
KnowBe4 evolves from security training to human risk management


Security awareness training has come a long way from its origins as a compliance checkbox. Today it is evolving into what is called human risk management (HRM). KnowBe4 is embedding behavioral science, real-time coaching, and artificial intelligence into its HRM platform.

These steps reflect a growing understanding in the cybersecurity world: technology alone isn’t enough. Employees remain the primary target of cyberattacks, so changing their behavior is key to reducing organizational risk. As Martin Kraemer, Security Awareness Advocate at KnowBe4, puts it in an interview with Techzine: “We were one of the first training providers to focus on behavior. It’s not just about awareness, it’s about action.”

From compliance to human risk management

The transformation begins with a fundamental rethinking of what security training should achieve. Traditional programs were designed to meet compliance requirements such as PCI DSS, HIPAA, or ISO standards. They often involved a single annual training session and a follow-up quiz. “If you actually train your employees once a year, that’s as good as not training them at all,” says Kraemer.

This outdated approach ignores what behavioral psychology has long recognized: people forget. The Ebbinghaus forgetting curve indicates that within 48 hours, most of us forget approximately 70% of newly learned information. Worse, there’s a persistent gap between what people know and how they act under pressure. “Just because someone understands that clicking suspicious links is risky doesn’t mean they won’t do it when stressed or distracted,” Kraemer explains.

That insight has driven KnowBe4’s evolution into what the industry increasingly calls a “human risk management” platform. In short, it is a system that doesn’t just train, but actively helps reduce risk by shaping behavior over time.

One of the most impactful developments in this shift is KnowBe4’s real-time coaching capability. Instead of delivering generic training at scheduled intervals, the platform uses events and incidents from an organization’s security stack to provide training interventions when a third-party tool detects a risky action. Whether an employee is clicking on a suspicious link, trying to upload a file to an unauthorized platform, or visiting a flagged website, the system delivers contextual guidance exactly when it’s needed.

Martin Kraemer, Security Awareness Advocate at KnowBe4

Kraemer explains that KnowBe4 provides personally customized and relevant coaching based on live behavior. This just-in-time training is made possible by connecting third-party security systems that organizations already have in place, e.g., to prevent accidental data sharing, malware attacks, or visits to insecure websites. These integrations allow KnowBe4 to react to risky behaviors and deliver feedback in context, reducing the likelihood of small mistakes turning into big incidents.

By expanding its ability to integrate with the broader cybersecurity stack, the platform can now sync with endpoint detection tools. This connectivity enables a dynamic feedback loop. When an employee triggers a technical alert, such as inadvertently trying to share sensitive information with an outside email address, the system responds by adjusting their risk profile and delivering targeted coaching. By linking human behavior to real-time technical events, KnowBe4 aims to create a comprehensive picture of an organization’s cyber risk, Kraemer explains. The tight integration helps security teams prioritize threats and reduce alert fatigue. It also shifts the focus from remediation to prevention, addressing risky behaviors before they escalate into breaches.

Meeting employees where they are

Human risk management also acknowledges that not all employees are the same. “You can’t treat a finance executive the same way as a warehouse worker when it comes to cybersecurity training,” Kraemer explains. People have different roles, responsibilities, and exposure levels. A one-size-fits-all approach just doesn’t work.

In one illustrative case, a warehouse employee repeatedly failed phishing simulations despite multiple rounds of training. The solution wasn’t more training. It was disabling links in emails entirely for that employee, whose role didn’t require clicking them. It’s a perfect example of combining people, processes, and technology to solve real-world security challenges pragmatically.

Effective human risk management allows for this kind of flexibility. Training campaigns can be customized by role, department, or even by previous simulation results. It’s about delivering the right content to the right person at the right time.

To further personalize training and improve policy compliance, KnowBe4 has embraced AI-driven capabilities. One innovation is the use of AI agents to generate tailored phishing simulations. These simulations adapt to industry context, job function, and geographic region to create more realistic and relevant training exercises.

Kraemer points out that there is way more use for AI in human risk management. “Does clicking ‘I have read and understood’ under a policy document mean the employee really understands it? Very likely they have not.” To address this, the platform now includes automated quiz generation based on uploaded policies. The AI reads the document, extracts key concepts, and formulates questions that test actual comprehension, not just acknowledgment.

Figure: KnowBe4’s HRM offerings: Security Awareness Training, Cloud Email Security, Anti-Phishing, Real-Time Coaching, Compliance Training, and AI Defense Agents.

Measuring what matters

Traditionally, success in security awareness programs was measured by superficial metrics such as how many people completed the training and what their quiz scores were. KnowBe4’s human risk management approach focuses on outcomes that matter, explains Kraemer. Most of the time, this is around behavior change and risk reduction. Behavioral metrics include click rates on phishing simulations, time to report suspicious activity, and adherence to security protocols. “The goal isn’t to check a box; it’s to see measurable improvements in security behavior over time,” says Kraemer.

This data-driven insight supports long-term program optimization. By continuously analyzing results, organizations can refine training content, adjust risk scoring, and identify departments or roles that may need additional support.

An AI-driven approach

Relying on over 15 years of data, including billions of phishing simulation outcomes, KnowBe4 is positioned to build individualized learning journeys. This experience is used to release a series of AI agents that enhance the training platform. “We have this huge amount of historical data, and that allows us, together with an understanding of what your organization looks like, to personalize the experience,” Kraemer says.

The platform integrates with Active Directory to map employee roles and responsibilities, enabling dynamic content delivery in 37 languages across more than 1,500 training modules. The AI also determines the optimal timing for delivery to maximize retention and engagement.

Another addition to the KnowBe4 platform is KnowBe4 Defend, which came to the platform through the acquisition of Egress. The system uses natural language processing to analyze behavioral patterns and communication relationships in order to detect sophisticated social engineering attempts. Kraemer explains the rationale for the acquisition: traditional email filters rely on static rules or known signatures, whereas KnowBe4 Defend assesses how users typically communicate and flags anomalies that could indicate a business email compromise (BEC) or supplier fraud attempt. This enables the detection of more severe types of attacks, such as BEC or supply chain attacks.

The capability is particularly valuable against polymorphic threats, where attackers use generative AI to create constantly evolving phishing messages. Because the system learns from behavioral baselines, it’s better equipped to catch these dynamic attacks.
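One way to make the behavioral-baseline idea concrete, as an added example that is not KnowBe4 Defend’s code: it learns, from constructed mail history for a hypothetical recipient alice@example.com, which display names map to which addresses, then flags a known display name arriving from a new address, a first-time sender, and a sender domain one edit away from a known supplier domain. All names, addresses and domains are constructed.

```python
from collections import defaultdict, namedtuple

# recipient, display name shown in the mail client, actual From: address
Message = namedtuple("Message", "recipient sender_name sender_addr")
# Constructed history: what "normal" mail to alice@example.com looks like.
HISTORY = [
    Message("alice@example.com", "Bob Supplier", "bob@acme-parts.com"),
    Message("alice@example.com", "Bob Supplier", "bob@acme-parts.com"),
    Message("alice@example.com", "Carol CFO", "carol@example.com"),
]

def build_baseline(history):
    """recipient -> display name -> addresses previously seen under that name."""
    baseline = defaultdict(lambda: defaultdict(set))
    for m in history:
        baseline[m.recipient][m.sender_name.lower()].add(m.sender_addr.lower())
    return baseline

def domain(addr):
    return addr.lower().rsplit("@", 1)[-1]

def lookalike(candidate, known):
    """True if candidate is one edit (substitute/insert/delete) from a known domain; a deliberate simplification, no homoglyph handling."""
    for k in known:
        if candidate == k:
            return False
        if len(candidate) == len(k) and sum(a != b for a, b in zip(candidate, k)) == 1:
            return True
        elif abs(len(candidate) - len(k)) == 1:
            short, long_ = sorted((candidate, k), key=len)
            # index of the first differing character (len(short) if short is a prefix)
            i = next((j for j, (a, b) in enumerate(zip(short, long_)) if a != b), len(short))
            if short[i:] == long_[i + 1:]:
                return True
    return False

def assess(msg, baseline):
    """Anomaly labels for a new message; an empty list means it matches the baseline."""
    findings = []
    contacts = baseline[msg.recipient]
    seen = contacts.get(msg.sender_name.lower(), set())
    addr = msg.sender_addr.lower()
    if not seen:
        findings.append("first_time_sender")
    elif addr not in seen:
        findings.append("display_name_address_mismatch")  # known name, new address
    known = {domain(a) for addrs in contacts.values() for a in addrs}
    if domain(addr) not in known and lookalike(domain(addr), known):
        findings.append("lookalike_domain")  # e.g. supplier domain with one letter changed
    return findings
```

A real deployment would feed these labels into the user's risk score and coaching rather than blocking on them alone, since first-time senders are common in legitimate mail.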

Framework for human risk management

KnowBe4’s platform now positions itself as more than just training; it’s a full human risk management system. It maintains risk scores for individual users and entire organizations across seven domains and over 100 indicators. These scores provide a quantitative view of human risk exposure and guide remediation efforts.

Organizations can also use built-in governance and maturity assessment tools to evaluate their current posture and plan future improvements. “Without actually creating an environment that is conducive to secure behavior, you will not succeed,” says Kraemer. It’s a reminder that culture, not tools alone, shapes the effectiveness of any security initiative. The platform’s holistic approach encompasses education, simulation, compliance, and real-time support, all designed to drive sustained behavioral change.

The urgency behind this evolution is clear, Kraemer notes. According to the latest Verizon Data Breach Investigations Report, human error is a contributing factor in roughly 68% of successful data breaches. Social engineering remains the leading tactic in these incidents, with employees often being the primary target. A human risk management platform can help protect against this prominent threat.
