Struggling with Human Risk? Take a Page from Adtech

Security teams have spent decades and billions trying to curb human error — simulating phishing attacks, delivering training, and measuring clicks and completions. Still, human error is responsible for 60% of security breaches, according to Verizon’s DBIR report.

It’s enough to make security professionals throw up their hands: you can’t change behavior! The thing is, you can. Just look at adtech. Online advertisers can influence behavior at massive scale.

Under the hood, the fields share the same goal: get the right message to the right person at the right time, and drive action. Heck, if we can get someone to buy a pair of shoes, surely we can get them to secure their account.

Cybersecurity can learn a lot from adtech. Advertising succeeds not by broadcasting generic messages, but by delivering precise prompts based on real signals, context, and constant experimentation.

Human risk management should work the same way. Whether it’s adopting a security tool, handling data more safely, updating software, or clicking on fewer phishes, it’s about meeting employees where they are with timely, relevant interventions — like a 90-second video briefing or a 30-word Slack nudge.

The best adtech campaigns continuously test tone, timing, channel, and frequency to improve outcomes. Security teams should do the same: measuring what actually reduces risky behavior instead of what simply checks a compliance box.

The shift is simple: stop treating human risk as periodic training, and start treating it like a behavioral system — adaptive, targeted, and optimized over time. Just like adtech.