Are you managing risk, or just naming worries?
Dear renegades, mavericks, and deviants,
Phishing isn't the risk. Neither is password reuse. Neither are your users.
Risk is the potential for a bad outcome for the organization.
If that sounds wrong, it’s on you.
Because it means you've been using the word "risk" the way many security peeps do — as a label for anything bad. And that's exactly why risk management feels so slippery.
Here's the problem:
In the human side of cybersecurity, we’ve turned "risk" into a catch-all shorthand for threats, behaviors, vulnerabilities, and attackers. It sounds serious. But it isn’t precise.
Risk isn’t the bad thing itself. It isn't the behavior that contributes to it, and it isn't the threat that activates it. It is the outcome.
This isn't pedantry. It's foundational. If you can't define what the bad thing actually is, you can't measure it, prioritize it, or reduce it. You're just shuffling words around.
Here's a 20-second test.
Say it out loud: "There is a risk that…"
- “...someone clicks a link” = behavior, not risk.
- “...an attacker targets finance” = threat, not risk.
- “...we suffer a $1m reportable breach” = risk.
Risk = likelihood × impact.
Behavior and context change the likelihood. Threats are what turn that likelihood into an actual event. Impact is how bad the outcome is when it happens.
The distinction is everything. Legacy security treated people as users, not as part of the system. Tools and infrastructure got the serious risk treatment. People got awareness training and written policies, and everyone hoped for the best.
But the modern reality is different. Humans are a core part of the system, and their behavior materially shapes outcomes. So any serious risk assessment has to account for human beings more deeply: not as "the risk," but as a driver of likelihood.
Behavior shapes how likely it is that the bad thing will happen. Context shapes how bad it gets when it does. But neither of them is the risk itself.
Once you see this, you can't unsee it. And you’ll be able to:
- Stop saying "our users are a risk" and start asking "which behaviors are increasing the likelihood of outcomes we care about?"
- Stop counting training completions and start measuring whether behavior actually changed.
- Stop labelling and start managing.
Try this. Pull up your last board paper or risk register. Every time you see the word "risk," ask:
“Can I complete ‘there is a risk that…’ with an organizational outcome?”
If not, you're not managing risk. You're just naming things you're worried about.
And those aren't the same thing.
— Oz A
P.S. Which “risks” survived the test in your register? Hit reply and let me know. I'm genuinely curious about whether this quick check sparked something, and what you found.