Thea Mannix

Human Risk Management Has a Diagnosis Problem

Not every shift in a risk metric is a behaviour problem. Before you blame the driver, check the road. Separating environmental change from behavioural change is where meaningful human risk analysis begins.

Two fundamentally different things can move a risk metric. A person’s behaviour can change. Or the environment around them can change. These are not the same problem, and responding to one as though it were the other produces poor decisions.

Consider a car rolling downhill. The speedometer climbs, but the driver’s foot is not on the accelerator. Speed is increasing, but that is not a driving problem. It is a gradient problem. The right response is still to act: tell the driver to ease off, apply the brakes, adjust for the hill. But that is a very different conversation from accusing them of reckless driving. One is guidance. The other is accusation. Responding to the speed as though it were misconduct would be the wrong response to the wrong problem — and it would damage trust without addressing the actual cause.

The same logic applies to people. An employee flagging across multiple indicators this month may have started accessing unfamiliar systems, shifted communication patterns, or changed how they interact with data. Before drawing conclusions, it is worth establishing whether their role changed, whether they moved teams, or whether new responsibilities altered what they legitimately need to access. The response may still be needed — additional training, access review, a conversation about new systems — but it should be calibrated to what actually changed. Check the road before you blame the driver.

Environmental changes such as new systems, new pressures, or restructured responsibilities will move the metrics, but that movement reflects context, not necessarily behaviour. Behavioural change is different: the environment remains stable, but something in how a person operates has shifted. That distinction is where meaningful analysis begins.
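One way to make that distinction explicit in triage logic, as an added example that is not Praxis Navigator's code or method: a score shift is only called a shift when it clears the user's own baseline, then attributed to the environment when a context event from HR or IT records (role change, team move, new system) falls inside a lookback window, and to behaviour otherwise. User names, scores and events below are constructed for the example.

```python
"""Triage a risk-metric shift as environmental or behavioural (added example).

Assumes weekly per-user risk scores and a list of context events (role
change, team move, new system) exported from HR/IT records; all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class ContextEvent:
    user: str
    when: date
    kind: str  # e.g. "role_change", "team_move", "new_system"


def metric_shifted(scores, z=2.0, min_spread=1.0):
    """True if the latest score sits well above the baseline of earlier ones."""
    baseline, latest = scores[:-1], scores[-1]
    if len(baseline) < 3:
        return False  # too little history to call anything a shift
    spread = max(pstdev(baseline), min_spread)  # floor so flat baselines don't over-trigger
    return latest > mean(baseline) + z * spread


def triage_shift(user, readings, events, lookback_days=30):
    """Classify the latest reading for `user`.

    readings: list of (date, score), oldest first.
    Returns (verdict, evidence): 'none', 'environmental' (a context event
    landed inside the lookback window) or 'behavioural' (environment stable).
    """
    scores = [s for _, s in readings]
    if not metric_shifted(scores):
        return "none", []
    shift_date = readings[-1][0]
    context = [e for e in events
               if e.user == user and 0 <= (shift_date - e.when).days <= lookback_days]
    if context:
        return "environmental", [e.kind for e in context]  # check the road first
    return "behavioural", []


def week(n):
    """Constructed weekly timestamps starting 2024-01-01."""
    return date(2024, 1, 1) + timedelta(weeks=n)


# Constructed sample data: weekly scores, higher = more indicators firing.
READINGS = {
    "alice": [(week(i), s) for i, s in enumerate([2, 3, 2, 3, 2, 9])],
    "bob":   [(week(i), s) for i, s in enumerate([2, 3, 2, 3, 2, 9])],
    "carol": [(week(i), s) for i, s in enumerate([2, 3, 2, 3, 2, 3])],
}
EVENTS = [ContextEvent("alice", week(4), "team_move")]  # alice moved teams a week before the spike
```

Alice and Bob show the same jump; only Alice has a team move in the window, so her shift is routed to guidance and access review while Bob's is the one that warrants a behavioural look.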

Much of the industry has not yet built this separation into how it surfaces and reports risk. Metrics move; alerts fire; investigations follow — without a framework for understanding what kind of change actually occurred. Praxis Navigator is designed to support that distinction — not just whether risk moved, but what is driving the movement.
