Security decisions that employees make account for the bulk of enterprise-wide vulnerabilities, increasing exposure to cyber risk. The security industry’s traditional approach to mitigating this risk is predicated on the assumption that individuals will make the right security decisions if they have enough training and fear the consequences. Years of security research indicate otherwise. This briefing will share key insights from security research studies and from analysis of several dozen remediation campaigns reaching more than a million employees across industries. We will show why the industry’s traditional approaches to reducing employee risk are ineffective. Instead, our findings highlight innovative, data-driven techniques that are proven to reduce employee risk. We will explain why viewing this problem through a new lens is most effective and provide concrete examples of how security teams can leverage these approaches to effectively reduce employee risks such as phishing, password security, malware, data handling, and privilege abuse in their own organizations.