NG Solution Team

Will human behavior determine your next cybersecurity breach?

In the face of rising cyber risks, businesses often turn to new technological tools. However, evidence increasingly suggests that the true battleground lies not within IT systems, but among the individuals using this technology. The 2025 Verizon Data Breach Investigations Report indicates that nearly 60% of breaches involve human factors such as manipulation, mistakes, or misuse. While technology is essential, it falls short if users can still be deceived.

The gap between knowledge and action under pressure is widening, exacerbated by AI-enhanced social engineering that delivers flawless emails, credible voices, and convincing video calls at scale. A notable incident in Hong Kong saw a finance worker duped into transferring over $25 million due to a deepfake video conference. The criminals exploited routine human behavior rather than breaking encryption.

Awareness training alone has proven insufficient. Many organizations conduct simulations and annual training, but breaches continue due to behavior in critical moments. This is where human risk analytics can make a difference.

Human risk analytics involves the continuous assessment of how individuals interact with communications and systems, using these patterns to predict and mitigate risk. It shifts the focus from mere test passing to analyzing typical behaviors and identifying risky deviations.

Practical applications include detecting employees who frequently click on high-risk links, flagging anomalies like sudden payment instructions or unusual communication patterns, and correlating identity signals with risky actions. These clues, when combined, create a comprehensive risk profile for individuals and messages, enabling timely interventions.

For example, if a junior finance analyst receives a suspicious payment request from a “CEO,” human risk analytics might flag the message based on several factors, such as new bank details, unusual timing, and atypical communication. Interventions could include temporarily holding payments, prompting verification through secure channels, and requiring additional authentication.
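The scoring behind that scenario can be sketched as follows. This is an added example, not code from the article or from any product it describes; the signal names, weights, thresholds, addresses and account labels are all hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class SenderBaseline:          # what is normal for one sender (constructed data)
    known_accounts: set
    usual_hours: range         # local hours in which this sender normally writes
    usual_channels: set

@dataclass
class PaymentRequest:
    sender: str
    account: str
    hour: int
    channel: str
    recipient_risky_clicks: int  # recipient's recent clicks on high-risk links

# Hypothetical weights and thresholds; tune them on observed outcomes.
WEIGHTS = {"unknown_sender": 60, "new_bank_details": 40,
           "unusual_timing": 20, "atypical_channel": 20}
ACTIONS = [(40, "verify_via_secure_channel"), (60, "hold_payment"),
           (80, "require_additional_authentication")]

def find_signals(req, baselines):
    """Return the deviations from the sender's baseline that this request shows."""
    base = baselines.get(req.sender)
    if base is None:
        return ["unknown_sender"]
    checks = [("new_bank_details", req.account not in base.known_accounts),
              ("unusual_timing", req.hour not in base.usual_hours),
              ("atypical_channel", req.channel not in base.usual_channels)]
    return [name for name, hit in checks if hit]

def assess(req, baselines):
    """Combine message signals with the recipient's history into score and actions."""
    found = find_signals(req, baselines)
    score = sum(WEIGHTS[s] for s in found)
    if found:  # recipient history only amplifies a message that already deviates
        score += 5 * min(req.recipient_risky_clicks, 4)
    actions = [name for floor, name in ACTIONS if score >= floor]
    return {"score": score, "signals": found, "actions": actions}

# Constructed sample data: one baseline and two requests.
BASELINES = {"ceo@example.com": SenderBaseline({"ACCT-001"}, range(8, 19), {"corp_email"})}
ROUTINE = PaymentRequest("ceo@example.com", "ACCT-001", 10, "corp_email", 3)
SUSPECT = PaymentRequest("ceo@example.com", "ACCT-999", 23, "personal_email", 1)

if __name__ == "__main__":
    for req in (ROUTINE, SUSPECT):
        print(assess(req, BASELINES))
```

The recipient's click history raises the score only when the message itself already deviates from the baseline, so a routine request to a frequently phished employee is not held.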

Successful programs in the Asia-Pacific region adhere to five principles: focusing on the human layer, personalizing risk without stigmatizing, making interventions immediate, tracking outcomes rather than effort, and building trust through transparency.

Ultimately, this is about integrating technology with human behavior. While controls like email authentication and identity security remain important, the key is ensuring that employees pause and verify before making critical decisions. In an era of AI-generated deception, optimizing for human behavior is crucial for preventing the next cybersecurity breach.
