This assessment was designed to help CISOs and security leaders get a sense of their fragility when it comes to human risk. It has 5 pillars and should take only 5-10 minutes to complete.
Answer honestly for the most accurate assessment. Please answer each statement from 1 to 5 where 1 is "Not true at all" and 5 is "Consistently true and measured".
When you finish, we will calculate your Human Fragility Index and email a consultative summary you can use in navigating security choices.
Remember every decision starts with a human.
We only accept corporate email addresses. Personal and disposable providers such as Gmail or ProtonMail are not accepted.
Section 1: Human behavior and culture
How your people think, feel, and act around security in the flow of real work.
Our employees follow secure practices in everyday tasks, such as verifying unexpected requests, reporting suspicious messages, and properly handling sensitive data.
Employees can recognize manipulation tactics such as urgency, authority pressure, guilt, fear, or reward-based pretexts, and can explain how attackers use these tactics in real scenarios.
Teams are comfortable sharing near misses or errors in order to learn from them, and discussions focus on improvement rather than punishment.
Supervisors regularly acknowledge secure actions, remind teams of good practices during routine work, and correct insecure behavior in a constructive way.
Employees across departments see security as part of their responsibility and talk about it as a normal part of doing business, rather than something only IT handles.
Section 2: Strategic governance and alignment
How leadership, strategy, and risk ownership connect to the human layer.
Leadership consistently supports human risk reduction efforts by providing resources, setting expectations, participating in training, and reinforcing secure behavior as part of the organization's culture.
Our security program is designed around how people actually behave, including cognitive shortcuts, workload pressures, communication habits, and common decision-making patterns.
Executives review human factor risks in formal meetings, receive metrics on behavior trends, and make decisions based on the human element of security.
Policies and controls are evaluated for how people think, behave, communicate, and make mistakes, ensuring decisions align with real human behavior patterns.
Behavioral metrics, reporting rates, phishing data, and incident patterns are tracked, analyzed, and prioritized with the same rigor as technical vulnerabilities.
Section 3: Operational reality and controls
How controls actually work in the messy real world, not on paper.
When deadlines, stress, or workload increase, employees still verify requests, handle data safely, and avoid shortcuts that create risk.
Security tools and workflows are designed to be efficient and intuitive so employees can stay secure without losing time or creating workarounds.
Employees know how and where to report suspicious activity, and reports are submitted promptly with enough detail for security teams to act.
Employees can spot unusual requests, phishing indicators, suspicious files, policy violations, or social engineering attempts and feel capable of taking the right steps.
Employees can quickly find clear, concise instructions for secure behavior without having to search through long or complex documents.
Section 4: Delivery and sustainment of cyber projects
How new security programs are implemented and maintained over time.
Before implementing new controls, teams evaluate how the change will affect behavior, cognitive load, workflows, and user decision-making.
Rollouts consider training, user adoption challenges, change fatigue, and communication strategies so employees adopt tools securely.
Updates to policies, tools, or procedures are communicated in simple language with clear reasons, timelines, and actionable steps for employees.
Employees get hands-on support, reminders, and reinforcement to help them adopt secure habits and integrate them into daily work.
The organization measures whether new behaviors persist over time, not just whether training sessions were completed.
Section 5: Testing and training program
How the organization measures and develops human resilience.
Education includes live examples, psychological tactics, and attack patterns taken from real-world threat activity, not generic or outdated scenarios.
Assessments track reporting rates, response behavior, context analysis, and decision-making steps, not just whether someone clicked.
Behavioral indicators such as reporting speed, verification habits, and secure decision-making show consistent improvement after training.
Employees in roles such as finance, HR, executives, and privileged-access users receive additional, specialized human risk training.
Security evaluations include phishing, smishing, vishing, pretext calls, physical social engineering, and behavioral assessments to get a complete risk picture.
Pillar breakdown
A copy of these results and a deeper analysis will be emailed to you shortly.