Unquantified Human Risk
Unquantified Human Risk in the context of cybersecurity refers to the portion of an organization's overall threat exposure stemming from human vulnerabilities that has not been formally measured, assessed, or translated into a tangible, actionable risk metric. It represents the gap between internal technical security posture and the unknown external liabilities created by employees, executives, and third parties.
Nature of the Unquantified Risk
This risk is often overlooked because traditional security tools focus on technical flaws (such as misconfigured firewalls or missing patches) rather than on human factors outside the network perimeter. The risk remains unquantified when organizations fail to track the following external data points:
Unknown Exposure of PII and Credentials: The organization is unaware of how many employee credentials (usernames, passwords) have been leaked in external data breaches, making it impossible to calculate the risk of a mass credential-stuffing attack.
Social Engineering Mapping Potential: The organization has not assessed the amount of publicly available personal and professional information (PII, roles, aliases, travel schedules) that an attacker could easily harvest to build a convincing social engineering profile for a spear-phishing or pretexting attack.
Human-Enabled Technical Flaws: The organization fails to assess the risk posed when employees upload corporate data, proprietary code (including API keys and sensitive configuration files), or internal documents to public platforms such as code repositories or cloud storage services.
Significance
The challenge of Unquantified Human Risk is that it prevents security leaders from accurately measuring the Human Attack Surface Delta and properly allocating resources. Since the risk hasn't been quantified, it often receives inadequate budget and attention, leaving it as the silent, primary vector for high-impact breaches such as account takeovers and executive extortion.
ThreatNG directly addresses Unquantified Human Risk by establishing a quantifiable external security posture for the human element, effectively transforming unknown liabilities into measurable, actionable intelligence. ThreatNG's outside-in visibility enables an organization to finally measure the Human Attack Surface Delta and properly prioritize remediation efforts.
ThreatNG's Role in Quantifying Human Risk
External Discovery
ThreatNG performs purely external unauthenticated discovery using no connectors. This is the critical first step to gain visibility into the unquantified risk, as it maps the entire external digital footprint, including human-related exposure.
Example of ThreatNG Helping: The discovery process uncovers Archived Web Pages. An attacker maps employee roles by finding old directories or press releases in archives that contain Emails and User Names. ThreatNG identifies this historical PII first, alerting the organization to the exposure and enabling them to begin the quantification process.
External Assessment
ThreatNG uses specialized security ratings to quantify the severity of human-centric risks, turning nebulous "human risk" into concrete, measurable scores.
Data Leak Susceptibility Security Rating (A-F): This rating is heavily influenced by Compromised Credentials.
Example in Detail: ThreatNG continuously tracks and assesses all Compromised Credentials associated with the organization's corporate emails. If 500 employee passwords are found leaked, this unquantified liability is transformed into a quantifiable risk—a poor Data Leak Susceptibility rating—directly proportional to the volume of exposed PII. This metric allows the security team to budget for a mitigation campaign.
BEC & Phishing Susceptibility Security Rating (A-F): This rating is based on findings like Email Format Guessability and Domain Name Permutations.
Example in Detail: ThreatNG's Email Intelligence confirms the organization has high Email Format Guessability. This human-enabled design flaw, which facilitates Social Engineering Reconnaissance Mapping, is quantified with a poor rating (e.g., "F"), providing the organization with a clear, measurable metric for a previously unknown risk.
Cyber Risk Exposure Security Rating (A-F): This rating assesses human-enabled technical exposures, such as missing WHOIS privacy.
Example in Detail: ThreatNG finds an executive's personal PII is exposed due to missing WHOIS privacy. This is an unquantified human risk because the executive's action exposes corporate assets to Executive Extortion Risk. The poor rating immediately quantifies this PII exposure risk.
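The two assessments described above (the Compromised Credentials count behind the Data Leak Susceptibility rating, and Email Format Guessability behind the BEC & Phishing rating) can be illustrated with a small quantification script. This is an added example, not ThreatNG's code or scoring: the breach records, directory and domain are constructed, and the A-F thresholds are assumptions chosen only to show how a raw count becomes a letter grade.

```python
"""Added example: quantify two human-risk inputs from constructed data.

1. Compromised credentials: count distinct corporate addresses found in a
   breach corpus and grade the exposed fraction of the workforce (A-F).
2. Email format guessability: infer the dominant address pattern from a
   directory sample and grade how predictable the format is (A-F).

All data is constructed; grading thresholds are assumptions, not a vendor's.
"""
from collections import Counter

CORP_DOMAIN = "example.com"  # constructed domain

# Constructed HR-style directory: (first, last) -> corporate address.
EMPLOYEES = {
    ("alice", "adams"): "alice.adams@example.com",
    ("bob", "baker"): "bob.baker@example.com",
    ("carol", "chen"): "carol.chen@example.com",
    ("dan", "diaz"): "dan.diaz@example.com",
    ("erin", "evans"): "erin.evans@example.com",
    ("frank", "fox"): "frank.fox@example.com",
    ("gina", "gray"): "gina.gray@example.com",
    ("hal", "hunt"): "hal.hunt@example.com",
    ("ian", "irwin"): "ian.irwin@example.com",
    ("ivy", "ito"): "iito@example.com",  # legacy "flast" account
}

# Constructed breach records in the common "email:secret" layout. Secrets are
# placeholders; duplicates, case noise and junk lines are deliberate so the
# matcher has to normalise instead of counting raw lines.
BREACH_DUMP = """\
alice.adams@example.com:hunter2
Bob.Baker@EXAMPLE.COM:letmein
alice.adams@example.com:hunter2
carol.chen@example.com:Winter2024!
someone@other.org:pass123
dan.diaz@example.com:qwerty
garbage line without separator
another@partner.net:abc
"""

# Assumed thresholds: fraction <= ceiling earns that letter, otherwise "F".
LEAK_CEILINGS = (("A", 0.0), ("B", 0.05), ("C", 0.15), ("D", 0.30))
GUESS_CEILINGS = (("A", 0.3), ("B", 0.5), ("C", 0.7), ("D", 0.85))


def grade(fraction, ceilings):
    """Map a 0..1 exposure fraction to a letter using assumed ceilings."""
    for letter, ceiling in ceilings:
        if fraction <= ceiling:
            return letter
    return "F"


def corporate_hits(dump, domain):
    """Distinct corporate addresses in a dump (case-insensitive, junk-tolerant)."""
    suffix = "@" + domain.lower()
    hits = set()
    for line in dump.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # not an email:secret record
        email = line.split(":", 1)[0].strip().lower()
        if email.endswith(suffix):
            hits.add(email)
    return hits


def leak_susceptibility(dump, directory, domain):
    """Exposed-credential count, fraction of workforce, and A-F grade."""
    hits = corporate_hits(dump, domain)
    workforce = len(directory)
    fraction = len(hits) / workforce if workforce else 0.0
    return {"exposed": len(hits), "workforce": workforce,
            "fraction": fraction, "rating": grade(fraction, LEAK_CEILINGS)}


# Common local-part conventions to test a directory against.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
}


def email_format_guessability(directory):
    """Dominant address pattern, its share of the sample, and A-F grade."""
    counts = Counter()
    for (first, last), email in directory.items():
        local = email.split("@", 1)[0].lower()
        matched = next((name for name, fn in PATTERNS.items()
                        if fn(first.lower(), last.lower()) == local), "other")
        counts[matched] += 1
    pattern, n = counts.most_common(1)[0]
    share = n / sum(counts.values())
    return {"pattern": pattern, "share": share,
            "rating": grade(share, GUESS_CEILINGS)}


if __name__ == "__main__":
    print(leak_susceptibility(BREACH_DUMP, EMPLOYEES, CORP_DOMAIN))
    print(email_format_guessability(EMPLOYEES))
```

On the constructed data, four of ten directory addresses appear in the dump (the duplicate and the upper-case record collapse to one hit each), and nine of ten addresses follow first.last, so both inputs land on the worst grade under the assumed ceilings. The point a practitioner should take from it is the normalisation step: counting raw dump lines would overstate the exposure, while a case-sensitive match would understate it.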
Reporting
The reporting capabilities are critical for translating the quantified human risk into a format that drives resource allocation.
Security Ratings Reports (A through F): The trend in security ratings over time directly measures the reduction in Unquantified Human Risk. If the Data Leak Susceptibility rating improves from an "F" to a "C," it proves a successful reduction in the human attack surface.
MITRE ATT&CK Mapping: ThreatNG automatically correlates human-centric findings (such as leaked credentials) with the Initial Access technique, translating unquantified risk into a strategic threat narrative that justifies budget to the boardroom.
Continuous Monitoring
Continuous Monitoring of the external attack surface ensures that the Human Risk remains quantified in real time, preventing it from reverting to an unquantified state.
Example of ThreatNG Helping: Continuous monitoring detects a new, large batch of employee PII and credentials posted on an online file-sharing site. This immediate detection quantifies the latest spike in risk, preventing the exposure from remaining "unquantified" until a breach occurs.
Investigation Modules
ThreatNG's modules provide the tools to measure, at a granular level, the individual inputs that make up the Unquantified Human Risk.
Social Media Investigation Module: This module proactively safeguards against targeted attacks on executives and employees (the Human Attack Surface).
Username Exposure: This conducts a Passive Reconnaissance scan for usernames across high-risk platforms like GitHub and Pastebin. An increase in the number of exposed usernames provides a quantifiable metric for the rise in the human attack surface.
LinkedIn Discovery: This module identifies the employees most susceptible to social engineering attacks. By generating this list, ThreatNG quantifies the organization's social engineering exposure risk.
Dark Web Presence: This module groups Organizational mentions and Associated Compromised Credentials.
Example in Detail: The Dark Web module detects chatter discussing a list of specific employee names and their corporate titles that have been compromised. This directly overcomes the lack of visibility by quantifying the active targeting of human assets.
Intelligence Repositories (DarCache)
The intelligence repositories provide real-world, high-confidence data to prove and quantify human risk.
Compromised Credentials (DarCache Rupture): This repository is the definitive source for proving that employee credentials have been leaked, allowing the organization to calculate the most critical component of the Unquantified Human Risk: the volume of exposed passwords.
Complementary Solutions
ThreatNG's quantified human risk metrics can be used to optimize complementary internal tools and processes.
Cooperation with Security Awareness Training Platforms: When ThreatNG's Data Leak Susceptibility rating shows an increase in Compromised Credentials, this quantified risk can be sent to a complementary Security Awareness Training Platform. This integration automatically triggers targeted, mandatory training modules for the affected employees, driving internal action using external, quantifiable metrics.
Cooperation with GRC Platforms: The quantified security ratings (e.g., Data Leak Susceptibility) can be pushed to a complementary Governance, Risk, and Compliance (GRC) Platform. This ensures the GRC platform uses external, human-centric data to accurately inform the organization's risk register and compliance posture (e.g., HIPAA or GDPR), which often involves protecting employee and customer PII.