What is Moxso's Human Risk Intelligence (HRI)?
An introduction to HRI
Moxso's Human Risk Intelligence (HRI) engine is built around a four-layer closed loop: Signals → Intelligence → Action → Insights. Each layer feeds the next, turning raw data into automated risk responses and measurable program outcomes without requiring manual intervention at each step.
This article explains what each layer does and how they work together.
The four layers
Signals
The system collects real-time data from three sources simultaneously:
- Human behavior — how employees interact with emails, systems, and security tools (clicks, anomalies, patterns of inactivity)
- Organizational context — who the employee is: their role, access level, responsibility tier, and applicable compliance requirements
- External threats — live data on active attacks, data breaches, and emerging threats relevant to your industry and country, continuously tracked through OSINT (open-source intelligence).
Connecting all three is what makes the Intelligence layer meaningful. A risky click means something different depending on who clicked, what they have access to, and what active threats are happening in your country and industry.
Intelligence
Every incoming signal is classified against Moxso's Risk Framework — 16 risk categories that cover the full range of human security behavior. The system then weights each signal based on:
- The individual's role, access level, and responsibility tier
- Your organization's industry and compliance requirements
- Your configured training strategy (risk-based, compliance-based, or group-based)
- What active threats are happening in your country and industry
The result is a risk picture that updates continuously at the individual, team, and organization level.
Action
Once a risk calculation is complete, the system selects a proportionate response automatically. The possible actions are:
|
Action |
When & how it applies |
|---|---|
|
Phishing simulation |
Matched to active threats in the current threat landscape |
|
Training |
Calibrated to the individual's current risk profile |
|
Escalation |
Routed to a manager or SOC when risk warrants human review |
|
Resilience score update |
Applied at org, team, and individual level after every intervention |
|
Recommended intervention |
Surfaced for cases where human judgement is appropriate |
|
No action |
When risk doesn't warrant intervention, the system knows when to do nothing |
The system selects and triggers the response automatically based on risk calculation.
Insights
The Insights layer is what security leads, compliance officers, and boards see. It answers three questions across three lenses:
- Human risk — individual and aggregate risk levels, high-risk users, risk velocity, and exposure.
- Organization — industry benchmarks and active threats by industry and country.
- Program — whether your security program is working: action effectiveness, compliance audit tracking, and progress against security goals.
These three lenses feed into the Resilience Score, a single, continuously updated measure of whether risk across your organization is going up or down.
What the HRI engine is built to do
Most human security programs are built to make employees aware. Human Risk Intelligence is built to go further, using actual behavior data to understand where awareness is lacking and what each employee specifically needs to improve. The goal is not awareness for its own sake, but a measurable reduction in human risk.
That question changes what the system measures, what it acts on, and what it reports. Instead of tracking who completed training, it tracks whether behavior is actually changing. Instead of treating risk as evenly distributed across your organization, it builds an individual risk profile for each person, continuously updated based on what they do, what threats are active, and where they sit in the organization.
The output isn't a completion report. It's a Human Resilience Score: a live, per-person measure of whether risk is going up or down.