how to implement a human risk program90 day security awareness planhuman risk management first steps

    July 15, 2026 · 7 min read · By Fensivo Team

    How to build a human risk program in 90 days

    Leer en español

    The conclusion: the first value does not come from training, it comes from knowing who is already exposed

    A human risk program can be stood up in 90 days, and the first step is not picking a course: it is measuring which of your company's credentials are already circulating in public breach data. That inventory takes fifteen days, asks nothing of anyone, and produces concrete actions in week one, while a training plan takes months to yield its first indicator and that indicator rarely says anything about real risk.

    The rest of the calendar falls into place once you accept that premise. Days 1 to 15, credential exposure. Days 16 to 45, the first behavior baseline under a simulated attack. Days 46 to 75, training triggered by failure. Days 76 to 90, the retest and the first report the board actually understands. Each stretch delivers something you can show, and none of them depends on the previous one having gone perfectly.

    Days 1 to 15: connect, inventory and measure credential exposure

    The technical start is short, because most of it comes down to an OAuth connection to the corporate mail directory and an inventory of people, roles and departments. What eats these two weeks is not installation, it is the internal conversation: who is in scope, which areas carry the most exposure, and who receives the first report.

    Human risk is managed automatically.

    Turn human risk into your first line of defense.

    Book a demo

    Free demo · 30 minutes · No commitment

    Running alongside it is the one measurement that waits on nobody: checking whether those people's credentials already appear in public breach databases. It is immediately actionable, because every finding turns into an action with a deadline (change the password, review active sessions, revoke access), and because it tells you from day one who is already on an attacker's radar.

    The urgency of this stretch has backing. Mandiant, in its M-Trends 2026 report, documents that the handoff time between initial access and the secondary actor who executes the attack collapsed from more than 8 hours in 2022 to 22 seconds in 2025. Translated into a calendar decision: the window between a credential being exposed and someone using it has closed so far that finding out next quarter is finding out late. That is why this stretch goes first, not last, where it usually sits in plans that start with content.

    Days 16 to 45: the first behavior baseline under a simulated attack

    With exposure measured, the next month answers a different question: how do these people behave when they are under pressure. Not how much they know, not whether they passed something. How they act.

    You build that baseline with realistic phishing simulations, and realistic here means two things. The lure has to relate to the person's actual work, their role and the platforms the company genuinely uses, instead of the generic email everyone spots. And it has to arrive unannounced, because a pre-announced drill measures something else entirely. The channel is chosen by where the problem comes in: CISA holds that more than 90 percent of successful cyberattacks begin with a phishing email, so email is the natural starting point for any serious measurement, and the channels that pile on afterward (voice, text messages, QR codes) widen the surface without displacing it.

    By the end of this stretch you should have three things: who fell, what kind of pretext each person fell for, and which areas concentrate the risk. That is the material you work with for the rest of the quarter. One unpopular piece of advice: do not circulate this baseline as if it were a performance review. If the first measurement reads as a trap for naming names, the program loses the cooperation it needs over the next two months. If you want the wider frame for choosing what to measure, we lay it out in how to measure if security training works.

    Days 46 to 75: training at the moment of failure, not on the calendar

    This is where you find out whether the program changes anything or just generates activity. The difference is timing.

    Calendar-scheduled training competes with the person's job and loses: it lands on some random Tuesday, unconnected to anything that happened to them, and gets dispatched in two minutes with the video playing in the background. Training triggered by failure lands at the one moment the person has a real question (why did I fall for that), lasts as long as the attention of someone who is mid-task, and covers the exact attack they fell for, not phishing in general. The principle behind microlearning applies here: specific, short and glued to the mistake.

    It is worth being honest about what this stretch produces, because it is where most programs declare victory early. There is peer-reviewed evidence (Ho et al., IEEE S&P 2025; Lain et al., IEEE S&P 2022) that completing training does not on its own predict a reduction in real-world failures. Which means that on day 75 you do not have proof of anything yet. You have remediation delivered, which is necessary, but it is not evidence. The evidence arrives in the next stretch.

    Days 76 to 90: the retest and the first report the board understands

    A retest means putting the person who failed back under the same category and difficulty of attack three weeks later, with a different template and a different context. The distinction matters: resending the same simulation only proves they remembered that email. Changing the piece while keeping the instinct it exploits (authority, urgency, a financial pretext) proves whether they learned the lesson.

    That result is what turns the final stretch into a defensible report. The board does not need how many people completed a module; it needs to know how many of those who failed held their ground when the trap was set again, and which ones are still at elevated risk. That is the metric that survives the uncomfortable question in committee, and it sits one step above the click rate and the report rate, as we argue in report rate, click rate and retest.

    It is worth anchoring the economic argument with a sober number rather than a promise. The IBM Cost of a Data Breach 2025 report puts the global average cost of a data breach at 4.4 million dollars, a 9 percent drop from the previous year, driven by faster identification and containment. It is an honest data point in both directions: the cost fell, yes, but it fell precisely because of the same thing a human risk program accelerates, which is shortening the time between something happening and somebody noticing.

    Common mistakes that ruin the first 90 days

    Starting with content is the first mistake. Buying the course catalog and leaving exposure measurement for later inverts the order: a lot of material gets delivered before anyone knows which risk is being addressed.

    Treating the baseline as a verdict comes second. A high failure rate in the first simulation is not a problem with the program, it is its input. Cisco's 90-5-5 framework, which estimates that around 90 percent of breaches involve a human factor, describes a risk surface, not a list of culprits. People are the target of these attacks, not the weak link, and a program that opens by assigning blame loses voluntary reporting, the cheapest signal a company has.

    The announced drill is the third: warning the team that a campaign is coming lowers their anxiety and cancels the measurement at the same time.

    Promising a number at day 90 is the fourth mistake. A quarter is enough to complete one cycle (exposure, baseline, remediation and a first validation), not to declare a sustained reduction in risk. Promising an improvement figure in committee and failing to hold it in the second quarter costs more than being cautious up front.

    And fifth, leaving the program dependent on someone pushing it by hand every month. If sending the next simulation, assigning the microlearning and running the retest all require a person to remember, the program lasts exactly as long as that person's availability.

    Fensivo is built around this order. It continuously monitors whether employee credentials show up in breaches and fires off an action with a deadline, sends phishing simulations personalized by role and by the company's real context, delivers microlearning within minutes when someone falls, and validates weeks later through a retest that behavior actually changed. That is Human Risk Management (HRM) running as a closed loop, focused on companies of 25 to 500 employees. You can see how it applies to each scenario in use cases.

    If you were asked tomorrow to show how many of the people who failed your last drill held their ground when you tested them again, would you have the number, or would you have the course completion rate?

    Human risk is managed automatically.

    Turn human risk into your first line of defense.

    Book a demo

    Free demo · 30 minutes · No commitment