Strategy beats stunts. Human risk programmes that hold up.

Advisory for human cyber risk: programme design, governance, metrics, and the board-ready story behind them.

Advisory pillars

From scattered awareness to a real human risk programme

We translate human cyber risk into something you can plan, measure, and report. Roadmaps, governance, metrics, and stakeholder narratives, grounded in how attackers actually behave today.

Programme & roadmap

A multi-quarter human risk roadmap aligned to your threat model and business priorities. We sequence what to do, when, and why.

Governance & policy

Phishing, BEC, vishing, and trust-based attack policies. Roles, escalation paths, and response playbooks your teams will actually use.

Metrics & reporting

A measurable view of human risk: leading and lagging indicators, exposure, click and report rates, and board-ready summaries.

Stakeholder narratives

Plain-language briefings that connect human-layer risk to outcomes leaders care about: revenue, reputation, and regulator readiness.

A programme, not a campaign

Most awareness programmes fail because nothing changes after the click.

Tooling and content alone don't move human risk. Advisory work focuses on what actually changes attacker outcomes: control design, verification steps, ownership, and a programme that survives leadership turnover.

We pair this with hands-on assessment expertise so the strategy you adopt is grounded in evidence, not slideware.

What you get

  • 12-month human risk roadmap with quarterly milestones
  • Governance, policy, and incident-response artefacts
  • Metrics framework and board-ready reporting templates
  • Programme cadence: assess, remediate, retest, report
  • Workshops with security, IT, HR, and risk teams
  • Senior-led engagement; no wholesale handoff to juniors

How engagements run

Three ways we plug in

Most programmes start with a focused review and mature into a longer arrangement. Pick the entry point that fits your team today.

Human risk diagnostic

Rapid review of your current human risk posture: controls, training, metrics, and reporting. We hand back a prioritised action plan and a baseline you can defend to leadership.

Programme design

We design a 12-month human risk programme: threat model, roadmap, policy, metrics, governance, and the assessment cadence that proves it works.

Advisory retainer

Senior advisory time as your programme runs. Quarterly reviews, board updates, scenario rehearsals, and an honest second opinion when you need one.

Ready to give human risk a strategy?

Book a working session with a senior consultant. We'll listen first, then walk through what a 12-month advisory engagement could look like for your team.