ResilienceIQ · Human Risk Tool
Quantify Your Human Risk Exposure
Quantify your organization's human risk exposure in 10 minutes. Score your security awareness program across 8 dimensions. Get a prioritized action plan to reduce human-caused risk.
ResilienceIQ Human Risk Scorecard
8 Dimensions
Phishing Simulations: 4
Role-Based Training: 4
Executive Awareness: 4
Social Engineering: 4
Behavioral Metrics: 1
Security Culture: 2
Incident Reporting: 1
AI Threat Readiness: 1
Total Score: 21 / 40 (At Risk Tier)

Microsoft Gold Partner
HIPAA Compliant Deployments
SOX / FFIEC Aligned
SOC 2 Practices
100+ Clients Managed
Why Human Risk Matters
95% of cybersecurity breaches involve a human element. Phishing, credential reuse, social engineering, misconfigurations, and insider threats all trace back to people. Yet most organizations measure security awareness with a single metric: annual training completion.
This scorecard changes that. In 10 minutes, you will assess your organization across 8 critical dimensions of human risk, generate a quantified score, and identify exactly where your security awareness program has gaps.
How to Use This Scorecard
01. Score each dimension: Use the maturity indicators provided. If you are between levels, round down.
02. Calculate your total: Add all 10 scores (range: 10 to 50). Record your total at the end of the assessment.
03. Check your tier: The interpretation guide maps your score to a maturity tier with specific implications.
04. Prioritize action: Focus on your lowest-scoring dimensions first. The 90-day roadmap provides a structured improvement path.
Scoring Scale
Five Maturity Levels, Clearly Defined
1. Non-Existent: No program or capability in place
2. Ad Hoc: Some effort exists but it is inconsistent and unstructured
3. Developing: A program exists but lacks maturity, measurement, or coverage
4. Established: Structured program with regular execution and basic measurement
5. Optimized: Mature, measured, continuously improving, and role-specific
5
Optimized
Continuous improvement via metrics and automation.
Compliance Readiness Assessment
Ten dimensions across three governance pillars. Score your current state honestly — that's the only way this assessment surfaces real risk.


RESULT
Scoring and Interpretation
Add your scores from all 8 dimensions. Your total will be between 8 and 40. Use the tier guide below to understand your organization's human risk exposure.
8-15: Critical. Significant human risk exposure.
Your organization has significant human risk exposure. Employees are highly vulnerable to phishing, social engineering, and AI-powered attacks. Immediate action is required to prevent a breach.
16-23: At Risk. Checks boxes without changing behavior.
Some security awareness efforts exist but they lack structure, role specificity, and measurable outcomes. Your program checks compliance boxes without changing behavior.
24-31: Developing. Covers the basics, lacks depth.
A reasonable foundation is in place. Your program covers the basics but lacks the depth, measurement, and cultural integration needed to meaningfully reduce human risk.
32-40: Strong. Mature, role-specific, measurably effective.
Your human risk management program is mature, role-specific, and measurably effective. Focus on continuous improvement, AI threat readiness, and champion program expansion.
90-Day Action Plan
Based on your lowest-scoring dimensions, prioritize the following actions over the next 90 days. The sequence matters — establish baselines before deploying improvements, measure before sustaining.
Phase 1 (Days 1–30): Establish Baselines
- Conduct a baseline phishing simulation across the entire organization to establish current click rates
- Document current training completion rates by department and role group
- Identify and catalog all current reporting mechanisms for suspicious activity
- Map your highest-risk role groups based on data access, financial authority, and external exposure
Phase 2 (Days 31–60): Deploy Targeted Improvements
- Launch role-specific training for your two highest-risk groups (typically executives and finance)
- Deploy a second phishing simulation with increased realism and role-specific scenarios
- Identify and recruit your first cohort of Security Champions from each department
- Implement or improve the suspicious activity reporting workflow with feedback loops
Phase 3 (Days 61–90): Measure and Sustain
- Compare Day 60 simulation results against your Day 1 baseline to measure improvement
- Build your behavioral metrics dashboard tracking click rates, report rates, and time-to-report
- Present first quarterly security culture report to leadership with data and trend analysis
- Document a 12-month training and simulation cadence plan to sustain momentum


Ready to Reduce Human Risk?
If your score is below 24, your workforce is your biggest vulnerability. Let us show you what a structured, measurable security awareness program looks like.


© 2026 X-Centric IT Solutions. All Rights Reserved
