Training Solutions - SANS Institute, accessed April 26, 2025, https://www.sans.org/security-awareness-training/products/security-awareness-solutions/

  65. Rethinking Security Awareness Training: Beyond the Basics - Cyderes, accessed April 26, 2025, https://www.cyderes.com/blog/rethinking-security-awareness-training-beyond-the-basics

  66. Security Awareness Program Challenges | Arctic Wolf, accessed April 26, 2025, https://arcticwolf.com/resources/blog/5-biggest-security-awareness-challenges/

  67. 6 Reasons Why Phishing and Security Awareness Training Programs Fail - eSentire, accessed April 26, 2025, https://www.esentire.com/blog/6-reasons-why-phishing-and-security-awareness-training-programs-fail

  68. Overcoming Challenges in Remedial Training for Cybersecurity Awareness, accessed April 26, 2025, https://www.terranovasecurity.com/blog/overcoming-challenges-remedial-training-cybersecurity-awareness

  69. Top 5 Challenges Faced in Security Awareness Training - Troop Messenger, accessed April 26, 2025, https://www.troopmessenger.com/blogs/top-5-challenges-faced-in-security-awareness-training

  70. Security Awareness Training - KnowBe4, accessed April 26, 2025, https://www.knowbe4.com/security-awareness-training

  71. Insider Risk vs. Insider Threat: Key Differences Explained | Mimecast, accessed April 26, 2025, https://www.mimecast.com/blog/insider-threat-or-insider-risk-what-are-you-trying-to-solve/

  72. What Is UEBA? | Definition & Benefits - Trellix, accessed April 26, 2025, https://www.trellix.com/security-awareness/operations/what-is-ueba/

  73. What Is Behavioral Analytics? - CrowdStrike, accessed April 26, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/exposure-management/behavioral-analytics/

  74. What Is User and Entity Behavior Analytics (UEBA)? | Microsoft Security, accessed April 26, 2025, https://www.microsoft.com/en-us/security/business/security-101/what-is-user-entity-behavior-analytics-ueba

  75. What is UEBA (User and Entity Behavior Analytics)? - Palo Alto Networks, accessed April 26, 2025, https://www.paloaltonetworks.ca/cyberpedia/what-is-user-entity-behavior-analytics-ueba

  76. Insider Threat Detection: Strategies, Technologies, and Best Practices - SearchInform, accessed April 26, 2025, https://searchinform.com/cybersecurity/measures/threat-management/insider-threat-detection/

  77. How Does Employee Monitoring Help Detect Insider Threats? - TimeCamp, accessed April 26, 2025, https://www.timecamp.com/blog/how-does-employee-monitoring-help-detect-insider-threats/

  78. Maximizing Your Security With UEBA Integration | Logsign, accessed April 26, 2025, https://www.logsign.com/blog/maximizing-your-security-with-ueba-integration/

  79. Unlock Hidden Threats with UBA and UEBA - Cyber Security Hub, accessed April 26, 2025, https://www.cshub.com/executive-decisions/articles/unlock-hidden-threats-with-uba-and-ueba

  80. How AI Will Transform Security Awareness Training - Keepnet Labs, accessed April 26, 2025, https://keepnetlabs.com/blog/how-ai-will-transform-security-awareness-training

  81. Zero Trust in Practice: How to Implement a Secure Framework for Modern Enterprises, accessed April 26, 2025, https://www.dune.security/resources/bootcamp/zero-trust-in-practice-how-to-implement-a-secure-framework-for-modern

  82. Top 8 Microsoft Teams security issues | Infosec, accessed April 26, 2025, https://www.infosecinstitute.com/resources/general-security/top-8-microsoft-teams-security-issues/

  83. Code42 - Products, Competitors, Financials, Employees, Headquarters Locations - CB Insights, accessed April 26, 2025, https://www.cbinsights.com/company/code-42-software

  84. User Behavior Entity Analytics - CDSE, accessed April 26, 2025, https://www.cdse.edu/Training/Security-Training-Videos/Insider-Threat-Training-Videos/User-Behavior-Entity-Analytics/

  85. Research Paper on Cybersecurity and Insider Threat Detection: The Role of User Behavior Analytics (UBA) in Modern Defense Strategies - IJRASET, accessed April 26, 2025, https://www.ijraset.com/best-journal/research-paper-on-cybersecurity-and-insider-threat-detection-and-prevention-through-user-behavior-analytics-uba-

  86. Beginner's Guide: User Behavior Analytics (UBA) - ActivTrak, accessed April 26, 2025, https://www.activtrak.com/user-behavior-analytics/

  87. Implementing User Behavior Analytics In Business Security Strategies | - SecureTrust, accessed April 26, 2025, https://securetrust.io/blog/implementing-user-behavior-analytics-in-business-security-strategies/

  88. Redefining Human Risk Management: Strategic Imperatives for a Proactive, Tech-Enabled Future - Frost & Sullivan, accessed April 26, 2025, https://www.frost.com/growth-opportunity-news/security/cybersecurity/redefining-human-risk-management-strategic-imperatives-for-a-proactive-tech-enabled-future-cim-pb/

  89. Compliance Training Software For Security Awareness Learn365 - Zensai, accessed April 26, 2025, https://zensai.com/security-and-compliance-training/

  90. Ensure Security with UBA - Netwrix, accessed April 26, 2025, https://www.netwrix.com/UBA_Best_Practices_Guide.html

  91. Integrating Trust-Based Adaptive Security Framework with Risk Mitigation to enhance SaaS User Identity and Access Control based, accessed April 26, 2025, https://ltu.diva-portal.org/smash/get/diva2:1632450/FULLTEXT01.pdf

  92. The Role of Talent Management to Accomplish Its Principal Purpose in Human Resource Management | Request PDF - ResearchGate, accessed April 26, 2025, https://www.researchgate.net/publication/376258742_The_Role_of_Talent_Management_to_Accomplish_Its_Principal_Purpose_in_Human_Resource_Management

  93. Top Hook Security Alternatives in 2025 - Slashdot, accessed April 26, 2025, https://slashdot.org/software/p/Hook-Security/alternatives

  94. Big Red Jobs, accessed April 26, 2025, https://bigredjobs.org/

  95. Digital Download (PDF) - Air & Space Forces Magazine, accessed April 26, 2025, https://www.airandspaceforces.com/app/uploads/1996/10/1096_Oct1996.pdf

  96. Best Terranova Security Alternatives & Competitors - SourceForge, accessed April 26, 2025, https://sourceforge.net/software/product/Terranova-Security-Awareness-Platform/alternatives/1000

  97. Screen Monitoring: Enhancing Security and Productivity in the Workplace - SearchInform, accessed April 26, 2025, https://searchinform.com/employee-management/monitoring/screen-monitoring/

  98. Ethical Considerations for Employee Monitoring - ActivTrak, accessed April 26, 2025, https://www.activtrak.com/solutions/employee-monitoring/ethical-considerations/

  99. What Is User Activity Monitoring? - Logz.io, accessed April 26, 2025, https://logz.io/blog/what-is-user-activity-monitoring/

  100. How to Monitor Employee Internet Usage & Online Activities? - Apploye, accessed April 26, 2025, https://apploye.com/blog/how-to-monitor-employee-internet-usage-and-online-activities/

  101. Ethical Issues in AI Cybersecurity - Redress Compliance, accessed April 26, 2025, https://redresscompliance.com/ethical-issues-ai-cybersecurity/

  102. A Guide for Insider Risk Teams: 10 Tips for Monitoring User Activity While Protecting Privacy - Proofpoint, accessed April 26, 2025, https://www.proofpoint.com/us/blog/information-protection/balancing-user-privacy-and-user-activity-monitoring

  103. (PDF) LEADING SAAS INNOVATION WITHIN U.S. REGULATORY BOUNDARIES: THE ROLE OF TPMS IN NAVIGATING COMPLIANCE - ResearchGate, accessed April 26, 2025, https://www.researchgate.net/publication/379906798_LEADING_SAAS_INNOVATION_WITHIN_US_REGULATORY_BOUNDARIES_THE_ROLE_OF_TPMS_IN_NAVIGATING_COMPLIANCE

  104. Best Human Risk Management Platforms in 2025 - Slashdot, accessed April 26, 2025, https://slashdot.org/software/human-risk-management/

  105. Best Security Awareness Computer-Based Training Reviews 2025 | Gartner Peer Insights, accessed April 26, 2025, https://www.gartner.com/reviews/market/security-awareness-computer-based-training

Franklin Donahoe
Previous

Transitioning to a Passwordless Future
Next

Bridging the Divide