Human Risk Management (HRM)

The Gartner-coined category that replaces Security Awareness Training with behavior-centered, evidence-producing controls applied at the moment of risk.

Human Risk Management (HRM) is the cybersecurity category Gartner formally defined in its 2024 Market Guide for Security Behavior and Culture Programs (SBCP) — the umbrella under which it deprecated the term Security Awareness Computer-Based Training. HRM treats the workforce as a measurable, controllable risk surface, on the same footing as endpoints or identities, rather than as a population to be lectured at once a year.

The shift Gartner described is structural, not cosmetic. Where the legacy Security Awareness Training category measured completions and click rates, HRM measures behavior:

  • Behavior observation, not course delivery. An HRM platform ingests signals from SaaS, identity, and email to detect risky behaviors as they happen — public file shares, OAuth consent grants, MFA push approvals, password reuse — instead of polling employees on what they remember.
  • Moment-of-risk intervention. When risk is detected, an HRM platform fires a nudge in-channel (Slack, Teams), not an LMS reminder weeks later.
  • Per-person risk score. Each employee carries a behavior-derived score that trends over time, exposed to the CISO and feeding adaptive controls.
  • Evidence over completion. HRM produces behavioral evidence — observed-then-corrected behaviors, with timestamps — that maps to auditor requirements under NIS2, SOC 2 and GDPR Article 32.
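As an added illustration (not Engarde's code or scoring model), the Python below sketches the loop the list describes: constructed behavior signals, a per-person score that decays so it trends over time, and an observed-then-corrected evidence record with timestamps. The behavior weights, half-life and channel name are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample signals, not real telemetry: (timestamp, user, behavior).
# The behaviors are the ones named in the list above.
EVENTS = [
    ("2024-05-01T09:00:00", "ana", "public_file_share"),
    ("2024-05-01T09:05:00", "ana", "oauth_consent_grant"),
    ("2024-05-02T10:00:00", "bo", "mfa_push_approval"),
    ("2024-05-20T08:00:00", "ana", "password_reuse"),
]

# Assumed per-behavior weights; illustrative only.
WEIGHTS = {"public_file_share": 20, "oauth_consent_grant": 30,
           "mfa_push_approval": 15, "password_reuse": 25}
HALF_LIFE_DAYS = 14  # assumed decay so older observations weigh less

def risk_score(events, user, as_of):
    """Behavior-derived score: weighted sum of past observations with exponential decay."""
    total = 0.0
    for ts, who, behavior in events:
        if who != user:
            continue
        age_days = (as_of - datetime.fromisoformat(ts)).total_seconds() / 86400
        if age_days < 0:  # ignore observations after the scoring instant
            continue
        total += WEIGHTS[behavior] * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return round(total, 1)

@dataclass
class Evidence:
    """One observed-then-corrected record, the artifact an auditor asks for."""
    user: str
    behavior: str
    observed_at: str
    nudge_channel: str
    corrected_at: Optional[str] = None

def nudge_and_record(event, channel="slack"):
    """Moment-of-risk intervention: the nudge goes in-channel, and evidence is opened at once."""
    ts, user, behavior = event
    # A real platform would post the nudge to Slack/Teams here; this sketch only records it.
    return Evidence(user=user, behavior=behavior, observed_at=ts, nudge_channel=channel)

def mark_corrected(evidence, corrected_at):
    """Close the record once the risky behavior is observed to be fixed."""
    evidence.corrected_at = corrected_at
    return evidence
```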

HRM exists because the knowledge-behavior gap is real and measurable: trained employees still click, still grant OAuth, still reuse passwords. Verizon’s Data Breach Investigations Report has placed the human element in roughly 68-74% of breaches every year since 2020. Gartner’s guidance is that the answer is not more training content — it is observing and shaping behavior continuously, with the same operational discipline the security team applies to vulnerabilities or detections.

Engarde (engarde.cc) sits inside this category by design: every screen, every metric, and every artifact in the product exists to either observe a behavior or change one.
