How Compass Computing Group used

Human Risk Management (HRM)

to tangibly reduce risk for a large non-profit

Alt Text


  • Identify which employees are at high risk of being
    compromised in a phishing attack
  • Obtain an ongoing view of which employees are
    vulnerable to phishing attacks
  • Deliver regular security awareness training that will
    help drive user resilience to phishing attacks, as well
    to improve general security behaviour
  • Demonstrate compliance with ISO 27001 Clause 7.2.2


Security Awareness Training

  • Analyze each users’ current security strengths and
    weaknesses using a Gap Analysis Quiz.
  • Using the results of the quiz, each employee will
    receive a new security awareness course every four
    weeks, with courses being prioritised to address their
    weakest areas first.
  • Custom compliance courses will also be delivered
  • Simulated Phishing Exercises
  • Dark Web Monitoring

Simulated Phishing Exercises

  • At least one phishing simulation will be launched
    every six months, in order to test the impact of the
    training and to identify any high-risk users.
  • Instant follow-up training will be deployed to any
    employees who compromise their credentials during
    a phishing simulation, in order to reduce risk as soon
    as possible.

Dark Web Monitoring

  • Ongoing dark web monitoring will take place in order
    to identify and avoid early-stage attacks that
    leverage stolen employee credentials, like
    compromised usernames and passwords.



  • Construction


  • 250 employees


  • August 2020


  • Member of staff was
    compromised in a ‘Gift
    Card’ phishing attack
  • Current security
    awareness training
    materials are unengaging
    and ineffective
  • Current security
    awareness training
    approach is too time-consuming


In order to measure the impact of the customer’s Human Risk Management program, key risk metrics were taken both at the very start of the program and after seven months of activity.

Below, you’ll see the ‘company’ risk score (all risk metrics fused together), a ‘training’ risk score, (a combination of course grades and course completion percentages), a ‘phishing’ risk score (the collated opened, clicked and compromised rates during phishing simulations) and a ‘dark web’ risk score (based on how much of your business’s sensitive data is exposed on the dark web).


Having conducted seven months of security awareness training, periodic simulated phishing exercises and dark web breach scanning, the customer’s overall human risk score was reduced by 152 points – moving them from ‘Medium’ risk to ‘Low’ risk.

The phishing risk within the business drastically decreased by 100 points, meaning that the employees were considerably better at spotting, avoiding and reporting suspected attacks.

Alt Text
Alt Text


In order to reduce human cyber risk, it was important to ensure that employees were completing their security awareness courses as soon as possible and reaching the minimum pass score of 80% in their follow-up questionnaires.

To ensure this happened, the completion rate and course grades were tracked for every employee, with automatic course reminder emails being sent out to any staff members who hadn’t completed their course within a few working days.

The ongoing phishing simulation results were also tracked to ensure that the security awareness training courses were having the desired impact.

Alt Text

Out of the 250 staff, 97% per cent started and completed their courses, taking on average just three days to finish their course after enrolment, whilst scoring, on average, 92%.

As seen in the Phishing Simulation Performance table, employees were much less likely to open, click or become compromised by a phishing simulation.

If you need help reducing your cybersecurity risk, contact us today!