Introducing The Human Threat Map: A Tool for Mapping and Defending the Human Perimeter
TLDR
The cyber security perimeter has evolved many times over the years, and it has now shifted once again. We have reached an era where defence is no longer just about protecting our networks, endpoints, cloud systems or SaaS applications, but about protecting our people. Attackers now target employees directly, relying on their ability to exploit human behaviour to gain access rather than on technical vulnerabilities.
To help organisations understand and contextualise how human behaviours create risks and enable threats, we have released our Human Threat Map to the public. This tool will serve as a reliable resource to help security teams build effective detections, mitigations, and interventions that defend our human perimeter.
Explore it here: www.humanthreatmap.com
Times They Are A-Changin’
It’s 2025 and, despite many years of continued investment in security awareness training, human error remains a dominant weakness in cyber security. The 2024 Verizon DBIR report revealed that 68% of breaches still involve human mistakes. While training efforts over the years have improved general user awareness, cyber-attacks like phishing, social engineering, and AI-powered deception continue to evolve much faster than our users can adapt.
Furthermore, the 2025 Crowdstrike Global Threat Report found that 79% of detected attacks in 2024 were malware-free, indicating an increasing reliance on user manipulation, credential theft, and direct system manipulation over traditional malware attacks.
To understand why traditional defences are struggling and how we should adapt, we need to examine how both attack and defence strategies have evolved over time:
~1990s - Secure the Network Perimeter
A Castle-and-Moat model was adopted where we focused on protecting our network and trusting everything inside. However, attackers adapted and started to focus on phishing, vulnerability exploitation, and exposed resources to get through the perimeter.
~2000s – Secure the Perimeter and Endpoints
As attackers shifted their focus to our endpoints, we adopted endpoint protection solutions such as Antivirus (AV), Intrusion Detection Systems (IDS), and early endpoint security tools. Phishing was a primary attack vector, which led to an increased need for security awareness training.
~2010s – Secure the Endpoints and User Identity
Endpoint Detection and Response (EDR) improved, and attackers pivoted from malware execution to credential theft and identity compromise. In response, defence shifted toward identity protection, Privileged Access Management (PAM), and Multi-Factor Authentication (MFA). The concept of Zero Trust gained traction and awareness training reached its peak, attempting to equip users with the knowledge to recognise and respond to evolving threats.
~2020s – Secure the Users
The post-COVID remote work shift and AI boom introduced new risks. Employees, now working from home on personal devices in less-secure environments, gained a false sense of security and became the prime target for behavioural exploitation and AI-driven deception. Deepfake phishing, automated social engineering, and AI-powered attacks became even more sophisticated. This rendered traditional security awareness training ineffective, as users simply could not, and cannot, detect or defend against every new threat variation that emerges.
The Human Perimeter
Threat actors have continued to adapt to the various security perimeters we’ve defined and spent years reinforcing. Now, attackers will increasingly attempt to bypass network defences, endpoint protections, and even identity safeguards by going directly after the human element at the forefront of it all.
AI-powered phishing, deepfake social engineering, and behavioural manipulation tactics will make it nearly impossible for users to recognise or stop every attack. In response, security must evolve once more, moving beyond training and toward proactive Human Risk Management (HRM).
HRM is not about increasing training or phishing simulations. Instead, it is about building an intelligent, adaptive shield around employees that automatically detects risks and intervenes in real-time, preventing attacks before they succeed. Because, at the end of the day, we cannot expect employees to recognise all the Tactics, Techniques, and Procedures (TTPs) that threat actors may use against them. And if they could, well, they should probably get a job in cyber security!
Security cannot be the employee’s responsibility. The responsibility to protect our employees is ours, our security teams, our security partners, and our security solutions. This is where the Human Threat Map comes in. It provides organisations with a clear view of human-centric cyber threats, helping understand the risks and build effective real-time defences and interventions to protect our employees from attacks they can’t see coming.
CultureAI’s Human Threat Map
The Human Threat Map (HTM) is a resource we are releasing to help organisations understand and mitigate human-centric cyber security risks enabled by human behaviours. The intention behind this framework is to help security teams:
Identify threats: List and understand relevant human-centric threats.
Understand behaviours: Analyse risky user behaviours that enable these threats.
Deploy interventions: Proactively intervene to prevent threats from becoming breaches.
The map currently documents over 80 types of threats and over 100 types of user behaviours, each providing a specific opportunity to consider and deploy interventions.
The Human Threat Map can be accessed at: www.humanthreatmap.com
How the Human Threat Map is Organised
When accessed for the first time, the map will organise threats into a MITRE-esque layout. This is broken into nine categories that the industry is already familiar with: Recon, Initial Access, Persistence, Defence Evasion, Credential Access, Discovery, Collection, and Impact.
When navigating them, each of these categories can be expanded to show their respective threats:
The map layout can also be changed to organise threats into multiple specific security domains: Identity, MFA, Phishing, Data Security, Endpoint Security, SaaS, MDM, Hardware Management, Artificial Intelligence, Encryption, and Instant Messaging.
This view will help teams focus on the threats that are relevant to their responsibilities, while also illustrating the complexity of human risk management, highlighting why training alone cannot be relied on to protect our employees, systems, and resources.
Expanding an Individual Threat
Information regarding each threat can be found by selecting the threat tile, expanding it to display:
A brief description of the threat.
A number of high-level examples to contextualise it.
A listing of relevant human behaviours/risks that enable the threat.
References to real world incidents involving the threat for further contextualisation.
This structure makes the HTM more than just a knowledge base: it becomes a practical tool for security teams to develop targeted defences.
A Framework for People, not Systems
“How is this different from existing frameworks like MITRE ATT&CK?” – I hear some of you asking.
The Human Threat Map is not intended to replace or compete with existing frameworks such as MITRE ATT&CK, ATLAS, or the Push SaaS Attack Matrix. Instead, it is intended to complement them, with each framework serving a distinct purpose and addressing its own specific set of challenges.
MITRE ATT&CK helps you defend against traditional threat actors using well-known technical tradecraft and supports the implementation of conventional detection and response controls. ATLAS is ideal for understanding how attackers target and exploit AI technologies. The Push SaaS Attack Matrix is great if your focus is on identity-based threats and protecting SaaS environments.
The Human Threat Map is designed to focus purely on threats that succeed through human decision-making, enabling the creation and deployment of interventions triggered by these decisions, shifting defensive thinking as close to the user as possible.
This is intended to support teams adopting proactive Human Risk Management (HRM) strategies and looking to build defences at the human layer. This is where behaviour-based interventions can trigger and prevent risky employee behaviours from escalating active threats into active breaches, the point at which more traditional detections, controls, and services need to step in.
Using the HTM to Introduce New Defences:
Let’s consider how the Human Threat Map (HTM) could be used in practice, using a hypothetical breach scenario. This will illustrate how Human Threat Mapping enables security teams to identify, analyse, and mitigate human-centric cyber threats.
The Attack Scenario
An organisation suffers a security compromise in which attackers carry out the following key actions:
The attackers conducted open-source intelligence (OSINT) by scraping social media platforms to identify key employees within the organisation, creating a list of known developers.
After gathering intelligence on employees and the SaaS platforms used by the company, the attackers created a poisoned SaaS tenant. Using this they sent legitimate invitation requests to the identified developers by leveraging the SaaS platform’s built-in invitation functionality, bypassing phishing controls and email filters.
Once a developer accepted the invitation, they were redirected to a phishing page disguised as a Single Sign-On (SSO) portal. This was achieved using SAMLjacking, compromising developer credentials.
The attackers then launched an MFA Fatigue attack (also known as MFA bombing or MFA spamming), repeatedly prompting the victim for authentication approval until they eventually accepted, bypassing MFA.
Once inside the environment, the attackers scraped the internal Slack instance and company emails for valuable information, collecting sensitive data.
The stolen data was then exfiltrated and leaked online, harming the organisation’s reputation.
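The MFA Fatigue stage of this scenario is one of the few that leaves a clean signal in telemetry: a dense run of push prompts, mostly denied, ending in an approval. The following detector is an added example written for this post, not CultureAI's code; the log format, event names and thresholds are assumptions for illustration, and the log lines are constructed.

```python
"""Detection logic for the MFA Fatigue stage of the scenario above.

Added example (not CultureAI's code): flags a user who receives an
unusually dense run of MFA push prompts, and records whether the run
ended in an approval. Log format, event names and thresholds are
assumptions for this example, not a real product's telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO-8601 timestamp> <user> <event>".
# alice is pushed seven times in three minutes and finally approves;
# bob receives a single prompt and approves it (a normal login).
SAMPLE_LOGS = """\
2025-03-04T09:00:00Z alice mfa_push_sent
2025-03-04T09:00:15Z alice mfa_push_denied
2025-03-04T09:00:30Z alice mfa_push_sent
2025-03-04T09:00:45Z alice mfa_push_denied
2025-03-04T09:01:00Z alice mfa_push_sent
2025-03-04T09:01:10Z alice mfa_push_denied
2025-03-04T09:01:30Z alice mfa_push_sent
2025-03-04T09:01:40Z alice mfa_push_denied
2025-03-04T09:02:00Z alice mfa_push_sent
2025-03-04T09:02:10Z alice mfa_push_denied
2025-03-04T09:02:30Z alice mfa_push_sent
2025-03-04T09:02:40Z alice mfa_push_denied
2025-03-04T09:03:00Z alice mfa_push_sent
2025-03-04T09:03:20Z alice mfa_push_approved
2025-03-04T09:05:00Z bob mfa_push_sent
2025-03-04T09:05:10Z bob mfa_push_approved
"""

PROMPT_THRESHOLD = 5            # prompts inside WINDOW that open a finding (assumed tuning)
WINDOW = timedelta(minutes=10)  # sliding window over prompt timestamps (assumed tuning)


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event


def detect_mfa_fatigue(lines, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one finding per burst of prompts that reaches `threshold` within `window`.

    A finding records the user, when the burst started, how many prompts it
    contained, and whether the user approved a prompt while the burst was
    still open (the outcome an MFA Fatigue attack is after).
    """
    records = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    open_finding = {}             # user -> finding currently being extended
    findings = []

    for ts, user, event in records:
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts that fell out of the window
                q.popleft()
            if user in open_finding:
                open_finding[user]["prompts"] += 1
            elif len(q) >= threshold:
                finding = {"user": user, "first_prompt": q[0].isoformat(),
                           "prompts": len(q), "approved_after": False}
                open_finding[user] = finding
                findings.append(finding)
        elif event == "mfa_push_approved" and user in open_finding:
            # The burst ended with an approval: the likely point of compromise.
            open_finding.pop(user)["approved_after"] = True
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_LOGS.splitlines()):
        print(f)
```

A finding with `approved_after` set is the case that warrants an immediate intervention (session revocation, a nudge to the user, a password reset); a finding without it still shows that someone holds a valid password for that account, which is the SAMLjacking stage of the same scenario and deserves its own follow-up.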
Using the Human Threat Map to Mitigate Attacks:
With an example breach in mind, we can examine how the HTM can be used to understand and defend against such attacks. For each threat, as a security team we want to understand how the attack was executed, what vulnerabilities it exploited, and analyse relevant behaviours to identify user actions that contributed to its success.
To then mitigate these threats and risks, Human Risk Management (HRM) requires proactive interventions rather than reactive measures. This can take many forms, including:
Fixing or undoing the user’s action in the moment.
Nudging the user, providing them with context and awareness of what is happening.
Automatically making changes and adapting to the active threat.
Providing just-in-time coaching to conveniently increase awareness.
Blocking the behaviour in its tracks before the attack can even be facilitated.
Step 1: Identify Known Threats
The first step in Human Threat Mapping is to identify and analyse the threats that were exploited or that may be involved in a future attack. Using the Human Threat Map, we can systematically trace each phase of the incident back to its corresponding threat category. This allows security teams to:
Understand where each action sits within the overall attack lifecycle.
Contextualise the threat with real-world examples.
Access references and further research to deepen their understanding.
This structured approach ensures that threats are not only recognised but fully understood in the context of how attackers operate and what human behaviours they exploit.
Step 2: Understand Risky Human Behaviours
Once the threat itself is understood, next we can analyse the behaviours that enabled it. The HTM facilitates this as every threat is linked to multiple behaviours/risks, each representing an opportunity to intervene before an attack succeeds.
When considering the Tenant Poisoning aspect of the attack scenario, the HTM shows that one of the enabling human risks for this threat is employees joining new SaaS tenants. This is a common action, particularly for new employees who are in the middle of their onboarding process within an organisation.
By recognising this as a high-risk behaviour, security teams can target it with proactive interventions rather than relying solely on post-incident responses or traditional phishing defences.
Step 3: Develop and Deploy Interventions
Once a relevant risk behaviour is identified, automated interventions can be deployed via a Human Risk Management platform, like CultureAI. These interventions can be tailored based on audience, triggers, and specific risk scenarios.
In terms of interventions related to the joining of new SaaS tenants, there are multiple approaches that can be taken:
Fix: Automatically remove the user from any unauthorised SaaS tenant they have joined.
Nudge: Display a real-time warning when an invitation is received, informing the user that the tenant is unrecognised and advising them to ignore it.
Adapt: Implement a policy change that prevents users from linking their accounts to unapproved tenants altogether.
Coach: Deliver just-in-time security training, educating users about poisoned tenant attacks when they engage in risky behaviours.
Block: Prevent the user from accepting the invitation altogether, stopping the attack in its tracks at the earliest stage.
To maximise effectiveness, these interventions should not be deployed in isolation but rather combined into playbooks that automatically trigger in response to specific behaviours and scenarios. For example, interventions can be customised for different teams or employee risk profiles, activated by specific events such as users receiving or clicking on SaaS tenant invitations, and dynamically updated based on risk appetite, user behaviour patterns, and the frequency of occurrences.
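The playbook idea above is easiest to see as code: a behaviour event (a user receiving, clicking or accepting an invitation to a SaaS tenant) goes in, and the Fix, Nudge, Adapt, Coach and Block interventions to run come out, varying with the user's team risk profile and how often the behaviour has recurred. The following is an added example written for this post, not CultureAI's platform code; the event fields, the approved-tenant list, the team risk profiles and the escalation counts are all assumptions made for illustration.

```python
"""Intervention playbook for SaaS tenant invitations.

Added example (not CultureAI's platform code): turns a behaviour event into
the Fix / Nudge / Adapt / Coach / Block interventions listed above. Event
fields, the approved-tenant list, team risk profiles and the escalation
counts are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Intervention(Enum):
    FIX = 1     # undo the action: remove the user from the tenant
    NUDGE = 2   # real-time warning that the tenant is unrecognised
    ADAPT = 3   # policy change: stop linking accounts to unapproved tenants
    COACH = 4   # just-in-time training on poisoned tenants
    BLOCK = 5   # stop the invitation from being accepted


@dataclass(frozen=True)
class InviteEvent:
    user: str
    team: str
    tenant: str
    action: str   # "received" | "clicked" | "accepted"


class TenantInvitePlaybook:
    """Maps invitation events to interventions, escalating with repeat occurrences."""

    def __init__(self, approved_tenants, high_risk_teams, coach_after=2, adapt_after=3):
        self.approved = set(approved_tenants)
        self.high_risk = set(high_risk_teams)
        self.coach_after = coach_after    # nth unrecognised invite that triggers coaching
        self.adapt_after = adapt_after    # nth unrecognised invite that triggers a policy change
        self.seen = Counter()             # user -> unrecognised-tenant events so far

    def decide(self, event):
        """Return the interventions to run for `event`, in the order the map lists them."""
        if event.tenant in self.approved:
            return []                     # legitimate tenant: nothing to do
        self.seen[event.user] += 1
        chosen = set()
        if event.action == "received":
            chosen.add(Intervention.NUDGE)
            if event.team in self.high_risk:
                chosen.add(Intervention.BLOCK)   # no second chance for high-value targets
        elif event.action == "clicked":
            chosen.add(Intervention.BLOCK)
        elif event.action == "accepted":
            chosen.update({Intervention.FIX, Intervention.COACH})
        else:
            raise ValueError(f"unknown action {event.action!r}")
        # Frequency-based escalation across the user's history.
        if self.seen[event.user] >= self.coach_after:
            chosen.add(Intervention.COACH)
        if self.seen[event.user] >= self.adapt_after:
            chosen.add(Intervention.ADAPT)
        return sorted(chosen, key=lambda i: i.value)


def run_scenario(playbook, events):
    """Apply the playbook to a sequence of events; returns intervention names per event."""
    return [[i.name for i in playbook.decide(e)] for e in events]


# Constructed events: two approved corporate tenants and unknown tenants.
APPROVED = {"tenant-corp-main", "tenant-corp-dev"}
HIGH_RISK_TEAMS = {"engineering", "finance"}
EVENTS = [
    InviteEvent("alice", "engineering", "tenant-corp-dev", "received"),
    InviteEvent("bob", "marketing", "tenant-unknown-42", "received"),
    InviteEvent("bob", "marketing", "tenant-unknown-42", "clicked"),
    InviteEvent("carol", "engineering", "tenant-unknown-42", "received"),
    InviteEvent("dave", "marketing", "tenant-unknown-42", "accepted"),
    InviteEvent("bob", "marketing", "tenant-unknown-77", "received"),
]

if __name__ == "__main__":
    playbook = TenantInvitePlaybook(APPROVED, HIGH_RISK_TEAMS)
    for event, actions in zip(EVENTS, run_scenario(playbook, EVENTS)):
        print(event.user, event.action, "->", actions)
```

The design choice worth noting is that the per-user counter lives in the playbook rather than in the event: the same "received" event yields only a Nudge the first time but adds Coach and then Adapt as it recurs, which is the "dynamically updated based on the frequency of occurrences" behaviour described above. Team membership drives the Block decision for the developer population targeted in the scenario.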
Conclusion
The cyber security landscape has evolved, and so must our approach to defence. Attackers are no longer just exploiting systems; they are exploiting people, more than ever.
Relying on awareness training alone is no longer enough to tick the HRM box. Users cannot be expected to detect and counter every emerging cyber threat. We must continue to evolve from reactive education and controls to proactive defence and intervention.
Human Risk Management (HRM) is the place for this! By adopting HRM solutions and using the Human Threat Map (HTM), organisations can:
Move past training and improve their active defence mechanisms.
Identify and understand the risky human behaviours that enable cyberattacks.
Deploy automated interventions that protect users before threats escalate into breaches.
Security is not the employee’s responsibility; it is ours. It is our job, as security professionals, to build the defences that protect people, not just to train them to protect themselves.
The Human Threat Map is there for us all to use!
Go explore it here: www.humanthreatmap.com
Learn more about automated interventions here: https://www.culture.ai/platform/automated-interventions
References
HumanThreatMap.com - CultureAI's Human Threat Map
https://www.humanthreatmap.com/
CultureAI - Mitigate Risks Using Automated Interventions
https://www.culture.ai/platform/automated-interventions
Verizon - 2024 Data Breach Investigations Report
CrowdStrike - 2025 Global Threat Report
https://go.crowdstrike.com/rs/281-OBQ-266/images/CrowdStrikeGlobalThreatReport2025.pdf
Push Security - SAMLjacking a Poisoned Tenant
https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/
MITRE - MITRE ATT&CK
https://attack.mitre.org/
MITRE - ATLAS
https://atlas.mitre.org/
Push Security - SaaS Attack Techniques