The Name Matters. The Outcome Matters More
Secure behavior management; human risk management; human risk management metrics; security awareness metrics; security behavior and culture program (SBCP); what CISOs should measure; Gartner secure behavior management
By Ozan Ucar, Founder and CEO of Keepnet
In short: Gartner has moved the market language from “Human Risk Management” (HRM) toward “Secure Behavior Management” (SBM). The rename is the right direction, because employees are not risks and behavior is a better goal than risk reduction. But a new name does not fix a broken metric. Whether you call it HRM, SBM, or a Security Behavior and Culture Program (SBCP), the real failure is that most programs still measure participation (training completion, email click rate) instead of behavior outcomes (reported phishing, report speed, prevented incidents, cost avoided). The human element appeared in 62% of breaches in the 2026 Verizon DBIR, yet training completion is still one of the most commonly reported program metrics. Completion is not a security outcome.
Key Takeaways
- Gartner is right to move the market language from “Human Risk Management” toward “Secure Behavior Management.” Words shape culture, and you cannot win behavior change by calling your people a risk.
- But renaming the category is only the first step. A better label does not fix a broken metric.
- The real gap is measurement. Most programs still grade participation, completion rates and email click rates, instead of behavioral and business outcomes.
- The human element appeared in 62% of breaches in the 2026 Verizon DBIR, yet training completion is still one of the most commonly reported program metrics.
- The next frontier is multi-channel and hybrid: attackers already work across voice, SMS, QR and callback, and the workforce now includes AI agents. Our measurement has to follow them there.
A Naming Debate Worth Having
The best security leaders I speak with have already stopped celebrating completion rates. The conversation has changed. Instead of “almost everyone finished the training,” they ask whether people report a real phish faster than they did last quarter, whether risky actions are trending down, and what that is worth to the business. They are moving away from completion theater toward outcome-driven metrics they can defend in front of a board and align to business value. Most of the market has not made that move yet; the data still says completion is the headline metric. But the leaders setting the pace already have.
Boards do not ask about training completion rates. They ask whether the organization is safer this year than last, and what the program returns for the money. That gap, between the activity we report and the protection the business actually buys, is what this piece is about.
The industry can keep renaming the category, but the CISO still has to answer one question: are people behaving more securely, or are we just reporting better-looking activity?
Richard Addiscott’s recent Gartner note made a clear call: drop “Human Risk Management” as a market name, and ask the market for “Secure Behavior Management” instead. It sparked one of the most thoughtful threads our industry has had in a while.
I agree with the core of it. Words matter. You will struggle to win the hearts and minds of employees if you start by labeling them a risk to be managed. “Humans are the weakest link” did real damage to this field, and dressing it up as “human risk” does not undo that. Secure behavior is a better goal than risk reduction, because risk is a ceiling you push down, and behavior is something people can actually move.
So this is not a piece arguing against the rename. It is a piece arguing that the rename is the easy part.
What Is The Difference Between HRM And SBM?
For the CISOs asking the practical question: Human Risk Management (HRM) and Secure Behavior Management (SBM) describe the same market. Both cover SaaS platforms that raise security awareness, simulate threats, and drive employees toward more secure habits. The difference is framing. HRM frames the employee as a risk to be measured and reduced. SBM frames the goal as the secure behavior you want people to adopt. Gartner’s related framework language is the Security Behavior and Culture Program (SBCP). At Keepnet we use both HRM and Secure Behavior language, because the label was never the point. The point is whether behavior changes and exposure goes down.
What We Have Been Saying For Years
I will be honest about why this resonates with us. For years, the language at the center of Keepnet has been secure human behavior, security behavior and culture, and behavioral science applied at the moment of risk. That is also the language at the center of Gartner’s PIPE Framework and its Security Behavior and Culture Program model.
So in one sense, the industry is finally catching up with what behavioral science practitioners have been saying for a long time. That is a good thing. It means the category is maturing. But maturity is not a new acronym. Maturity is what you choose to measure.
How This Category Keeps Renaming Itself
Here is something worth noticing before we argue about the latest name. This market has changed its label roughly every time the buyer’s question changed. The name tracks the maturity of the question, not just marketing fashion.

Put the whole arc in one breath. In the early 2000s the question was “do we have an awareness and training program?” That gave us compliance-led security awareness. In the 2010s it became “can we deliver and track training at scale?” That gave us computer-based training. Phishing simulation changed it again to “can we test whether people click?” But click rate turned into another narrow proxy. By 2024 Forrester formalized the next question, “can we detect, quantify and reduce human risk?”, and named it Human Risk Management. Gartner’s 2026 move to Secure Behavior Management asks the better one: “can we help people, and now AI agents, behave securely, and prove the outcome?”
Notice the pattern. Every rename answered a sharper question, and every time the measurement quietly lagged the label. That is the part worth fixing.
The category evolved faster than the metrics.
The Measurement Gap Most Programs Skip
Read the strongest analyst writing on this space, including this latest note, and you will see awareness, culture, behavior and scoring discussed in depth. What you will rarely see named is the thing that actually tells a CISO whether any of it worked:
- reported phishing emails
- dwell time before reporting
- prevented incidents
- cost avoided
- measurable behavior change over time
This is the gap. Whether you call your program HRM, SBM, or SBCP, it does not matter if you are still reporting that 94% of employees completed their annual training. Completion rates look fine right up until an employee approves a fake invoice, shares a verification code over WhatsApp, or acts on a deepfake voice callback.
Completion rate is a comforting metric. It is not a security outcome.

The data backs this up. The human element appeared in 62% of breaches in the 2026 Verizon Data Breach Investigations Report. Yet 84% of security leaders still report training completion as one of their top program metrics, according to Gartner’s 2025 Secure Behavior Strategies Survey (Gartner, G00840741, n=65). Those two numbers do not belong in the same program. One describes how attackers actually get in. The other describes how busy we look.
It gets sharper. In the same Gartner research, 41% of employees admit they have bypassed security guidance, and 61% of them knew it raised risk when they did it. That is not an awareness problem. People are aware. It is a behavior and decision problem, and you cannot see it in a completion dashboard.
What Security Awareness Metrics Should CISOs Measure?
Here is the shift, in plain terms: stop grading participation, start grading outcomes.
| What most programs measure (participation) | What CISOs should measure (outcomes) |
|---|---|
| Training completion rate | Reported phishing rate and report speed (dwell time) |
| Simulation click rate, email only | Risky-action rate across email, voice, SMS, QR and callback |
| Courses assigned | Prevented incidents and cost avoided |
| Awareness scores at a point in time | Behavior change sustained over time |
| Activity (we delivered training) | Exposure reduction (we reduced risk) |
The left column tells you the program ran. The right column tells you the organization is safer. The naming debate lives entirely in the world of the left column. The value lives in the right.
Let me put it plainly. If a security awareness program cannot show fewer incidents, faster reporting, or measurable risk reduction, it is not a security program. It is an education program. Both have value. Only one belongs in a risk conversation with your board.
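As an added example (not from the original post and not Keepnet's code), here is how the right-hand column of the table could be computed from constructed multi-channel simulation events: per-channel risky-action rate, report rate and median dwell time before reporting, plus a volume-weighted headline figure. The event shape, field names and sample values are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

@dataclass
class SimEvent:
    channel: str                     # "email", "voice", "sms", "qr" or "callback"
    delivered: datetime              # when the simulated lure reached the person
    acted: bool                      # clicked, shared a code, called back, scanned
    reported_at: Optional[datetime]  # when they reported it, None if never

def outcome_metrics(events: List[SimEvent]) -> Dict[str, dict]:
    """Per-channel outcomes: risky-action rate, report rate, median dwell in minutes."""
    by_channel: Dict[str, List[SimEvent]] = defaultdict(list)
    for e in events:
        by_channel[e.channel].append(e)
    out = {}
    for ch, evs in by_channel.items():
        # A report still counts after a risky action: the person who clicked
        # and then reported shortened the window the attacker had.
        reported = [e for e in evs if e.reported_at is not None]
        dwell = [(e.reported_at - e.delivered).total_seconds() / 60 for e in reported]
        acted = sum(e.acted for e in evs)
        out[ch] = {
            "sent": len(evs), "acted": acted, "reported": len(reported),
            "risky_action_rate": round(acted / len(evs), 3),
            "report_rate": round(len(reported) / len(evs), 3),
            "median_dwell_min": round(median(dwell), 1) if dwell else None,
        }
    return out

def headline(metrics: Dict[str, dict]) -> dict:
    """Organization-wide rates weighted by volume, so a small channel cannot skew them."""
    sent = sum(m["sent"] for m in metrics.values())
    return {"risky_action_rate": round(sum(m["acted"] for m in metrics.values()) / sent, 3),
            "report_rate": round(sum(m["reported"] for m in metrics.values()) / sent, 3)}

def ev(channel: str, acted: bool, report_min: Optional[int] = None) -> SimEvent:
    at = T0 + timedelta(minutes=report_min) if report_min is not None else None
    return SimEvent(channel, T0, acted, at)

T0 = datetime(2026, 3, 2, 9, 0)  # constructed delivery time shared by every lure
EVENTS = [  # constructed sample campaign, not real telemetry
    ev("email", False, 4), ev("email", False, 9), ev("email", False, 22),
    ev("email", True), ev("email", False), ev("email", False, 47),
    ev("voice", True), ev("voice", True, 30), ev("voice", False), ev("voice", False, 12),
    ev("sms", False), ev("sms", True), ev("sms", False, 3),
]
```

Run `outcome_metrics(EVENTS)` quarter over quarter and the trend in report rate and dwell time, not the completion rate, is what the board conversation should rest on.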
Human Risk Is Now A Multi-Channel Problem
There is a second reason participation metrics fail, and it is one few are talking about. Almost all of them are measured on a single channel: email.
Attackers stopped being email-only a long time ago. They call. They text. They drop a QR code on a parking meter. They use an AI-generated voice on a callback. The 2026 Verizon DBIR puts the median click rate on email simulations at about 1.4% and on phone-centric ones at about 2%, which makes phone failure roughly 40% higher (Verizon, 2026 DBIR, p. 50), and most awareness programs are still grading on email alone. We are measuring the channel that is easiest to measure, not the channels attackers actually use.
AI widens this gap fast. AI-automated phishing drove a 54% click-through rate against 12% for standard phishing, about 4.5 times higher (Microsoft Digital Defense Report 2025, Microsoft Incident Response / Defender telemetry dataset, not a global breach census). That is one vendor’s telemetry, not a population-wide rate, but the direction is hard to miss. Whatever we name the category, a program that scores email click rate once a quarter is not seeing the attack surface.
Where This Goes Next: Human And AI Agent Behavior

The most forward-looking part of the Gartner note is the part about AI agents. The workforce is no longer only human. Organizations are starting to run AI agents alongside employees, and the 2026 Verizon DBIR already found non-corporate generative AI tool use on 67% of corporate devices (Verizon, 2026 DBIR, p. 12). Those agents take actions, hold access, and can be manipulated.
This is exactly where a behavior-first frame beats a risk-first one. You can extend “secure behavior” to cover both human employees and AI agents acting on their behalf, measured in one place. It is much harder to do that under a label that only ever meant people. So I think Richard is right about the direction. I would just push it one step further: the unit of measurement should be the behavior and its outcome, whether the actor is a person or an agent.
What Should A CISO Do On Monday?
Three practical moves, none of which require waiting for the industry to agree on a name:
- Retire completion rate as a headline metric. Keep it for compliance, but lead with reported phishing rate, report speed, and risky-action rate.
- Measure beyond email. If your program cannot tell you how people behave on voice, SMS, QR and callback, you are reporting a fraction of your real exposure.
- Tie behavior to business outcomes. Prevented incidents and cost avoided are the numbers your board understands, and they are the numbers that justify the program.
What The Winning Platforms Will Do
The platforms that succeed in this model will look different from the ones built to report completion. They will run simulations across every channel attackers use (email, voice, SMS, QR and callback), not email alone. They will intervene in real time, at the moment of risk, instead of once a year. And they will report in the language of outcomes: fewer risky actions, faster reporting, exposure that is provably lower.
This is the model we have been building toward at Keepnet: multi-channel simulation across email, voice, SMS, QR and callback, coaching at the moment of risk, and behavior-level reporting in one place. It is also the bar I would hold any vendor in this space to, including us.
The Bottom Line
Richard is right that words matter, and “Secure Behavior Management” is a healthier name than “Human Risk Management.” But a name is where this conversation starts, not where it ends. Employees are not risks. Their decisions are signals. If we keep measuring participation instead of outcomes, we will simply have a better-named program that still cannot tell us whether anyone is safer.
The name matters. The outcome matters more. Let’s keep the conversation going.
About the author: Ozan Ucar is the Founder and CEO of Keepnet, a platform for human risk management and secure behavior across email, voice, SMS, QR and callback channels.
Sources
- Verizon, 2026 Data Breach Investigations Report (p. 12, p. 50).
- Gartner, “6 Ways to Transform Your Cybersecurity Awareness Program” (G00840741, March 2026); 2025 Secure Behavior Strategies Survey (n=65).
- Gartner (G00840742, February 2026), employee survey (n=175).
- Microsoft Digital Defense Report 2025 (Microsoft Incident Response / Defender dataset, not a global breach census).
- Gartner Analyst Take, “Why It’s Time to Drop Human Risk Management as a Market Name” (G00853891, April 2026).
- Category evolution:
  - NIST SP 800-50, “Building an Information Technology Security Awareness and Training Program” (October 2003).
  - Gartner Magic Quadrant for Security Awareness Computer-Based Training (2019 edition, July 2019).
  - Gartner Market Guide for Security Awareness Computer-Based Training (July 2020).
  - Proofpoint, “Proofpoint to Acquire Wombat Security Technologies” (February 2018).
  - Gartner Innovation Insight for Security Behavior and Culture Program Capabilities (G00776704, November 2022).
  - Forrester, “The Future Is Now: Introducing Human Risk Management,” Jinan Budge (February 2024).