Traditional security awareness training programs have perennially suffered from a proof problem. When are your employees capable enough when it comes to recognizing phishing campaigns? When are they no longer an easy target among many? Educators on the subject are now tasked with delivering measurable results and with informing workable workforce policies. KnowBe4 summarizes the effort to do exactly that under the banner of Human Risk Management (HRM), with the main goal of generating workforce trust. What exactly does that mean?
We discussed this shift from security awareness to HRM earlier this year. Awareness of cyber risks is not something that one instantly knows how to measure. Human risk, at least with respect to how KnowBe4 envisions it, should now appear on the radar with a defined score. There is an inbuilt vagueness to this shift, as much of the company’s offering and expertise remains in place. However, the emphasis is now on a more positive narrative around educating employees on cyber risks rather than simply limiting the failure rate among your workforce. Limiting that failure rate should, in turn, lead to greater freedom for employees as they meaningfully and measurably become safer digital denizens.
Less mechanical
Employees are now more attractive targets than vulnerabilities in software are. The problem, however, is that you cannot patch people. You cannot make them more secure by purely mechanical means. Block any inbound emails and you’re essentially locking yourself out of business opportunities. Be too liberal in your access and you end up having to rely on human assessments in treating potential cyber risks.
According to KnowBe4, one cannot even cross off a checklist listing all parameters that constitute overall risk. In other words, the company’s Risk Score (now in v2) is based on a formula whose inner workings even your KnowBe4 contact won’t be able to fully divulge. The rating you end up getting is highly dependent on the role of the employee in question. Moreover, it is constantly adapting. The score is therefore only somewhat comparable to a common yardstick for measuring risks: the CVSS score that accompanies a software vulnerability. Truthfully, however, the latter can also be interpreted in several ways and is anything but an objective measurement of actual threat levels. Even so, you need some kind of guidance – and people have now received one, too.

The Risk Score is based on behavioral science and dynamically determines which security training an employee needs and when it would be appropriate to provide it. KnowBe4 CEO Bryan Palma hopes that the score will be adopted as a kind of currency within the business world. He compares it to the universal FICO credit score that is wholly adopted in the United States. Regardless of which bank or other financial institution you talk to, a good FICO score is interpreted as a sign of being a reliable borrower. Miss your payments, and you’ll feel it in your credit rating. Similarly, a phishing mail compromise will hurt your Risk Score. The difference is that within the KnowBe4 platform, getting a low score is actually a good thing.
Palma indicates that at the average company, about 40 percent of the staff initially fails a phishing training course. After a year of KnowBe4 assistance, this drops to just 5-6 percent. The intention from that point on is to move from a position of concern and mistrust to one of trust and confidence toward your workforce.
Agentic interference
In an earlier conversation with Martin Kraemer, Security Awareness Advocate at KnowBe4, we understood that agentic AI is bringing about major changes within the KnowBe4 platform. CEO Palma’s language is even more ambitious. By Q2 2026, the solution is envisioned to be a “fully agentic platform.” This means that practically all possibilities within KnowBe4 can be executed by agents. In addition to AI Defense Agents (AIDA) that refine training per employee, an orchestration agent will also be introduced. The rollout of these agents will be gradual, not only because building them is a technical challenge for KnowBe4, but also because adoption among companies takes time. We are still in an experimental phase of agentic AI, Palma admits. Not every company is up to speed even with the concept of AI in production.

According to Gartner, agents themselves will be kept in line by so-called Guardian Agents. The latter group is expected to comprise around 10-15 percent of the total agent population. These enforcers should enable organizations to prevent their AI tooling from performing unwanted actions.
Javvad Malik, Lead CISO Advisor at KnowBe4, acknowledges that this is not just a task for agents themselves. European organizations are accustomed to privacy-sensitive data being used only to a limited extent. KnowBe4 agents can check employee emails for phishing links and data leaks, but this must be in accordance with your company policy. Malik does point out that personal data can be processed in local data centers, making it possible for many parties to enable agentic-driven protection.
Workforce trust will need adoption
As a true specialist, KnowBe4 is relatively early to embrace Human Risk Management. The company has devised a comprehensive strategy that responds to the rise of agentic AI. Useful additions paint the picture of a company that knows what its core competencies are, even if HRM sounds more all-conquering than security awareness. Perhaps the threat of generalists such as Microsoft providing similar tooling to what KnowBe4 offers (free of charge for anyone already on a 365 E5 tier) has propelled this change of tune. At any rate, Palma strongly emphasizes the need to focus on this one area, something Microsoft, with all its efforts spread across a tremendously large portfolio, won’t be able to accomplish.
We must note that the move towards trying to trust employees rather than fear the risks they pose isn’t easily accomplished. It ought to be time for the outside world to take that leap of faith, or at least make preparations to do so. Reports regularly highlight the security mistakes made by employees. Kaseya, for example, describes humans as ‘the weakest link’. It is far from the only one to do so. Meanwhile, pen tests are expensive, real phishing emails keep flooding in, and AI adoption is muddying the waters on the security front. The crucial thing, however, is that downtime is the biggest digital culprit of company losses. Practically all security players agree on this. But with that in mind, interpreting security awareness as a check-off task is dangerous. Such courses seem ineffective based on the ongoing compromises worldwide, yet we were rarely presented with a way of measuring their results. Quantifying success has historically proven difficult.
This explains why scores, in this case KnowBe4’s own Risk Score, define the step beyond security awareness. Measurable results are needed to demonstrate that KnowBe4’s offering can be the business enabler it has the potential to be. In addition, low risk scores can inspire confidence, especially when it becomes clear that the data legitimizes those scores. We will be keeping an eye on this in the coming years.