You’ve done everything by the book. You follow ISO 27001, your risk assessments are meticulous, and you’ve deployed best-in-class technology. Yet the post-incident report points to the same frustrating cause: “human error.” For decades, the human element has been treated as an unpredictable, chaotic variable that defies the structured processes security leaders rely on. It’s the ghost in our risk management machine. But what if we’ve been using the wrong formula all along?
A recent 2025 academic paper published in Electronics introduces a new methodology that challenges our core assumptions. It argues that the standard risk models used by countless organizations are fundamentally incomplete. By overlooking the human element, they create a dangerous blind spot. It’s time to stop blaming human error and start building a better process to manage human risk.
The Two Missing Variables in Your Risk Assessment
Every CISO is familiar with the classic risk formula: Risk = Likelihood × Impact. It’s the foundation of countless standards, from NIST to ISO. However, the new research argues this model is dangerously oversimplified. It’s missing two critical, quantifiable variables:
- The Adversary Profile (AP): The maturity, motivation, and technical skill of the attacker.
- The User Profile (UP): The maturity, security hygiene, and psychological traits of the internal user interacting with the system.
Ignoring these factors is like trying to calculate a storm’s impact without considering wind speed or the strength of the city’s buildings. You get a number, but it doesn’t reflect reality. This oversight is why purely technical defenses often fail to stop attacks that exploit human behavior.
Introducing HRM: A Process for Human-Centric Risk Management
To fix this broken model, the paper proposes a practical methodology called Human-Centric Risk Management (HRM). This isn’t another abstract framework to replace what you already have; it’s a powerful upgrade designed to integrate directly into your existing ISO 27001 processes. HRM’s core innovation is a new, more accurate risk formula that explicitly includes the human element:
Risk = Likelihood × Impact × Adversary Profile (AP) × 1/User Profile (UP)
By turning the “human factor” into measurable profiles, HRM transforms it from an unpredictable problem into a manageable process variable. This allows you to finally quantify, track, and mitigate human risk with the same rigor you apply to technical vulnerabilities.
Putting HRM into Practice: The Three Core Phases
The HRM methodology provides a structured, three-phase process that any organization can begin to implement.
Phase A – Cartography: Mapping the Human Element
Before you can assess risk, you must map the terrain. This phase goes beyond a simple asset inventory. The crucial step here is developing detailed, multi-dimensional profiles for both your users and potential adversaries.
- User Profiles (UP): Using anonymized questionnaires and workshops, this process assesses users based on personality traits (e.g., vigilance, curiosity), social characteristics, and technical skills. This creates a data-driven understanding of your team’s security maturity.
- Adversary Profiles (AP): Based on threat intelligence and historical data, this process profiles attackers on their skills, motivations, and psychological traits (e.g., persistence, conscientiousness).
Phase B – Risk Assessment: Applying the New Formula
With the human element now quantified, you can conduct a far more accurate risk assessment. By incorporating the AP and UP scores into the risk calculation, you get a result that reflects the real-world interplay between your technology, your people, and your attackers.
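As an added worked example (not code from the paper or from the original post), the following Python scores hypothetical User and Adversary Profiles of the kind described under Phase A and then applies both the classic formula and the HRM formula to a constructed three-row risk register, showing how the same assets are re-ranked once AP and UP enter the calculation. The 1 to 5 ordinal scale, the mean-of-traits aggregation, and every name and score are assumptions: the page does not reproduce the paper’s questionnaire items or scoring scheme.

```python
"""Added worked example (not from Kioskli et al. 2025): score hypothetical
Adversary Profiles (AP) and User Profiles (UP), then compare the classic and
the HRM risk formula over a small, constructed risk register."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumption: every factor is scored on a 1..5 ordinal scale. The paper's real
# scales and questionnaire items are not given on this page.
SCALE_MIN, SCALE_MAX = 1, 5


def _checked(label: str, value: int) -> int:
    """Reject out-of-range scores; a UP of zero would also make 1/UP undefined."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be in [{SCALE_MIN}, {SCALE_MAX}], got {value}")
    return value


@dataclass(frozen=True)
class UserProfile:
    """Hypothetical UP: trait scores gathered from anonymised questionnaires (Phase A)."""
    name: str
    vigilance: int         # personality trait
    security_hygiene: int  # observed practice
    technical_skill: int   # technical competence

    def score(self) -> float:
        # Assumption: UP is the plain mean of the traits; the paper's aggregation is not on the page.
        traits = [self.vigilance, self.security_hygiene, self.technical_skill]
        return sum(_checked(f"{self.name} trait", t) for t in traits) / len(traits)


@dataclass(frozen=True)
class AdversaryProfile:
    """Hypothetical AP: attacker maturity derived from threat intelligence (Phase A)."""
    name: str
    skill: int
    motivation: int
    persistence: int

    def score(self) -> float:
        # Same assumed aggregation as UserProfile.score.
        traits = [self.skill, self.motivation, self.persistence]
        return sum(_checked(f"{self.name} trait", t) for t in traits) / len(traits)


@dataclass(frozen=True)
class Scenario:
    """One row of the risk register: an asset, the user who handles it, and the expected attacker."""
    asset: str
    likelihood: int
    impact: int
    user: UserProfile
    adversary: AdversaryProfile


def classic_risk(s: Scenario) -> float:
    """Risk = Likelihood x Impact (the classic formula)."""
    return _checked("likelihood", s.likelihood) * _checked("impact", s.impact)


def hrm_risk(s: Scenario) -> float:
    """Risk = Likelihood x Impact x AP x 1/UP (the HRM formula quoted in the post)."""
    return classic_risk(s) * s.adversary.score() / s.user.score()


def rank(scenarios: List[Scenario], formula: Callable[[Scenario], float]) -> List[Tuple[str, float]]:
    """Order the register from highest to lowest risk under the given formula."""
    return sorted(((s.asset, formula(s)) for s in scenarios), key=lambda r: r[1], reverse=True)


def build_sample_register() -> List[Scenario]:
    """Constructed sample data; all names and scores are illustrative only."""
    crime = AdversaryProfile("organised crime", skill=4, motivation=5, persistence=4)
    phisher = AdversaryProfile("opportunistic phisher", skill=2, motivation=3, persistence=2)
    apt = AdversaryProfile("targeted intrusion set", skill=5, motivation=5, persistence=5)
    alice = UserProfile("finance lead", vigilance=5, security_hygiene=5, technical_skill=4)
    bob = UserProfile("hr assistant", vigilance=2, security_hygiene=2, technical_skill=2)
    carol = UserProfile("developer", vigilance=3, security_hygiene=2, technical_skill=5)
    return [
        Scenario("finance-portal", likelihood=3, impact=5, user=alice, adversary=crime),
        Scenario("hr-inbox", likelihood=3, impact=4, user=bob, adversary=phisher),
        Scenario("dev-laptop", likelihood=2, impact=4, user=carol, adversary=apt),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for title, formula in (("Classic", classic_risk), ("HRM", hrm_risk)):
        print(f"{title} ranking:")
        for asset, score in rank(register, formula):
            print(f"  {asset:<16}{score:6.2f}")
```

Under the classic formula the finance portal (15) tops the register and the HR inbox (12) sits second; under HRM the low-maturity user on the HR inbox pushes that row to the top (14.0) while the well-trained finance lead pulls the portal down (13.9). The ordering change, not the absolute numbers, is the point of the example.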
Phase C – Risk Treatment: Moving Beyond Technical Controls
This is where HRM truly shines for process-focused leaders. Traditional risk treatment plans often stop at technical controls. The HRM process formally integrates “social measures” as a core part of the solution. These are not just vague “awareness campaigns” but targeted interventions based on your User Profile data, including:
- Targeted Training & Behavioral Interventions: Specific training to address measured weaknesses.
- Co-Creation Workshops: A novel approach where users from all levels – from employees to CISOs to third-party suppliers – collaborate to design security controls. This participatory process fosters buy-in and ensures the solutions are practical and effective.
What This Means for Your Security Program
The Human-Centric Risk Management methodology represents a critical evolution in our field. It provides a structured process to finally get a handle on the industry’s most persistent and elusive threat.
For CISOs, the key takeaway is this: stop treating human error as an unavoidable cost of business. By adopting a process like HRM, you can transform the human element from your biggest liability into a measurable and defensible part of your security posture. It’s about moving from a culture of blame to a culture of data-driven, human-centric resilience.
For Further Reading:
This blog post is based on the insights presented in the academic paper: Kioskli, K., Seralidou, E., & Polemi, N. (2025). A Practical Human-Centric Risk Management (HRM) Methodology. Electronics, 14(3), 486. https://doi.org/10.3390/electronics14030486