Human Risk Management Solutions, Q3 2024

Human Risk Management Has Blossomed Into A Distinct And Expanding Market

For decades, firms relied on security awareness and training (SA&T) to address the human side of security breaches. Despite this, data breaches continued to rise, CISOs struggled to foster a positive security culture, and learners chafed at one-size-fits-all training. Our 2022 Forrester Wave™ evaluation of SA&T vendors found disruptions to the status quo, with solutions emerging to measure cybersecurity behaviors, quantify risks, and initiate risk-led interventions. We’ve since renamed the market and now call it human risk management (HRM) — solutions that manage and reduce cybersecurity risks posed by and to humans. Many CISOs have already embraced the shift; others are starting their transition to more advanced HRM capabilities. While most vendors grasp the need for disruption and are shifting their mindset, strategy, technology, and nomenclature, they’re approaching the transition with different levels of urgency and clarity.

As a result of these trends, human risk management solution customers should look for providers that:

1. Enable you to adopt HRM, not just buy into it. Thought leaders have convinced the industry of the error of its ways, vendors have produced new innovations — and the shiny new solution they’ve created looks and feels nothing like the SA&T of the past. As such, it’s out of reach for the average SA&T admin and for many vendor sales and customer teams, which take the easy way out and sell and support SA&T — it’s what they know. Many customers we speak with are unaware of the extent of their vendors’ HRM capabilities, let alone how to use them. Vendors’ ability to enable sales and customer teams to drive adoption of these capabilities will make or break HRM. Look for providers that can readily show you which behaviors and events you can measure based on your tech stack, how you can use human risk to adapt training and policies, and how their customer success teams can help you progress your HRM maturity.
2. Demonstrate that HRM capabilities are clearly and significantly different. Customers are concerned that HRM is just a new name for an old market. While Forrester’s definition of HRM reflects the significant change of mindset, strategy, process, and technology needed to tackle an old problem in a new world, not all vendors have read the memo. Ensure that the vendor offers actual HRM capabilities that go well beyond awareness and phishing simulations and that the solution identifies risky user behaviors and events via integrations with security technologies and responds to those behaviors and events with a broad set of targeted, real-time interventions based on a user’s human risk, such as training, nudging, updating technical policies, or sending alerts or workflows.
3. Have a comprehensive, accurate method to measure human risk. Knowledge, engagement, and click rates are metrics from a bygone era; they’re important but don’t measure risk exposure completely or accurately. They were used to adapt training in irrelevant, punitive ways — the worse learners did, the more training they got. Look for solutions that correctly define risk and evaluate the likelihood and impact of harm to your organization by considering four key points: individuals’ actual behaviors; identity; personal attack exposure; and security knowledge and sentiment. The more granular the data on each, the better you will be able to measure and manage risk. Granular solutions measure actual behaviors across security categories, derive identity insights such as seniority and access levels, and recognize personal attack exposures.

Evaluation Summary

The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and Challengers. It’s an assessment of the top vendors in the market; it doesn’t represent the entire vendor landscape. You’ll find more information about this market in our report: The Human Risk Management Solutions Landscape, Q1 2024.

We intend this evaluation to be a starting point only and encourage clients to view product evaluations and adapt criteria weightings using the Excel-based vendor comparison tool (see Figures 1 and 2). Click the link at the beginning of this report on Forrester.com to download the tool.

Figure 1 - Forrester Wave™: Human Risk Management Solutions, Q3 2024

Figure 2 - Forrester Wave™: Human Risk Management Solutions Scorecard, Q3 2024

Vendor Offerings

Forrester evaluated the offerings listed below (see Figure 3).

Figure 3 - Evaluated Vendors And Product Information

Vendor Profiles

Our analysis uncovered the following strengths and weaknesses of individual vendors.

Leaders

1. Living Security punches above its weight to drive HRM adoption. Living Security has pioneered advancements in HRM while staying true to its SA&T roots. Its vision clearly states how HRM works with adjacent security categories, receiving risk data and providing actionable insight. The firm has demonstrated success in driving HRM adoption: It now generates one-third of its revenue via its Unify platform, which offers progressive HRM capabilities. It assumes that broad HRM coverage that is not limited to SA&T is appropriate for every customer; enables and rewards customer success teams for driving customer adoption and increasing maturity; and has a clear view of the behavioral change customers can achieve. Living Security has one of the clearest partnership strategies of the vendors in this evaluation, leading the cocreation of the vendor-independent HRM Maturity Model with competitors and practitioners.
   
   Living Security has a concise content library; reference customers appreciate its quality and creativity but critique it for being slow with content on emerging threats. It offers differentiated gamified content such as digital escape and cyber war rooms. Unify provides a comprehensive Human Risk Index that estimates the likelihood and impact of human behaviors on a firm’s overall security posture and is based on behaviors, external threats, and user access. It detects and measures more than 250 discrete user behaviors and events across key tech categories through more than 60 out-of-the-box integrations. It automates workflows to respond to risky events that assign training, nudges, or limited policy changes. The vendor measures security culture and can correlate responses to cultural dimensions with actual behavior. Living Security is ideal for firms that want a partner to move them to the future of HRM.
   
   View Living Security’s detailed scorecard.
2. CybSafe persists with a scientific, data-led vision for behavioral change. Early on, CybSafe made a clear case for the inadequacies of traditional SA&T and put forth an innovative data-driven, behavioral-led vision that the entire market now benefits from. But in 2024, this vision is no longer differentiating; it’s table stakes. CybSafe has persevered; while customers were slow to adopt advanced HRM capabilities, it now boasts a healthy pipeline for those use cases. With a roadmap guided by but not limited to client needs, the vendor continues to strike a balance between what its customers say they want and what problems they actually need to solve. CybSafe has SebDB, the world’s largest public crowdsourced security behavior database, and led the IMPACT conference by partnering with the National Cybersecurity Alliance, MITRE, and the US National Institute of Standards and Technology.
   
   CybSafe measures eight human risk outcomes, maps them to SebDB behaviors, and rates their likelihood and impact, which can be aligned to customers’ organizational risk frameworks. It can detect and measure more than 100 optimal and suboptimal security behaviors by integrating with widely used security solutions. The firm measures individuals’ attack scores via integrations with Proofpoint’s Very Attacked Person data and Have I Been Pwned. It allows the escalation of risky behaviors and events and intervention by training or policy adjustment. CybSafe has one of the most compelling cultural measurement tools of the evaluated vendors; delighted reference customers confirm this. Support is limited to the UK and North America. CybSafe is ideal for firms that are serious about their security culture and about data-led behavioral change.
   
   View CybSafe’s detailed scorecard.

Strong Performers

1. KnowBe4 is bullish on SA&T disruption and HRM adoption. While KnowBe4 acquired HRM capabilities via its 2022 acquisition of Security Advisor, it has not used its size to disrupt SA&T, and customer HRM adoption has been lackluster. The vendor has finally begun to act on its plans to lead the disruption of traditional SA&T, enabled by a solid AI strategy, the acquisition of email security vendor Egress, the embrace of HRM nomenclature, and a redesign of customer and sales functions to drive the adoption of disruptive features. Central to its vision is Artificial Intelligence Defense Agents (AIDA), an umbrella term for AI initiatives focused on legacy needs like training automation, phishing simulations, and quizzes. Its plans for risk scoring are the opportunity to elevate its HRM capability. KnowBe4 has a comprehensive and selective partnership program and sells to and supports customers worldwide.
   
   KnowBe4 builds on its content creation investment by continuously growing and refreshing its content library. Eight content centers of excellence across three continents ensure that content is globally appropriate. The vendor calculates risk based on knowledge, training, job function, personal breach data, and phishing behavior. It integrates with more than 30 security vendors for secure behavior and event data, although just 10% of customers have adopted the functionality for identifying and responding to risky behavior. KnowBe4 does offer some privacy controls, but it’s not a systematic consideration in product development. Reference customers cite the entertaining educational content and phishing simulations as key reasons for selecting and retaining the vendor. Firms seeking tried and tested SA&T by a large and respected vendor that offers established, ready-to-adopt HRM capabilities should look to KnowBe4.
   
   View KnowBe4’s detailed scorecard.
2. SoSafe prioritizes Europe, privacy, and psychology and is catching up on HRM vision. Founded in Germany in 2018 by a psychologist, SoSafe’s vision is embodied in The Human Risk OS, which aims to engage users by using positive psychology to reduce friction and drive visibility. It invests heavily in R&D and has a solid innovation process. Given its European roots, the vendor adheres to strict privacy-by-design principles and controls. SoSafe’s roadmap for 2024 includes innovative items its competitors have addressed and plans to make strategic moves in behavioral detection, interventions, and forecasting in 2025. It allocates half of its development efforts to advanced HRM features. In spite of its vision, just 10% of customers have adopted progressive HRM capabilities, a gap reflected in the vendor’s outdated nomenclature — it still sells “awareness packages” and holds a Human Firewall Conference.
   
   SoSafe’s content is created by a small team of experts with behavioral psychology, social science, and education backgrounds to prioritize positivity and empowerment. It quantifies risk based on user knowledge, a limited set of security behaviors, identity, cybersecurity attitudes, and emotions. The vendor currently detects 13 cybersecurity behaviors and aims to integrate with 80% of its customers’ tech. Reference customers expressed excitement about upcoming integrations. SoSafe uses generative AI for standard content creation and attack simulation use cases and integrates its chatbot Sofie into the platform to answer employee security queries in real time. Organizations that have to balance privacy with innovation should look to SoSafe.
   
   View SoSafe’s detailed scorecard.
3. Mimecast took a fast route to market by acquiring Elevate but must still prove itself. After initially resisting HRM, Mimecast acquired Elevate Security in January 2024, bringing much-needed vision and the technology to execute it. The acquisition combines Elevate’s data-driven human risk insight and intervention capabilities with Mimecast’s security technology heritage. The vendor expresses its HRM commitment in its goal to enable human risk scoring for all of its 45,000 customers and plans to integrate non-Mimecast security products for risk signals. It retained Elevate execs as part of its product leadership team; senior leaders are invested in and express support for the new vision. While these moves have allowed Mimecast to catch up to the rest of the market, it must still differentiate itself. The vendor’s roadmap is thorough and agile; while it’s clear on driving adoption, it’s less clear on HRM capability development.
   
   Mimecast will continue to release well-produced videos and is finding ways to evolve its content. This is much needed, as some reference customers were unenthusiastic about content coverage and style. Its human risk score considers employees’ security behaviors, identity, and how frequently they get attacked; risk scales align with vulnerability management and common vulnerability scores. The vendor enables real-time nudges, escalation of risky events, and policy interventions, although interventions are limited to identity updates. The personalized monthly scorecard it shares with employees is differentiated but doesn’t allow them to adjust training. Firms with a strong behavioral change drive that want to move beyond SA&T should consider Mimecast.
   
   View Mimecast’s detailed scorecard.
4. Proofpoint has strong individual capabilities but has yet to develop holistic HRM. With a heritage in email security, data loss prevention, and SA&T, Proofpoint’s vision since 2018 has been one of human-centric security to protect people and defend data. It realizes this vision via a suite of tools that separately identify risky behavior and events, quantify and visualize the human risk, and intervene based on the risk. Proofpoint’s success in managing human risk depends on a customer’s licensing model — the more Proofpoint tools it has, the more visibility it gets into risky events and behaviors. For now, these events and behaviors are limited mostly to data collected by Proofpoint. Its strategy to detect, intervene, change behavior, and evaluate aims to unify the vendor’s disparate human risk management capabilities.
   
   Proofpoint’s People Risk Explorer provides visibility into the Very Attacked Person based on the attack method and the person’s skills and access levels. To measure security behaviors, the vendor incorporates integrations across its own products, Microsoft Defender, and some identity solutions. It recently released an automated, dynamic group capability that syncs high-risk groups in Targeted Attack Prevention with the awareness platform and provides them elevated training. However, reference customers were not aware of the vendor’s adaptive learning capabilities. The vendor offers a 5-minute security culture survey that provides resources to interpret survey results and gives some general recommendations. Proofpoint customers who are ready to adopt multiple solutions from the vendor on a journey toward HRM should look no further.
   
   View Proofpoint’s detailed scorecard.

Contenders

1. Hoxhunt focuses on phishing-related risks and training instead of HRM — for now. Hoxhunt’s vision is to coach people based on their strengths and weaknesses across a broader set of security behaviors. To realize its vision, it has committed substantial budget to a five-year R&D plan to expedite AI investment and enhance threat detection and risk-driven personalized training to help it catch up to the market. The vendor plans to expand its ability to detect and respond to behaviors unrelated to social engineering to attain full suite of HRM capabilities. Its development approach is unique: Hoxhunt works with customers to create products. Product managers make more than 100 customer calls a year, granting contributing customers early access to enhancements. Its partner strategy focuses on a small number of partnerships that center on product cocreation and revenue, and not yet on broad HRM integrations.
   
   Hoxhunt’s small content library consists of microlearning modules and phishing simulations designed to be dispensed frequently in a gamified fashion to reduce learner friction. Customers can use its AI editor to generate their own content. Reference customers claimed that content is effective, but it’s not differentiated and doesn’t cater to all learning needs. Hoxhunt calculates a security score (human risk score) based on inputs such as social-engineering-related behaviors, competence, engagement, and attack susceptibility. Its training algorithm adjusts topics and difficulty to a person’s risk profile, location, language, and identity. It offers automated behavior-based training, delivering short training to users in real time via multiple channels at the point of risky behavior, although these capabilities are limited. Firms looking to partner with a vendor that has engaging phishing simulations and is expanding into HRM should evaluate Hoxhunt.
   
   View Hoxhunt’s detailed scorecard.
2. Infosec Institute focuses on traditional SA&T customers, delaying HRM adoption. Infosec Institute plans to delay completely transforming its platform into HRM until most enterprises start to embrace and adopt HRM, making it a follower rather than a leader. Its vision is to build HRM capabilities to bolster its cybersecurity skills and training platform, enabling security teams to adapt policies and technologies to humans. Infosec Institute has created a portfolio product strategy role and plans to use the data science team of parent company Cengage Group, but its innovation lags that of other evaluated vendors. The vendor plans to use Cengage’s partnership framework to bolster its integration partnerships. It has an internal alliance with National Geographic Learning, which collaborates with ministries of education worldwide, to provide content for various global cybersecurity curricula, but lags in community support for advancing HRM.
   
   Infosec Institute bases its learner score on outcomes of training and phishing simulations, not actual behaviors or events. It enables the creation of dynamic groups and can automatically deliver personalized training based on admin-defined criteria instead of real-time behaviors. It has yet to build integrations to detect security behaviors or personal attack exposures, and its human risk score is limited to learning and phishing simulations. Reference customers are satisfied with the vendor’s thorough solution support. Customer success managers are clients’ primary point of contact and act as client advocates but don’t help them advance their HRM maturity. Organizations that are not yet ready for HRM, and want solid SA&T capabilities and a dependable partner should consider Infosec Institute.
   
   View Infosec Institute’s detailed scorecard.

Challengers

1. NINJIO has engaging content but takes a wait-and-see approach to HRM. NINJIO’s vision is to make everyone unhackable; it believes that engaging content drives behavioral change, advocacy, culture, and action, a position that does not align with the future of HRMs. NINJIO views personalization as a key part of engagement and acquired Dcoya to support its personalization engine and content. Its efforts to balance delivering a pragmatic, customer-focused product means that its vision and roadmap are limited to current and legacy market needs rather than taking on future market needs. NINJIO partnered with the US Federal Bureau of Investigation to educate society, providing unconditional distribution of its content on emerging threats such as pig butchering scams.
   
   NINJIO invests in highly differentiated animated and illustrated content, categorized to align with seven primal emotions. Reference customers are satisfied with the style and quality of content, although it has a smaller content library than its competitors. Its phishing simulation tool automatically analyzes human risk by attack vector, difficulty, and primal emotion, delivering content to discover each user’s breaking point and adapt accordingly. The vendor’s integrations and ability to identify behaviors unrelated to phishing are limited and do not trigger policy interventions. NINJIO does not offer a specific culture evaluation, believing that culture is built through engaging content and phishing programs. Organizations that want to engage learners with excellent content but have other HRM plans should seek NINJIO.
   
   View NINJIO’s detailed scorecard.

Evaluation Overview

We grouped our evaluation criteria into three high-level categories:

1. Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic indicates the strength of its current offering.
2. Strategy. Placement on the horizontal axis indicates the strength of each vendor’s strategy, including elements such as vision and innovation.
3. Market presence. The size of each vendor’s marker on the graphic reflects Forrester’s assessment of its market presence.

Vendor Inclusion Criteria

Each of the vendors we included in this assessment has:

1. A global presence and customer base. We included vendors that earn no more than 85% of their HRM revenue on one continent or earn revenue on at least four continents.
2. Broad human risk management coverage. Each participant has or plans to have native functionality for risk-driven policy response; risky behavior identification using external tools; behavioral change and risk metrics; and human risk feeds to other security and nonsecurity teams and technologies.
3. A significant number of direct enterprise clients. A significant percentage of each vendor’s direct clients are enterprises (companies with 1,000 or more employees).
4. Minimum revenue of US$10 million. Each vendor earns at least $10 million per year from its HRM offering.
5. Significant interest from Forrester customers. Each vendor garners significant interest from our clients in the form of inquiries, advisories, interactions at events, and other conversations.

Supplemental Material

Online Resource

We publish all our Forrester Wave scores and weightings in an Excel file that provides detailed product evaluations and customizable rankings; download this tool by clicking the link at the beginning of this report on Forrester.com. We intend these scores and default weightings to serve only as a starting point and encourage readers to adapt the weightings to fit their individual needs.

The Forrester Wave Methodology

A Forrester Wave is a guide for buyers considering their purchasing options in a technology marketplace. To offer an equitable process for all participants, Forrester follows The Forrester Wave™ Methodology to evaluate participating vendors.

In our review, we conduct primary research to develop a list of vendors to consider for the evaluation. From that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather details of product and strategy through a detailed questionnaire, demos/briefings, and customer reference surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in the marketplace, to score vendors, using a relative rating system that compares each vendor against the others in the evaluation.

We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester Wave report. We evaluated the vendors participating in this Forrester Wave using materials they provided to us by June 11, 2024, and did not allow additional information after that point. We encourage readers to evaluate how the market and vendor offerings change over time.

In accordance with our vendor review policy, Forrester asks vendors to review our findings prior to publishing to check for accuracy. Vendors marked as nonparticipating vendors in the Forrester Wave graphic met our defined inclusion criteria but declined to participate in or contributed only partially to the evaluation. We score these vendors in accordance with our vendor participation policy and publish their positioning along with those of the participating vendors.

Integrity Policy

We conduct all our research, including Forrester Wave evaluations, in accordance with the integrity policy posted on our website.