Are you considering shifting your focus from building a security awareness program to a Human Risk Management program? In one of our latest blogs, we covered the basics of Human Risk Management (HRM) by identifying the difference between Human Risk Management and security awareness.

That’s the perfect base for understanding why HRM should be on your radar and why it’s becoming a trend in cyber security. If you’re done with your research and are ready to implement a full HRM program, this checklist is for you. In this blog, we will tell you exactly what you need to have a successful Human Risk Management program and implement it before Cyber Security Awareness Month in the fall. 

The Ultimate HRM Checklist 

1. Security awareness

Don’t worry, the program you’ve been building for the past months or maybe even years, isn’t a complete waste. Awareness is still a huge part of Human Risk Management. The only difference is that security awareness is only one part of Human Risk Management as HRM believes that even if all employees are aware, human error will still occur. 

A picture of a human risk management program template

"It’s been a “super-fantastic” experience to see people learning and talking about security threats."

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

So, although security awareness is important, it shouldn’t be all.

Your security awareness training should be built off of data and proof that you gather from your employees on what their biggest weaknesses are to attackers. So, before implementing any training, ensure you collect data to find what tools your team members need. 

Customized Interactive Training 

Once you’ve identified the vulnerabilities of your employees, tailor your training so it educates and trains your employees to protect your organization against any threats. Training should look different for almost every employee. Use customized training platforms, like Click Armor, to create divided training groups based on their department, security levels, seniority levels, and remote work ability. 

A remote work cyber security training simulation

Click Armor allows you to customize training based on the needs of each employee’s level, department, and access. Contact us to try our customized groups training. 


Seminars and panels are a great way to spread wide awareness to your organization. Although it may seem far away, Cyber Security Awareness Month is coming up and planning panels, podcasts, or competitions during this themed month is a great way to kickstart or introduce any new program. If you can, plan to launch your new Human Risk Management program around this time so you can reach as many eyes as possible. 

Tangible items

Also mentioned in our CSAF Live Panel on Cyber Security Awareness Month, sometimes posters, Zoom backgrounds, or desktop screensavers are the simplest way to get your employees’ attention. Consider supplying tangible items that will grab people’s attention and remind them about cyber security risks. 

2. Dark web monitoring

One of the most effective ways to identify and correct human risk is to monitor the dark web for any signs of compromised credentials or sensitive data being sold. The dark web is a part of the internet that’s not indexed by search engines and is often used by cybercriminals to sell stolen data.

Monitoring the dark web is a proactive approach that helps you identify any of your compromised credentials before they can be used to gain access to your organization’s data. To take this step you’ll need to invest in specialized software or partner with a company that offers dark web monitoring services. The top companies that offer Dark Web monitoring are:

The key to dark web monitoring in the context of Human Risk Management is to put in place a process that will occur if data is recovered from the dark web. Consider: Who will respond and take action if data is found? How can you work backwards to find where this information came from? What will happen once you discover the source of breached information? 

By implementing this monitoring process you align your organization with the HRM belief that human error is inevitable and your organization should work together to be prepared if something happens. 

3. Policy Management

Policies are an essential component of any cyber security program. They provide guidelines for employees on how to handle sensitive data, access control, and other security-related issues. Your policies should cover a wide range of topics including: 

  • Awareness Training: What is required of each different type of employee? What happens if they fail?
  • Password Management: What password managers are used? How often should passwords be changed? How are passwords shared?
  • Data Handling and Classifying: How is data classified? Stored? Shared?
  • Remote Work & Bring Your Own Device: What is allowed in the context of remote working? What do the rules look like for using personal devices?
  • Incident Reporting & Response: How does someone report suspicious activity? What happens when they do? Is there punishment for breaking policies resulting in breaches?
  • Third-Party Risk Management: What can third parties access? How do you give access?

Most importantly, your HRM program should identify how often you will reassess these policies and how employees will be notified when new policies are put in place or old policies are changed. Consider having a consistent channel for security updates whether it be emails, Slack, or a monthly update seminar. 

4. Firewalls, anti-virus software, & other technologies

In addition to the strategies mentioned above, it’s essential to have the right technologies in place to protect your organization from cyber threats. Firewalls can help prevent unauthorized access to your organization’s network. Implementing anti-virus software is a great call for taking action post-breach as it will help you detect and remove malware.

Other technologies that can help manage human risk include Data Loss Prevention Systems (DLP), Multi-Factor Authentication (MFA), Web Filtering & Web Control, and Encryption Technologies. 

5. Human Risk Monitoring

Lastly, it’s essential to continuously monitor human risk within your organization. This includes monitoring employee behaviour, network activity, and other security-related metrics that can help identify potential issues before they become serious problems.

This means having a process where you are continuously monitoring the behaviours of employees (What new projects do they have? What new tasks do they have? What new platforms are they then using?), the innovation of technology outside your organization (What new technologies have arrived and could add threats to your business?), and the trends of attackers (What companies similar to us have been attacked? How?). This essential step will ensure your Human Risk Management program is complete with no loopholes for attackers to find. 

Building a strong human risk management program is critical to protecting your organization from cyber threats. By increasing security awareness, monitoring the dark web, managing policies effectively, having the right technologies in place, and continuously monitoring human risk, your organization can better protect itself from cyber-attacks. Remember that humans are the weakest and strongest link in your cyber security defenses, so it’s essential to invest in a robust human risk management program to mitigate the risks associated with human behaviour.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.