A key element to managing human risk is first identifying, prioritizing, and measuring those risks. Traditionally, measuring risk has focused on technical risk, such as vulnerability scans or penetration tests of operating systems, applications, and network. However, we now need the same ability to measure vulnerabilities in people and culture. Unfortunately, we cannot simply fire up a vulnerability scanner. Instead, we need to interact with people and measure things like their knowledge, attitudes, and beliefs of key security behaviors and company policies. In addition, we also need to measure more quantitative elements like what data are employees handling, how are they handling that data, and who are they sharing it with. To do that, we use tools like knowledge assessments and surveys. Since these tools takes peoples’ time, leadership can be resistant to such methodologies. Here are some approaches you can take to gain leadership support.