How to Use KnowBe4 Human Risk Management Metrics to Prioritize Remediation and Target High‑Risk Users

Answer First

Utilize KnowBe4’s Human Risk Management (HRM) metrics to identify and rank individuals by their risk level. Focus your remediation efforts on a targeted group that significantly minimizes organizational exposure and automates training and enforcement strategies for high-risk users. Start by pinpointing high-risk signals, which include Phish-Prone Percentage (PPP), Human Risk Score (HRS), failed remediation attempts, and repeat offenders. Segment users by role, sensitivity of access, and then apply risk-based remediation playbooks that effectively combine targeted training, changes in simulated phishing cadence, policy coaching, and necessary technical controls. For more on how HRM fits into KnowBe4's overall programs, see The Role of Human Risk Management in KnowBe4's Training Programs.

Why This Matters

In today's fast-paced digital landscape, security programs often grapple with budget limitations and time constraints. HRM metrics transform behavioral data into actionable insights, allowing for effective remediation strategies that reduce breach likelihood. For example, organizations leveraging these metrics saw a 30% drop in successful phishing attempts within just three months of implementing targeted training initiatives, demonstrating the impact of an informed approach.

Key HRM Metrics to Use

1. Phish-Prone Percentage (PPP): The percentage of users who click on or submit credentials during simulated phishing tests. This metric helps isolate susceptible cohorts that should be prioritized for training.
2. Human Risk Score (HRS): A cumulative score that aggregates behavioral data, including phishing behavior and training completion rates. Sorting users based on HRS allows organizations to effectively rank individual risk.
3. Repeat Offender Count and Time-to-Remediate: Tracks who fails multiple tests and the duration they remain untrained.
4. Training Completion and Assessment Scores: Indicators of whether learning results in changes in behavior.
5. Risk Trends and Velocity: Metrics monitored over time help in identifying rising risk levels in specific teams or roles.

Step-by-step: Prioritizing Remediation

1. Define Tiered Risk Thresholds: Customize thresholds based on your organization’s operational realities. For instance:

   • High risk: PPP > 20% or HRS in top 10% — immediate remediation efforts.
   • Medium risk: PPP between 5-20% or rising HRS — scheduled remediation within 30 days.
   • Low risk: PPP < 5% and low HRS — routine awareness training. It’s crucial to calibrate these thresholds according to your specific industry and baseline data.

2. Combine Business Context with HRM Metrics: Overlap users’ business roles, access levels, and data sensitivity when prioritizing remediations. For example, a moderately phish-prone admin should take precedence over a high phish-prone intern without access to sensitive systems.

3. Use a Risk Matrix to Prioritize: Implement a risk matrix with the X-axis representing likelihood (PPP/HRS) and the Y-axis denoting impact (role sensitivity, access level). Begin by remediating users who fall into the highest likelihood and highest impact categories first.

4. Apply Remediation Tiers:

   • Immediate automated actions: Implement mandatory refresher training, increase simulated phishing attempts, and provide targeted email coaching.
   • Escalation actions: Notify managers, impose temporary access restrictions, or arrange one-on-one coaching for repeat offenders.
   • Technical enforcement: Tighten multi-factor authentication, implement conditional access, or mandate password resets for very high-risk accounts.

Targeting High-Risk Users Effectively

• Segment by Behavior and Business Risk: Leverage HRM dashboards to generate dynamic user groups, such as “Top 5% HRS + Admin Role.”
• Personalize Learning Paths: Tailor training for high-risk users, utilizing shorter micro-modules or interactive content for accelerated behavior change.
• Increase Simulation Cadence: Implement more frequent and diverse phishing simulations for high-risk groups to enhance learning and test resilience; for approaches and evidence of effectiveness, see What is KnowBe4's Approach to Phishing Simulation and Its Effectiveness?.
• Engage Management: Provide managers with concise action points and user risk trends, fostering a culture of responsibility and support for remediation efforts.

Automation and Integrations

• Leveraging Technology: Integrate HRM with Security Information and Event Management (SIEM) systems, identity platforms (such as Okta and Azure AD), and ticketing systems. Automated interventions can include ticket creation for remediation or triggering conditional access policies when HRS surpasses predetermined thresholds.
• API Utilization: Employ APIs to export HRM data for risk scoring in Governance, Risk, and Compliance (GRC) platforms or inform Security Operations Center (SOC) playbooks.
• Automate Reporting: Create weekly reports for leadership that display top risk cohorts and remediation progress, facilitating effective ROI tracking.

Measuring Success

• Track Friction Points: Observe if increased simulations correlate with reduced PPP and HRS metrics.
• Measure Time-to-Remediate: Successful programs typically experience a decrease in both time-to-remediate and repeat offense rates.
• Business KPIs: Monitor the rate of fewer security incidents attributed to human error and improvements in audit findings, which can indicate enhanced organizational resilience.

Practical Remediation Playbook (Example)

1. Detect: Identify users with top 5% HRS or PPP exceeding the established threshold.
2. Notify: Dispatch automated manager alerts and user remediation emails within 48 hours.
3. Train: Enroll identified users in an accelerated training program lasting 1-2 weeks, incorporating micro-learning and follow-up assessments.
4. Test: Increase phishing simulations for these users over the next 60-90 days, tracking their improvement.
5. Enforce: If there’s no progress after two cycles, escalate to access controls or personalized coaching sessions.
6. Report: Log all interventions and demonstrate trend lines to security leadership and HR.

Best Practices

• Start Simple: Begin with a conservative threshold and refine based on observed outcomes.
• Be Transparent: Clearly communicate the program's intent to employees and managers. Emphasize that remediation efforts are aimed at protection and skill development.
• Close the Feedback Loop: Use HRM metrics to assess the effectiveness of training content and adapt based on common pitfalls.
• Combine Behavioral and Technical Controls: While behavioral remediation can significantly lower risk, pair it with technical controls for high-impact accounts for comprehensive protection.

Conclusion

KnowBe4 HRM metrics empower organizations to transition from reactive training to proactive, risk-centric remediation strategies. By prioritizing user actions using a combination of PPP and HRS, overlaying business contexts, and automating remission workflows, organizations can effectively leverage their resources. This approach not only targets high-risk users but also establishes a defensible, data-driven framework for continuous improvement in managing human risk in cybersecurity.