The Economics of Human Risk: Pricing Phishing Exposure for Executive Team

SHILPI MONDAL | DATE: DECEMBER 01, 2025



Why Human Risk Deserves an Economic Model


For years, cybersecurity has quietly acknowledged a brutal truth: people are involved in most breaches. Verizon’s Data Breach Investigations Report (DBIR) has repeatedly found that the human element (errors, social engineering, misuse) is implicated in the majority of incidents. In recent editions, phishing and related social engineering (such as business email compromise, or BEC) remain among the top initial attack vectors across industries.


Other analyses echo the point: in many sectors, phishing or pretexting via email accounts for more than two-thirds of breaches, and median time to click on a malicious email is often under a minute.


Academic and industry research now treat human behavior as a quantifiable cyber risk driver, not just a vague “weakest link.” Phishing studies show that a person’s workload, their situation at the moment, and what is on their mind all affect whether they click on a scam email or flag it.


Put simply:

  • Phishing is predictable at scale.

  • The losses it causes are material and recurrent.

  • The variables are measurable: who gets targeted, who clicks, who authenticates payments, who has sign-off authority.


That makes phishing perfect for an economic treatment: you can model it, assign probabilities, estimate financial impact, and optimize investment.


Why Executives Are the Highest-Value Human Risks


Executives control money, carry authority, and hold privileged access, so attackers aim directly at them with tailored lures such as whaling and spoofed email. A compromised CFO can trigger large financial losses, legal exposure, and damaged trust; so can a compromised CEO. A compromised general counsel brings fines, regulatory scrutiny, even public backlash. Each role’s failure sends ripple effects across the company’s stability.


Turning Human Behavior Into Priced Cyber Risk


Phishing risk can be modeled like any other financial risk:

Expected Loss = Probability × Impact



For executives, key scenarios include:

  • BEC (fraudulent payments, vendor scam)

  • Credential Theft (account takeover, lateral movement, ransomware)

  • Sensitive Data Leakage (M&A documents, legal files)

  • Reputational Damage (fake announcements, market manipulation)


Because impacts are large and measurable, phishing lends itself to quantitative loss modeling, not guesswork.


Measuring Human Susceptibility


Executive susceptibility is quantifiable using:


Behavioral Metrics

  • Click and data-submission rates in simulations

  • Reporting behavior

  • Time-to-click / time-to-report

  • History of near-misses or previous compromises


Control Usage

  • Use of phishing-resistant MFA (FIDO2)

  • Device hygiene

  • Secure communication practices


Contextual Risk

  • Travel

  • Public visibility

  • High-pressure business cycles


Executives can be categorized into low-, medium-, and high-risk tiers using this data, allowing for focused interventions.
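As an added example (not code from the article), here is one way to turn the behavioral, control, and contextual signals above into a susceptibility score and a low/medium/high tier. The weights, the smoothing prior, the tier thresholds, and the four executive records are all constructed assumptions; the point to notice is that rates are smoothed toward a prior when the sample is small, so an executive who received four simulations is not scored as harshly on one click as one who received forty.

```python
"""Susceptibility tiers from behavioural, control and contextual signals.

Added example, not from the article: the weights, smoothing prior, thresholds
and the four executive records are constructed assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecObservation:
    role: str
    sims_sent: int        # simulations this executive received in the period
    clicked: int          # simulations where a link was clicked
    submitted: int        # simulations where data was entered
    reported: int         # simulations reported to security
    fido2: bool           # phishing-resistant MFA enrolled
    travel_days: int      # days travelling in the period (contextual risk)
    public_profile: bool  # high public visibility


def smoothed_rate(events: int, trials: int, prior: float = 0.1, weight: int = 5) -> float:
    """Rate with a Beta-style prior: a small sample is pulled toward `prior`
    (weighted as if it were `weight` extra observations). Using rates rather
    than raw counts also keeps roles that receive more simulations from
    looking worse simply because of volume."""
    return (events + prior * weight) / (trials + weight)


def susceptibility_score(o: ExecObservation) -> float:
    """Behaviour (click, submit, failure to report), dampened by phishing-resistant
    MFA and amplified by context. Weights are assumptions, not calibrated values."""
    click = smoothed_rate(o.clicked, o.sims_sent)
    submit = smoothed_rate(o.submitted, o.sims_sent)
    report = smoothed_rate(o.reported, o.sims_sent)
    behaviour = 0.4 * click + 0.4 * submit + 0.2 * (1.0 - report)
    # FIDO2 makes a submitted password far less useful to an attacker
    control_factor = 0.5 if o.fido2 else 1.0
    # Visibility and travel raise targeting likelihood and lower vigilance
    context_factor = 1.0 + (0.2 if o.public_profile else 0.0) + 0.2 * min(o.travel_days, 60) / 60
    return behaviour * control_factor * context_factor


def tier(score: float) -> str:
    """Thresholds are assumed; calibrate them against your own simulation history."""
    if score < 0.15:
        return "low"
    if score < 0.30:
        return "medium"
    return "high"


def tier_executives(observations):
    """Map each role to (score, tier)."""
    return {o.role: (round(susceptibility_score(o), 3), tier(susceptibility_score(o)))
            for o in observations}


# Constructed sample period (not real data)
SAMPLE = [
    ExecObservation("CEO",  sims_sent=12, clicked=0, submitted=0, reported=9, fido2=True,  travel_days=30, public_profile=True),
    ExecObservation("CFO",  sims_sent=12, clicked=3, submitted=1, reported=5, fido2=False, travel_days=40, public_profile=True),
    ExecObservation("CHRO", sims_sent=4,  clicked=1, submitted=0, reported=2, fido2=True,  travel_days=5,  public_profile=False),
    ExecObservation("CIO",  sims_sent=12, clicked=4, submitted=2, reported=2, fido2=False, travel_days=0,  public_profile=False),
]

if __name__ == "__main__":
    for role, (score, t) in tier_executives(SAMPLE).items():
        print(f"{role:5} score={score:.3f} tier={t}")
```

In the sample, the CFO and the CHRO both have a raw click rate of 25%, yet they land in different tiers: the CHRO’s rate rests on four simulations and is smoothed toward the prior, and the CHRO uses FIDO2. That is the kind of normalization the data needs before anyone compares roles.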


Quantifying the Financial Impact of a Phished Executive


Impact assessment must include:


Direct losses: fraudulent transfers, recovery efforts, legal expenses

Operational impact: downtime, delayed filings, disrupted projects

Regulatory/legal costs: fines, investigations

Strategic + reputational impacts: lost deals, market reaction, leaked negotiations


Typical ranges:

  • Generic mailbox compromise → $10K–$100K

  • Executive compromise → hundreds of thousands to tens of millions


These can be modeled using expected annual loss (EAL), value at risk (VaR), and conditional value at risk (CVaR), translating cyber behavior into financial exposure the board understands.


Turning It into a Price: Phishing Exposure per Executive


Now you have:

  • P(executive j is successfully phished) per year.

  • Loss distribution if that happens.


You can calculate per-executive phishing exposure in monetary terms.


A simple formula

For each executive j and each scenario s (e.g., BEC, credential theft):

EAL_s,j = P(attack_s against j) × P(success_s | attack_s, behavior_j, controls) × Expected Loss_s,j


Then sum across scenarios:

Total Phishing EAL for Executive j = Σ_s EAL_s,j


You might find, for example, that:

  • CEO: expected loss from phishing = $900,000 per year

  • CFO: expected loss from phishing = $1.4M per year

  • CHRO: expected loss from phishing = $350,000 per year

  • CIO: expected loss from phishing = $600,000 per year


These numbers are illustrative, but they give the board a price tag for each role’s phishing exposure.
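As an added example (not code from the article), the following computes the per-scenario and total EAL for one executive with the formula above, then draws a Monte Carlo loss distribution to get the VaR and CVaR figures mentioned earlier. The CFO scenario set, every attack and success probability, and the log-normal loss parameters are constructed assumptions; a real run would take P(success) from the susceptibility data and the loss ranges from incident history.

```python
"""Pricing one executive's phishing exposure.

Added example (not from the article): EAL per scenario, the total across
scenarios, and a Monte Carlo loss distribution for VaR / CVaR. Every rate and
loss figure below is a constructed assumption for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p_attack: float      # P(attack_s against j) in a year
    p_success: float     # P(success_s | attack_s, behaviour_j, controls)
    loss_median: float   # median loss in USD if the scenario materialises
    loss_sigma: float    # spread of a log-normal loss distribution


def scenario_eal(s: Scenario) -> float:
    """EAL_s,j = P(attack_s) x P(success_s | ...) x E[Loss_s,j].
    For a log-normal loss the mean is median * exp(sigma^2 / 2)."""
    return s.p_attack * s.p_success * s.loss_median * math.exp(s.loss_sigma ** 2 / 2)


def total_eal(scenarios) -> float:
    """Total phishing EAL for executive j = sum over scenarios s of EAL_s,j."""
    return sum(scenario_eal(s) for s in scenarios)


def simulate_annual_losses(scenarios, trials=20_000, seed=7):
    """Monte Carlo: each trial is one year. Simplification: each scenario occurs
    at most once per year, with probability p_attack * p_success; if it does,
    a loss is drawn from its log-normal distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        year = 0.0
        for s in scenarios:
            if rng.random() < s.p_attack * s.p_success:
                year += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        losses.append(year)
    return losses


def var_cvar(losses, alpha=0.95):
    """VaR_alpha: the loss not exceeded in a fraction alpha of simulated years.
    CVaR_alpha: the average loss across the worst (1 - alpha) of years."""
    ordered = sorted(losses)
    idx = min(int(alpha * len(ordered)), len(ordered) - 1)
    tail = ordered[idx:]
    return ordered[idx], sum(tail) / len(tail)


# Constructed scenario set for a hypothetical CFO (assumed, not measured)
CFO_SCENARIOS = [
    Scenario("BEC / fraudulent payment", p_attack=0.9, p_success=0.08, loss_median=1_200_000, loss_sigma=0.7),
    Scenario("Credential theft",         p_attack=0.9, p_success=0.05, loss_median=400_000,   loss_sigma=0.7),
    Scenario("Sensitive data leakage",   p_attack=0.5, p_success=0.03, loss_median=2_000_000, loss_sigma=0.7),
]


def price_executive(scenarios, alpha=0.95):
    """Return the figures a board slide needs: EAL by scenario, total EAL, VaR, CVaR."""
    losses = simulate_annual_losses(scenarios)
    var, cvar = var_cvar(losses, alpha)
    pct = round(alpha * 100)
    return {
        "eal_by_scenario": {s.name: round(scenario_eal(s)) for s in scenarios},
        "total_eal": round(total_eal(scenarios)),
        "simulated_mean": round(sum(losses) / len(losses)),
        f"var_{pct}": round(var),
        f"cvar_{pct}": round(cvar),
    }


if __name__ == "__main__":
    for key, value in price_executive(CFO_SCENARIOS).items():
        print(f"{key}: {value}")
```

The simulated mean should land close to the closed-form total EAL; VaR and CVaR are the “worst-case over one year” numbers that a board reporting format asks for alongside it. With these assumptions most simulated years have zero loss, so the 95th percentile sits inside the tail where an incident actually occurred, which is why it is far larger than the EAL.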


Building a “Human Risk Premium”

You can also express this as a risk premium:

  • Imagine what cyber insurance would charge just for covering phishing-related incidents involving executives.

  • That implicit premium is your phishing risk price for the executive team.


This framing is powerful because it:

  • Converts “training fatigue” into capital and insurance costs.

  • Allows you to say, “If we reduce the CFO’s phishing exposure by 40%, we effectively ‘earn back’ $X in expected loss and lower our implied risk premium.”


Controls with ROI: Prioritizing What Reduces Loss the Most


Once risks are priced, investments can be made based on ROI.



High-ROI Controls


Technical

  • Advanced email security

  • FIDO2 authentication

  • Strong payment/approval safeguards

  • Data loss prevention (DLP)


Human + Process

  • Executive-specific simulations

  • “Never approve over email” rules

  • Executive assistant training

  • Clear crisis playbooks


Controls should be prioritized by how much expected loss they eliminate per dollar spent.
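As an added example (not code from the article), here is the prioritization rule above worked through for the illustrative per-role EAL figures given earlier: candidate controls are ranked by the marginal expected loss they remove per dollar, taking into account that two controls covering the same exposure do not add up linearly, and the result is expressed as an implied risk premium in the sense of the previous section. Every control cost and reduction fraction, and the 30% premium loading, is a constructed assumption.

```python
"""Ranking controls by expected loss avoided per dollar, and turning EAL into
an implied risk premium.

Added example, not from the article. The baseline EAL figures are the article's
illustrative role numbers; every control cost and reduction fraction is a
constructed assumption."""
from dataclasses import dataclass

# Illustrative per-role EAL from the article (USD per year)
BASELINE_EAL = {"CEO": 900_000, "CFO": 1_400_000, "CHRO": 350_000, "CIO": 600_000}


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: dict   # role -> fraction of that role's EAL the control removes (assumed)


# Constructed candidate controls (costs and effects are assumptions)
CONTROLS = [
    Control("FIDO2 hardware keys", 60_000, {"CEO": 0.5, "CFO": 0.5, "CHRO": 0.5, "CIO": 0.5}),
    Control("Out-of-band payment approval", 40_000, {"CFO": 0.45, "CEO": 0.2}),
    Control("Executive-specific simulations and coaching", 50_000,
            {"CEO": 0.15, "CFO": 0.15, "CHRO": 0.2, "CIO": 0.15}),
    Control("Advanced email security", 120_000, {"CEO": 0.3, "CFO": 0.3, "CHRO": 0.3, "CIO": 0.3}),
    Control("Executive assistant training", 15_000, {"CEO": 0.1, "CFO": 0.1, "CHRO": 0.05, "CIO": 0.05}),
]


def residual_eal(baseline, selected):
    """EAL per role after the selected controls. Reductions combine
    multiplicatively (assumed independent): two 50% controls leave 25%, not 0%."""
    residual = {}
    for role, eal in baseline.items():
        remaining = 1.0
        for c in selected:
            remaining *= 1.0 - c.reduction.get(role, 0.0)
        residual[role] = eal * remaining
    return residual


def loss_avoided(baseline, selected):
    """Total expected loss removed by a set of controls."""
    return sum(baseline.values()) - sum(residual_eal(baseline, selected).values())


def greedy_portfolio(baseline, controls, budget):
    """Repeatedly add the control with the best *marginal* loss avoided per dollar,
    given what is already selected, until the budget is spent or a dollar of
    control buys less than a dollar of expected loss."""
    selected, remaining, spent = [], list(controls), 0.0
    while True:
        current = loss_avoided(baseline, selected)
        best, best_ratio = None, 1.0
        for c in remaining:
            if spent + c.annual_cost > budget:
                continue
            ratio = (loss_avoided(baseline, selected + [c]) - current) / c.annual_cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            return selected, spent
        selected.append(best)
        remaining.remove(best)
        spent += best.annual_cost


def implied_premium(eal, loading=1.3):
    """Insurance-style price for the exposure: expected loss plus a loading for
    the insurer's expenses and risk margin. The 30% loading is an assumption."""
    return eal * loading


if __name__ == "__main__":
    chosen, spent = greedy_portfolio(BASELINE_EAL, CONTROLS, budget=200_000)
    after = residual_eal(BASELINE_EAL, chosen)
    print(f"Selected ({spent:,.0f} USD/yr): {[c.name for c in chosen]}")
    for role in BASELINE_EAL:
        print(f"{role:5} EAL {BASELINE_EAL[role]:>10,.0f} -> {after[role]:>10,.0f}   "
              f"premium {implied_premium(BASELINE_EAL[role]):,.0f} -> {implied_premium(after[role]):,.0f}")
    print(f"Reducing the CFO's exposure by 40% earns back {0.4 * BASELINE_EAL['CFO']:,.0f} USD/yr")
```

Note how the ranking changes as controls are added: the payment-approval control looks best by raw reduction once hardware keys are in place, but the cheap executive-assistant training overtakes the simulation program on a per-dollar basis, and the email security suite is squeezed out by the budget. That is what “expected loss eliminated per dollar spent” looks like once overlap between controls is taken into account.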


How to Present This to the Executive Team and Board


Numbers only matter if they drive decisions. Framing is critical.


Speak the language of finance and risk

Instead of “training completion rate,” talk about:

  • Expected Annual Loss from executive phishing

  • Worst-case scenario loss (VaR) over one year

  • Risk reduction achieved by specific initiatives

  • Cost per dollar of risk reduced


This aligns with guidance for board-oriented cyber reporting, which stresses a small set of quantified risk metrics such as expected and worst-case loss.


Use simple, credible visuals

Examples:


Heat map of phishing exposure by role

  • X-axis: role criticality; Y-axis: susceptibility.

  • Color: expected loss band.


“Before vs after” bar chart

  • Show EAL per role before and after a specific control (e.g., hardware keys rollout).


Loss funnel

  • Total phishing attempts → attempts reaching inboxes → clicks → compromises → monetary loss.

  • Mark where controls and behaviors reduce volume or impact.


Narrative framing that works

  • “We are not trying to blame individuals; we are pricing a risk that happens to flow through human behavior.”

  • “Think of executive phishing exposure as a line item we can shrink through a portfolio of technical, process, and behavioral investments.”

  • “This lets you compare cyber investments to other risk-reducing initiatives—hedging FX, diversifying suppliers, or holding more inventory.”


Implementation Roadmap for a Human Risk Pricing Program



Baseline & Inventory

  • Identify who is in scope: the executive team and other key decision-makers.

  • Collect historical data: phishing simulation results, near-misses, past incidents, insurer questionnaires, and audit findings.

  • Map the workflows that depend on executive action: payments, vendor onboarding, approvals, and information sharing.


Data Collection & Model Building

  • Run realistic, executive-focused phishing simulations.

  • Collect behavioral data over at least six months, extending to twelve where possible.

  • Calibrate against external data (e.g., DBIR, FBI IC3) to compare attack frequency and severity.

  • Build the model, starting with simple expected-loss spreadsheets or a structured approach such as FAIR.


Integrate Into Enterprise Risk & Planning

  • Add phishing exposure metrics to the enterprise risk register.

  • Align the data with business continuity, capital planning, and cyber insurance initiatives.

  • Calculate the amount of money or insurance needed to cover losses caused by phishing.


Governance, Culture & Continuous Improvement

  • Define who owns the model and how often it is reviewed and updated.

  • Promote a non-punitive culture that encourages quick reporting, even after clicking.

  • Continuously refine probabilities and impact estimates as attacker methods, business conditions, and controls evolve.


Pitfalls and Ethical Considerations


Pricing human risk is powerful—and sensitive. Missteps can damage trust and create perverse incentives.


Avoid weaponizing the numbers

  • Don’t turn per-executive EAL into a public scorecard or a shaming tool.

  • Focus on role-level exposure and anonymized data where possible.

  • Use named data only where it directly informs coaching or tailored protections.


Guard privacy and fairness

Limit who can see detailed behavioral metrics.


Clearly communicate:

  • What is being measured.

  • How it will be used.

  • How long data is retained.


Watch for bias:

  • Roles or teams that get more simulations might look “worse” if you don’t normalize properly.

  • Executives in high-pressure roles may appear riskier simply due to volume and urgency—something you should address structurally, not just by blaming individuals.


Align with recognized best practices

Frameworks like NIST SP 800-50 and its updated guidance emphasize that awareness and training programs should be role-based, measurable, and aligned with organizational risk—not just generic e-learning.


Your economic model should support, not replace:

  • Strong baseline controls.

  • Continuous training and culture building.

  • Clear accountability at the leadership level.


The Strategic Payoff: From “User Error” to Managed Risk


When you shift from talking about “people clicking links” to pricing human risk, several things change:


Cybersecurity joins the language of finance.

  • You discuss expected loss, VaR, risk premiums, and ROI—not just alerts and patches.


Executives see themselves as risk owners, not victims.

  • Their own behavior, approvals, and disciplines become levers to reduce a price tag the board cares about.


Investment decisions become clearer.

  • Should you roll out hardware keys to the top 200 staff?

  • Is a dedicated executive protection and email security suite justified?

  • Does the cost of bespoke executive training pay off in risk reduction?


Culture improves.

  • You’re not blaming “the human factor”; you’re managing an economically material risk that happens to be expressed through people.

  • Phishing will never disappear. But by treating executive phishing exposure as a priced risk, not a moral failure, you give your organization a concrete way to shrink one of its most persistent and expensive vulnerabilities.


Citations:

  1. 2024 Data Breach Investigations Report: Vulnerability exploitation boom threatens cybersecurity. (2025, April 9). News Release | Verizon. https://www.verizon.com/about/news/2024-data-breach-investigations-report-vulnerability-exploitation-boom

  2. Șandor, A., Tonț, G., & Simion, E. (2021). A mathematical model for risk assessment of social engineering attacks. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4180646

  3. Phishing detection and loss computation hybrid model: A machine learning approach. (2017). ISACA Journal, 2017(1). https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/phishing-detection-and-loss-computation-hybrid-model-a-machine-learning-approach

  4. Bouveret, A. (2019). Estimation of losses due to cyber risk for financial institutions. The Journal of Operational Risk. https://doi.org/10.21314/jop.2019.224

  5. Wei, X., & Dong, Y. (2025). A hybrid approach combining Bayesian networks and logistic regression for enhancing risk assessment. Scientific Reports, 15(1), 26802. https://doi.org/10.1038/s41598-025-10291-9

  6. Mayou, C. (2025, November 14). Board reporting for cybersecurity: What executives need to see (and why). Meriplex. https://meriplex.com/board-reporting-for-cybersecurity-what-executives-need-to-see-and-why/

  7. Dezeure, F., Webster, G., Trost, J., Leverett, E., Gonçalves, J. P., Mana, P., McCord, G., & Magri, J. (2022). Reporting cyber risk to boards. https://www.eurocontrol.int/sites/default/files/2022-03/reporting-cyber-risk-to-boards-ce-20220322.pdf

  8. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce. (n.d.). NIST publishes SP 800-50 Revision 1 | CSRC. https://csrc.nist.gov/News/2024/nist-publishes-sp-800-50-revision-1

  9. FBI’s 2024 Internet Crime Complaint Center report released. (2025, April 24). Federal Bureau of Investigation. https://www.fbi.gov/contact-us/field-offices/elpaso/news/fbis-2024-internet-crime-complaint-center-report-released

  10. Gallo, L., Gentile, D., Ruggiero, S., Botta, A., & Ventre, G. (2023). The human factor in phishing: Collecting and analyzing user behavior when reading emails. Computers & Security, 139, 103671. https://doi.org/10.1016/j.cose.2023.103671

  11. Proofpoint. (2025, September 15). The Human Factor 2025: Vol. 1 Social Engineering | Proofpoint US. https://www.proofpoint.com/us/resources/threat-reports/human-factor-social-engineering

  12. WhatsApp Business. (n.d.). https://web.whatsapp.com/

  13. Nwafor, C. N., Nwafor, O., Brahma, S., & Acharyya, M. (2025). A hybrid FAIR and XGBoost framework for cyber-risk intelligence and expected loss prediction. Expert Systems With Applications, 299, 129920. https://doi.org/10.1016/j.eswa.2025.129920

  14. Wilson, M., & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication 800-50. https://doi.org/10.6028/nist.sp.800-50

  15. Cyber security: The human factor. (n.d.). IEC. https://www.iec.ch/blog/cyber-security-human-factor

  16. Team, R. (2025, November 13). Phishing risk mitigation: Strategies for enterprise resilience. RiskImmune Blog. https://riskimmune.ai/blog/phishing-risk-mitigation-strategies-for-enterprise-resilience

  17. Mastering cyber risk management: A framework for modern organizations. (n.d.). COMPASS. https://app.cyraacs.com/mastering-cyber-risk-management-a-comprehensive-framework-for-modern-organisations/

  18. What is security awareness? (n.d.). NEC. https://www.nec.com/en/global/solutions/cybersecurity/blog/210205/index.html

  19. The human factor in cyber security. (n.d.). Threatscape. https://www.threatscape.com/cyber-security-blog/the-human-factor-in-cyber-security/

  20. Redefining the human factor in cybersecurity. (n.d.). Kaspersky Official Blog. https://www.kaspersky.com/blog/human-factor-360-report-2023/

  21. Platform demo. (n.d.). [Video]. PhishingBox. https://www.phishingbox.com/resources/phishing-facts

  22. Mutlutürk, M., Wynn, M., & Metin, B. (2024). Phishing and the human factor: Insights from a bibliometric analysis. Information, 15(10), 643. https://doi.org/10.3390/info15100643

  23. Wilson, M., Stine, K., & Bowen, P. (2009). Information security training requirements: A role- and performance-based model. NIST Special Publication 800-16. National Institute of Standards and Technology. https://www.govinfo.gov/content/pkg/GOVPUB-C13-PURL-LPS114006/pdf/GOVPUB-C13-PURL-LPS114006.pdf
