Security risk isn't just about attackers; it's about pressure, friction, and the human behavior at the core of every control. Discover a new model for HRM.
BEHAVE Newsletter

The anatomy of human risk
(and why behavior is the fulcrum)

Dear renegades, mavericks, and deviants,

A support agent can't access the system she needs to resolve an urgent ticket. Her colleague kindly steps in: "Just use mine for now." 

She accepts. Not because she's reckless, but because helping the customer in a timely manner matters more than following protocol in that moment.

Hello short-term gain, goodbye safety net.

A manager moves teams but still has access to old systems. Deprovisioning is manual, slow, buried in a queue somewhere (you know the drill). When his new permissions don't come through, he uses the old access as a shortcut.

Rational? Yes. Efficient? Yes. Risky? Oh yes.

A project team can't get approved software in time for a client deadline. Someone spins up an unapproved cloud service to share files. Thanks to that, they deliver on time.

…They also create exposure no one will discover until months later.

There’s that short-term gain again. 

And here’s the thing… in all three instances, these are just hardworking colleagues, with the company’s best interests at heart. You can hardly blame them. 

But here's what these scenarios also have in common: pressure meets behavior, and risk materializes.

Here's what most people miss. Risk isn't the bad thing. Risk isn’t the breach or the incident. Risk is the potential for the bad thing to happen.

You've been taught to think about risk as the outcome. The data loss. The ransomware. The regulatory fine. But that's impact. That's what happens when risk becomes reality.

Risk lives much earlier in the chain. And if you're not seeing it clearly, you're managing the wrong thing.

Pressure doesn't just come from attackers

Every incident begins with pressure.

Sometimes that pressure comes from outside. A cybercriminal wants money. A nation-state wants secrets. A fraudster wants access. These are the threats security teams have always understood.

But pressure also comes from within, just like in the scenarios above. 

  • Operational demands that compress timelines.
  • Competing priorities that force trade-offs. 
  • Processes that create friction instead of flow. 
  • The finance manager racing to close the quarter. 
  • The support agent juggling too many tickets. 
  • The new starter unsure which process to follow.

These aren't attackers. They're colleagues, doing their best, under (perfectly normal) conditions that make mistakes more likely.

And pressure comes from above. 

  • Regulations that demand reporting. 
  • Policies that conflict with workflows. 
  • Audit deadlines that crunch already tight schedules. 

…No malice here. Just the weight of obligation meeting the friction of reality.

All of it belongs in your threat model. Because all of it creates the conditions for risk.

Behavior is the fulcrum

Pressure alone doesn't cause incidents. It needs somewhere to go.

That somewhere is vulnerability. A gap. A weakness. Something that can be exploited — whether by a criminal or by circumstance.

Some vulnerabilities are technical. 

  • Unpatched systems. 
  • Misconfigured access. 
  • Weak authentication.

But many vulnerabilities are behavioral. 

  • Reusing passwords. 
  • Skipping verification. 
  • Sharing credentials to get things done faster. 

These aren't character flaws. They're rational responses to competing demands.

People optimize for what the system rewards. And the system doesn't always reward security.

When pressure meets vulnerability, likelihood increases. The bad thing becomes more probable. And the more valuable the asset at risk, the greater the potential impact if it happens.

This is risk: the possibility that pressure will find a gap and cause harm.

And here's the part most people don't see clearly: behavior sits at every point in that chain.

Behavior contributes to vulnerability. Behavior determines whether controls work. Behavior is what incidents trace back to. And behavior is what you can actually change.

Every control depends on behavior

Organizations don't just accept risk. They build defenses.

Policies, technologies, procedures, physical barriers. Administrative controls set the rules. Technical controls enforce them. Physical controls restrict access.

Together, they reduce vulnerability, lower likelihood, and limit impact.

But here's what traditional security often misses: every control depends on behavior to work.

A firewall depends on someone configuring it correctly. A policy depends on people following it. A badge system depends on people not holding the door open for strangers.

Technical, administrative, physical — it doesn't matter. If the behavior doesn't happen, the control doesn't work.

Behavior isn't one type of control. It's the foundation that every control rests on.

And if you're not designing for behavior — if you're not understanding what drives it, what blocks it, what changes it — then your controls are sitting on sand. And we all know how that goes. 

The model that learns

This isn't about blaming users. It's about designing systems, processes, and interventions that respect the pressures people face and make secure behavior the easy choice.

When you see risk as a system — pressure, behavior, vulnerability, likelihood, incident, impact — you stop asking "who clicked?" and start asking better questions:

  • Which behaviors matter most for this threat?
  • What's preventing those behaviors?
  • Which interventions will actually work?

Incidents trigger interventions. Risk outcomes inform your control environment. The system learns. Security becomes something that improves, not just a wall that holds or breaks.

People aren't external to the system. They're a core part of it. Their behavior materially shapes outcomes.

Recognizing this doesn't mean catching people out. It means understanding behavior well enough to change it.

That's what human risk management is.

This thinking shaped how we built SebDB, the ontology and dataset that map behaviors, determinants, interventions, and outcomes. But you don't need a database to start.

You need to see the system clearly first.

What pressure is your team under right now? And which behaviors would reduce the most risk if they changed?

— Oz A

P.S. If this reframe landed, share it with your CISO. Want to be part of the group developing the behavioral security ontology under Project NEXUS? Click here and get involved.

We've also just released Oh, Behave! The Cybersecurity Attitudes and Behaviors Report 2021-2025; it's five years of trend data on the widening gap between what people know and what they actually do. Get your copy here.

      Oz Alashe

      CEO and Founder, CybSafe

        CybSafe, Level 39, One Canada Square, Canary Wharf, London, United Kingdom, E14 5AB
        contact@cybsafe.com