CIS Controls v8: How the Four Pillars of Human Risk Intelligence Directly Map to the 18 CIS Controls

Published on June 25, 2026

Most security frameworks answer the question of what to protect. Human Risk Intelligence (HRI) answers the harder questions: who attackers are hunting, who will let them in, who is already exposed, and what damage they could do once inside. This is how those answers map directly onto CIS Controls v8.

CIS Controls v8, the Center for Internet Security's foundational framework for prioritized security action, organizes 18 safeguard controls around activities and outcomes. It is one of the most widely adopted security frameworks globally, referenced by regulators, auditors, and insurance underwriters as a benchmark for security maturity. What it does not do, by design, is tell you which specific people in your organization represent the highest concentration of human risk at any given moment.

That is precisely what HRI is built to do. HRI is the discipline of continuously profiling, measuring, and acting on the human risk present in an organization's workforce. It operates across four analytically distinct pillars: Target Value, Awareness, Hygiene, and Access. Each pillar answers a different question about human risk, and each maps directly onto a subset of the 18 CIS Controls in ways that transform compliance activity into genuine risk reduction.

This article walks through each pillar in depth, maps it to the specific CIS Controls it supports, and grounds every argument in incident data from 2024 and 2025.

Why the Human Layer Remains the Dominant Attack Vector

The Verizon Data Breach Investigations Report confirmed that 74% of all confirmed breaches involve a human element. That figure has remained stubbornly stable for a decade, a period during which organizations collectively spent hundreds of billions of dollars on technical security controls. This does not imply that technical controls are ineffective. It is that the attack surface they were designed to protect has shifted, and the dominant threat actors today are operating almost entirely through the human layer.

Phishing, business email compromise, credential stuffing, vishing, and social engineering do not require the attacker to find a vulnerability in your code. They require only that one employee, anywhere in the organization, behave in a predictable human way under pressure, time constraint, or deception. And the economics of that approach are increasingly favorable to the adversary: generative AI tools available in 2024 and 2025 allow attackers to produce highly personalized, linguistically convincing lure content at near-zero marginal cost.

How CIS Controls v8 Sets the Stage

CIS Controls v8, released in 2021, restructured the framework from 20 controls to 18 and introduced Implementation Groups (IG1, IG2, IG3) to help organizations prioritize based on their resources and risk profile. The framework is explicitly designed to be activity-based rather than technology-based, and many of its 18 controls have human dimensions that are central rather than incidental to their effectiveness.

Introducing the Four Pillars of HRI

The four HRI pillars provide the behavioral intelligence that makes CIS Controls operationally effective. What follows is a deep dive into each pillar, its specific risk dimensions, and the CIS Controls it most directly empowers.

HRI does not attempt to replicate what technical controls do. It provides the intelligence layer that answers the questions technical controls cannot: which people are high-value targets for adversaries, which people are likely to fail when a sophisticated attack lands, which people are technically easy to compromise, and which people's accounts would give an attacker the most destructive capability if taken over.

HRI Pillar One: Target Value (Understanding Who Attackers Are Hunting)

The first question that professional threat actors answer before launching any human-layer attack is: who is worth targeting? This is not a random process. Advanced persistent threat groups, ransomware affiliates, and business email compromise operators all conduct reconnaissance before they act. They are looking for individuals whose compromise would yield maximum value, whether financial, strategic, or operational.

Target Value is the HRI pillar that mirrors that adversarial thinking from the defender's perspective. It asks: Given what an attacker can learn about my workforce from public sources, internal data, and behavioral signals, which employees represent the highest-value targets?

The dimensions that constitute Target Value are precisely those that attackers prioritize.

  • Seniority matters because senior employees have authority to approve transactions and override controls.
  • Escalation influence and command influence matter because a compromised account that can instruct others multiplies the blast radius of a single successful attack.
  • Data access matters because it determines what an attacker can reach once inside an account.
  • Social presence and contactability matter because they determine how easily an employee can be researched and reached.
  • Risk awareness matters because it influences the likelihood that an employee will be susceptible to social engineering or insider threat scenarios.

Target Value and CIS Controls: The Mapping

CIS Control 1 (Inventory and Control of Enterprise Assets) connects to Target Value through the lens of access. An accurate asset inventory tells you which employees have access to which systems, which is foundational to understanding who represents a high-value target from a system access perspective.

CIS Control 3 (Data Protection) is directly informed by the data access dimension of Target Value. Knowing which employees have access to sensitive data is a prerequisite for both classifying risk and applying the data protection controls CIS 3 requires.

CIS Control 5 (Account Management) and CIS Control 6 (Access Control Management) are strengthened by Target Value analysis through the identification of which privileged accounts belong to the highest-value targets, the employees whose compromise would be most damaging and therefore most worth hardening.

CIS Control 14 (Security Awareness and Skills Training) benefits from Target Value profiling because it allows training programs to be differentiated by risk level. A CFO with high seniority, significant data access, and a strong social media presence requires a different and more intensive awareness program than a junior employee with limited system access and no public profile.

CIS Control 15 (Service Provider Management) has a Target Value dimension that is frequently overlooked. Third-party vendors whose staff have elevated access to the organization's environment represent high-value targets that sit outside the organization's direct control. Extending Target Value analysis to the third-party supply chain is one of the more advanced applications of this pillar.

Pillar Two: Awareness (Identifying Who Will Fail When the Attack Lands)

Target Value tells you who attackers are hunting. Awareness tells you who is likely to be caught. These are related but analytically distinct risks. A high-value target who has received targeted social engineering training and recently passed a sophisticated phishing simulation presents a materially different risk profile from a high-value target who has never completed an awareness module and whose phishing failure rate is above the organizational average.

The Awareness pillar looks at the current state of security awareness across the workforce through a set of measurable signals:

  • gap analysis (what knowledge is absent),
  • training coverage (who has been reached by the awareness program),
  • training completion and performance (who engaged and how well they did),
  • phishing coverage (who has been tested), and
  • phishing performance (who failed, how often, and in response to what kinds of lures).

The critical insight here is that awareness is not a binary state. An employee who completed training 18 months ago and has received no phishing simulation since is not "aware." They are a dormant risk. The Awareness pillar is designed to surface that distinction continuously, not through annual compliance tick boxes.

Awareness and CIS Controls

CIS Control 14 (Security Awareness and Skills Training) is the primary home of the Awareness pillar within the CIS framework. But the CIS guidance for Control 14 is more demanding than most organizations realize. It calls for training that is role-specific, measurable, and regularly updated to reflect the current threat landscape. A generic annual compliance module satisfies the letter of the control but almost none of its intent. The Awareness pillar provides the gap analysis, coverage measurement, and performance data that makes Control 14 genuinely effective.

CIS Control 9 (Email and Web Browser Protections) has a direct Awareness connection through phishing performance data. Awareness metrics, particularly phishing simulation performance, provide the data necessary to understand how effective that human defense layer actually is and where it needs to be strengthened.

CIS Control 16 (Application Software Security) benefits from awareness analysis in organizations with developer teams. Developer security culture, secure coding habits, and recognition of social engineering attacks targeting the software supply chain are all awareness dimensions that gap analysis surfaces. The 2024 attack on XZ Utils, a widely deployed compression library, involved social engineering of the open source maintainer over a period of months. Awareness of that attack vector would not have been captured by conventional phishing simulation.

CIS Control 17 (Incident Response Management) is strengthened by the Awareness pillar through measurement of the incident reporting culture. An organization with strong incident response procedures but a workforce that does not report suspicious activity has a gap that no technical control closes. Awareness metrics that include reporting behavior as a measured outcome, not just training completion, address this gap directly.

Pillar Three: Hygiene (Identifying Who Is Technically Easiest to Compromise)

Hygiene answers a third and equally important question: whose account can be technically compromised with the least effort?

The Hygiene pillar covers the technical security posture of individual user accounts and identity assets. It is distinct from Awareness in that it does not depend on behavior in the moment of an attack. Hygiene failures are latent vulnerabilities: a weak password set months ago, an MFA configuration never enabled, a dark web credential breach that has gone undetected, a dormant account from a departed employee that was never deprovisioned, an email forwarding rule set up by an attacker who has had silent access for weeks.

These are not hypothetical risks. According to the IBM Cost of a Data Breach Report 2024, stolen or compromised credentials were the most common initial attack vector, accounting for 16 percent of breaches and producing the longest average breach lifecycle, 292 days compared to the overall average of 194 days. The extra time is explained by the stealth of credential-based attacks: they look like legitimate user activity.

Hygiene and CIS Controls

CIS Control 5 (Account Management) is the CIS control most directly empowered by the Hygiene pillar. Dormant accounts, secondary email addresses used to bypass authentication, and accounts whose access policies have drifted from their original configuration are all hygiene signals that feed directly into the account management activities CIS 5 requires. Without hygiene monitoring, account management is reactive. With it, it becomes predictive.

CIS Control 4 (Secure Configuration of Enterprise Assets and Software) has a human hygiene dimension through the configuration of authentication settings. MFA enrollment rates, password policy compliance, and session token management are all configuration states that have a human driver. Users who have not enrolled in MFA or who have configured weak authentication settings represent a hygiene failure that sits at the intersection of CIS 4 and the Hygiene pillar.

CIS Control 6 (Access Control Management) is strengthened by Hygiene signals around access policies and dormant accounts. Privilege creep, the gradual accumulation of access rights beyond what is needed for a role, is one of the most common and most dangerous hygiene failures. CIS 6 requires periodic access reviews; Hygiene monitoring provides the continuous signal that makes those reviews genuinely risk-informed rather than procedurally routine.

CIS Control 7 (Continuous Vulnerability Management) has a hygiene connection through password weakness and credential exposure. A user whose credentials have appeared in a dark web dump is, in effect, a walking unpatched vulnerability. The Hygiene pillar surfaces that exposure through dark web monitoring and ensures that the account is treated with the same urgency as a critical CVE.

CIS Control 8 (Audit Log Management) is where hygiene signals like email forwarding rules and secondary email addresses become operationally significant. Attackers who have achieved persistent access to an account often set up forwarding rules to maintain visibility after their initial access vector is closed. Log management that is informed by hygiene baselines, knowing what a normal account configuration looks like, is far more effective at detecting these manipulation patterns.

CIS Control 12 (Network Infrastructure Management) has a human hygiene dimension that is easy to overlook when the control is framed primarily as a technical discipline. Network infrastructure does not misconfigure itself. Rogue wireless access points appear because an employee plugged in an unauthorized device. Network segmentation boundaries erode because an IT team member made an undocumented change under operational pressure. The Hygiene pillar surfaces these behaviors through the same identity-centric lens it applies to account and credential hygiene: which individuals have a pattern of introducing network-level risk, and which of their behaviors need to be addressed before they create a persistent opening in the network perimeter? Organizations that treat network hygiene as a purely technical problem and ignore the human behaviors driving it will find that their network management controls are perpetually undermined by the same handful of habitual workarounds.

CIS Control 13 (Network Monitoring and Defense) depends on the Hygiene pillar more deeply than most practitioners recognize, because effective anomaly detection requires a behavioral baseline, and that baseline is fundamentally a human construct. A network monitoring system that flags every deviation from generic expected behavior will produce noise volumes that overwhelm any security operations team. What makes network monitoring genuinely effective is the ability to detect deviations from what is normal for a specific user, on a specific device, at a specific time of day, accessing a specific set of systems. The Hygiene pillar provides exactly that individual-level behavioral context. When HRI signals flag that a particular user's credentials have been exposed on a dark web forum, or that their account configuration has recently changed in an anomalous way, network monitoring can be directed at that individual's traffic with proportionally higher sensitivity. The result is a detection capability that is both more precise and more timely than broad-sweep monitoring alone.
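As an added example (not code from the article or from any HRI product), here is a small detector that applies the hygiene-baseline idea behind Controls 8 and 13 to constructed mailbox-rule audit events: a new external forwarding target always alerts, and an account whose credentials HRI has flagged as exposed is evaluated at higher sensitivity, so even an internal forwarding change is surfaced. The event fields, the organization's domain, the baseline and the HRI flags are all assumptions constructed for the demo.

```python
"""Hygiene-informed audit-log detection (added example, not from the article).

Assumptions (constructed, not from the page): audit events are dicts with the
fields used below, BASELINE holds each account's known-good forwarding targets,
and HRI_FLAGS holds per-user Hygiene signals such as exposed credentials.
"""

ORG_DOMAINS = {"example.com"}  # constructed sample organization domain

# Constructed hygiene baseline: what a normal account configuration looks like.
BASELINE = {
    "alice@example.com": {"forward_to": {"alice.backup@example.com"}},
    "bob@example.com": {"forward_to": set()},
}

# Constructed HRI Hygiene signals: bob's credentials appeared in a credential dump.
HRI_FLAGS = {"bob@example.com": {"credentials_exposed"}}

# Constructed audit events in the style of a mailbox-rule audit trail.
EVENTS = [
    {"ts": "2025-03-01T08:02:11Z", "user": "alice@example.com",
     "op": "New-InboxRule", "forward_to": "alice.backup@example.com"},
    {"ts": "2025-03-01T03:14:55Z", "user": "alice@example.com",
     "op": "New-InboxRule", "forward_to": "collector@mail-drop.invalid"},
    {"ts": "2025-03-02T09:30:00Z", "user": "bob@example.com",
     "op": "Set-InboxRule", "forward_to": "helpdesk@example.com"},
    {"ts": "2025-03-02T09:31:00Z", "user": "carol@example.com",
     "op": "New-InboxRule", "forward_to": "carol@example.com"},
]


def is_external(address):
    """True when the address's domain is not one of the organization's domains."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def classify(event, baseline, hri_flags):
    """Return (severity, reason) for a suspicious rule change, or None if it matches baseline."""
    user, target = event["user"], event.get("forward_to")
    if not target:
        return None
    known = baseline.get(user, {}).get("forward_to", set())
    exposed = "credentials_exposed" in hri_flags.get(user, set())
    if target in known:
        return None  # documented, normal configuration for this account
    if is_external(target):
        # New external forwarding: the persistence pattern the Hygiene pillar is meant to catch.
        return ("high", "new external forwarding target")
    if exposed:
        # Internal forwarding is normally low-signal; an HRI exposure flag raises sensitivity.
        return ("medium", "new forwarding on account with exposed credentials")
    if user not in baseline:
        return ("low", "no hygiene baseline for account")
    return None


def detect(events, baseline=BASELINE, hri_flags=HRI_FLAGS):
    """Run classify() over events; returns a list of (user, severity, reason) tuples."""
    alerts = []
    for ev in events:
        verdict = classify(ev, baseline, hri_flags)
        if verdict:
            alerts.append((ev["user"], *verdict))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```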

Pillar Four: Access (Quantifying the Blast Radius of a Compromised Account)

The fourth HRI pillar completes the picture by answering the question that matters most to incident response, ransomware negotiators, and board members alike: if this account is compromised, how much damage can the attacker do?

Access is about the consequence of compromise. An attacker who takes over an account with admin roles across multiple cloud platforms, shadow admin rights that were never formally documented, membership in privileged security groups, and OAuth consents to a dozen third-party applications can do fundamentally different damage than an attacker who takes over an individual contributor's account with access to one project management tool.

The dimensions of the Access pillar map this blast radius in detail. Admin roles determine whether an account can modify other accounts, reset passwords, or disable security controls. Group memberships determine what data and systems the account can reach through inherited permissions. Application consents, ownership, and usage determine whether a compromised account can pivot to connected SaaS tools, exfiltrate data through authorized API integrations, or access customer data held by third-party platforms. And shadow admin is one of the most dangerous and least visible risks in this category: accounts that have been granted administrative capabilities through non-standard pathways that do not appear in formal RBAC documentation.
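To make the inherited-permission and shadow-admin dimensions concrete, here is an added example (not code from the article) that walks nested group membership and application-ownership grants to compute each account's admin-level blast radius, then flags accounts whose reach the formal RBAC record does not document. The directory data, group names and privilege names are constructed assumptions.

```python
"""Access-pillar blast-radius walk (added example, not from the article).

Assumptions (constructed, not from the page): the directory is modelled as
principal-to-group membership edges, group-to-privilege grants, and privileges
carried by applications a user owns. A shadow admin is an account whose
effective privileges include an admin-level capability that no formal RBAC
assignment explains.
"""
from collections import deque

# Constructed set of capabilities considered admin-level for blast-radius purposes.
ADMIN_PRIVS = {"reset_password", "manage_roles", "disable_mfa", "backup_admin"}

# Constructed sample directory: principal -> groups it is directly a member of.
MEMBER_OF = {
    "alice": {"Finance"},
    "bob": {"Helpdesk"},
    "carol": {"IT-Ops"},
    "dave": {"Finance"},
    "Helpdesk": {"Tier1"},       # nested groups: Helpdesk -> Tier1 -> Account-Ops
    "Tier1": {"Account-Ops"},
}
# Constructed: privileges each group confers.
GROUP_GRANTS = {
    "Finance": {"read:ledger"},
    "Account-Ops": {"reset_password"},      # powerful, and two hops away from bob
    "IT-Ops": {"manage_roles", "backup_admin"},
}
# Constructed: privileges carried by an application's consent, reachable by its owner.
APP_OWNER_GRANTS = {
    "dave": {"disable_mfa"},    # dave owns an app consented with a security-admin scope
}
DOCUMENTED_ADMINS = {"carol"}   # formal RBAC record of who is an admin


def effective_privileges(principal):
    """BFS over nested groups and app ownership; returns {privilege: path that grants it}."""
    privs = {}
    seen = {principal}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for priv in GROUP_GRANTS.get(node, set()) | APP_OWNER_GRANTS.get(node, set()):
            privs.setdefault(priv, path)   # keep the shortest path found first
        for group in MEMBER_OF.get(node, set()):
            if group not in seen:
                seen.add(group)
                queue.append((group, path + [group]))
    return privs


def blast_radius(principal):
    """Admin-level capabilities reachable from the account, with the path that grants each."""
    return {p: path for p, path in effective_privileges(principal).items() if p in ADMIN_PRIVS}


def shadow_admins(principals):
    """Accounts with admin-level reach that the formal RBAC record does not document."""
    return {p: blast_radius(p) for p in principals
            if blast_radius(p) and p not in DOCUMENTED_ADMINS}


if __name__ == "__main__":
    for user, reach in shadow_admins(["alice", "bob", "carol", "dave"]).items():
        print(user, reach)
```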

Access and CIS Controls

CIS Control 5 (Account Management) is the primary home of Access pillar concerns within the CIS framework. The account management activities that Control 5 requires, including deprovisioning, privileged account inventory, and use of dedicated admin accounts, are all directly informed by Access pillar analysis. Without a complete picture of who has admin rights, shadow admin capabilities, and group membership-derived permissions, account management activity is incomplete.

CIS Control 6 (Access Control Management) is the natural companion to Control 5 for the Access pillar. The principle of least privilege, which Control 6 enforces, is only operable if the current state of access is fully visible. Shadow admin rights and application OAuth consents are two of the most common ways in which privilege exceeds documented assignment, and both are core concerns of the Access pillar.

CIS Control 2 (Inventory and Control of Software Assets) connects to the Access pillar through application consents, ownership, and usage. Every OAuth consent granted by an employee to a third-party application represents an extension of that employee's access footprint into a system that may have its own security posture. A compromised account with extensive application consents is, in effect, a compromised account with access to every platform those consents touch.

CIS Control 10 (Malware Defenses) has an Access dimension in the context of ransomware. The destructive potential of a ransomware infection depends heavily on the access rights of the account under which it executes. An infostealer that harvests credentials from a shadow admin account creates a far more catastrophic ransomware scenario than one operating on a restricted user account. Access pillar analysis that identifies and remediates shadow admin rights directly reduces the worst-case ransomware impact.

CIS Control 11 (Data Recovery) and Control 18 (Penetration Testing) both benefit from Access analysis. Ransomware actors in 2024 routinely targeted backup systems before encrypting production data, a tactic that requires either admin access or the ability to escalate to it. Access pillar visibility into who has rights to backup infrastructure is foundational to the recovery assurance that Control 11 requires. And social engineering penetration tests, the human-layer component of Control 18, produce their most valuable findings when they target accounts identified by the Access pillar as having disproportionate blast radius.

The Unified View: Four Pillars Across 18 CIS Controls

Each of the four HRI pillars addresses a distinct dimension of human risk, and each maps to a defined set of CIS Controls. Together they provide complete coverage of the human attack surface.

The table below presents the complete mapping. Every one of the 18 CIS Controls carries a human risk dimension, and each is assigned to its primary HRI pillar alongside the specific human risk focus that dimension demands. Some controls appear across more than one pillar, reflecting the reality that the strongest security programs address human risk from multiple angles simultaneously rather than treating each control as a standalone obligation.

A Practical Implementation Path to Apply HRI to CIS Controls

Understanding the conceptual alignment between HRI pillars and CIS Controls is a foundation. Turning it into a security program requires sequencing. The following timeline reflects a practical approach to building HRI capability across the four pillars while simultaneously progressing through CIS Implementation Groups.

BASELINE ALL FOUR PILLARS SIMULTANEOUSLY

CIS IG1 foundation: Controls 1, 2, 5, 9, 14

Identify the highest-value individuals and roles in your organization. Deploy dark web monitoring to establish baseline Hygiene exposure. Run an initial phishing simulation for Awareness baseline. Audit admin roles and application OAuth consents for Access baseline. This gives you a starting human risk picture across all four dimensions before any remediation activity begins.

CLOSE THE HIGHEST-RISK GAPS

CIS IG2 expansion: Controls 4, 6, 7, 8, 12, 16, 17

Prioritize Hygiene remediation for accounts scoring highest on both Target Value and Hygiene risk: MFA enrollment, credential rotation for dark web-exposed accounts, and dormant account deprovisioning. Begin behavior-triggered Awareness training for employees who failed phishing simulations. Conduct shadow admin discovery and document Access blast radius for all privileged accounts. Integrate HRI signals with audit log management to establish behavioral anomaly baselines.

BUILD CONTINUOUS INTELLIGENCE LOOPS

CIS IG2/IG3: Controls 3, 10, 11, 13, 15, 18

Establish continuous HRI scoring with automated alerting for high-risk individuals. Extend Target Value analysis to third-party vendors with elevated access. Commission a social engineering penetration test specifically targeting accounts identified as high-risk by Access pillar analysis. Integrate HRI reporting with board-level governance. Map HRI trend data to CIS compliance documentation for audit readiness.

The Metrics That Actually Matter

HRI metrics provide a comprehensive picture for organizations to strengthen their human layer. The threat actors who target organizations in 2025 are not waiting for annual compliance reviews to identify their opportunities. They are conducting continuous reconnaissance, refining their target selection, and adapting their techniques to the specific human vulnerabilities present in the organizations they have chosen.

The only adequate response to that level of continuous adversarial intelligence is continuous defensive intelligence of the same quality. Want to learn more about HRI and how to turn human risk into organizational resilience? Explore the demo hub to see our security awareness solution and the wider human risk suite in action.
