MSSP, Risk Assessments/Management, Generative AI, Phishing

Fable Security Dashboard Quantifies Human Security Risks


People are usually the weakest link in the security chain. Now, a year-old cybersecurity startup is giving executives a way to quantify and communicate those risks.

This week, San Francisco-based Fable Security rolled out a dashboard that will allow CISOs and other company leaders to gather metrics that can explain and address human-based behaviors and exposure points at the organization, department, and individual levels that can lead to real-world security incidents.

The vendor’s board-ready human-risk reporting tool addresses a significant gap that ongoing efforts to curb individuals’ risky behavior, like simulation and threat awareness training, can’t, according to Fable co-founder and CEO Nicole Jiang.

“Even after companies spent billions on security training, human error is the number-one cause of incidents, not because people are the problem, but because the approach is outdated,” Jiang told MSSP Alert. “Annual training, phishing simulations, and click metrics no longer cut it. At Fable, we’re taking a page from adtech: a closed-loop system that analyzes employee data, pinpoints risk, and delivers bite-sized, hyper-targeted interventions in the moment, right where people work.”

It could help drive changes in behavior, including a 60% drop in the exposure of personally identifiable information (PII) in cleartext, 86% fewer phishing clicks, 99% compliance with updating operating systems, and a 97% faster response to credential compromises, she said.

Giving CISOs Something to Grab Onto

It could also provide some relief to CISOs, who she said are embarrassed by the risk metrics they now have to share with boards of directors, adding that metrics like failures on phishing tests and completion of training don’t drive action or offer a complete story.

“With Fable’s board-ready reporting, CISOs can now show a single, explainable risk score across the organization, drill into the factors behind it, understand emerging threats, and launch targeted campaigns that actually change behavior, and prove the whole thing with metrics,” said Jiang, who founded Fable with Chief Product Officer Sanny Liao after stints with such companies as Abnormal AI and Microsoft.

The company officially launched in July, backed by $31 million in seed and Series A funding.

An Ongoing Concern

In its 2024 Voice of the CISO report, Proofpoint found that “human error continues to be perceived as the Achilles' heel of cybersecurity,” with 74% of CISOs pointing to it as their most significant vulnerability. More than 80% of the 1,600 surveyed said that human risk, negligent employees in particular, has been the key cybersecurity concern for the last two years.

That said, Proofpoint researchers wrote that “there's growing optimism in the role of AI-powered solutions to mitigate human-centric risks, reflecting a strategic pivot towards technology-driven defenses.”

This has fueled a global human risk management market that Frost and Sullivan analysts expect will grow from $2.88 billion in 2024 to almost $6 billion by 2028.

“There’s growing momentum around human risk management because the threat landscape has outgrown traditional approaches,” Jiang said. “AI is fueling attacks and making scams more targeted and believable. At the same time, employees have increasingly complex work lives – hybrid offices, remote work, partner ecosystems, multiple communication tools, SaaS sprawl, and often unclear protocols for keeping data and systems safe.”

Moving Beyond Training

At the same time, boards and regulators want proof that CISOs are reducing human risk and not simply checking off compliance boxes.

“Together, these forces are driving security leaders to move beyond annual training toward more continuous, data-driven approaches that measure and actively manage human behavior as a core part of cybersecurity resilience,” she said.

MSSPs Aren't Immune

MSSPs are also feeling this pressure. They are protecting clients from complex cyber threats, but human risk “has long been a blind spot for them, and as people become a constant vulnerability in modern attacks, visibility into that layer is no longer optional,” the CEO said.

Fable’s dashboard gives MSSPs a unified and explainable view of human risk that spans their customer base. That includes risk scores and the behavioral factors that fuel them, allowing MSSPs to measure, prioritize, and reduce such risks through greater visibility, response, and proof of impact.

The technology enables CISOs and MSSPs to view metrics at both the enterprise and individual levels, and CISOs and other executives can drill down into areas such as authentication, device security, and generative AI use. All of this is factored into a human risk score. Fable’s offering also delves into emerging threats, including who can be a target and why, and then recommends interventions to reduce the company’s exposure and build resilience.

The Role of AI

AI is a core element of the vendor’s technology, from creating insights about observed and mitigated behaviors to showing threats, targets, and defense playbooks and developing heat maps of social engineering attack techniques.

“We use machine learning to synthesize risk, and generative AI to deliver hyper-targeted, personalized videos in the moment to people right where they are,” Jiang said. “That relevance and immediacy are what differentiate us from generic training. Simply put, we couldn’t do it at scale without AI.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
