Enterprise-grade Security Culture Engineering • Human Risk Quantification • Training Effectiveness • ROI Modeling • Program Governance
A complete 20-lab hands-on program engineering series focused on building, measuring, optimizing, and governing enterprise security culture initiatives — from individual behavioral risk scoring to executive-level maturity assessment and financial justification.
This repository demonstrates practical capability across:
- ✅ Human Risk Engineering (KRIs, scoring models, risk insights)
- ✅ Behavioral Security Modeling (Fogg B=MAT → risk mapping + interventions)
- ✅ CTI-Driven Prioritization (normalization, scoring, triage outputs)
- ✅ Training Engineering (content pipeline, distribution, validation)
- ✅ Training Effectiveness & ROI (Kirkpatrick L1–L4 + business metrics)
- ✅ Security Culture Measurement (maturity scoring + benchmarking)
- ✅ Dashboards & Reporting (Flask/D3/Dash, JSON/CSV/MD outputs)
- ✅ Program Governance & Communication (multi-year planning + engagement tracking)
Portfolio positioning:
Security Practitioner → Security Culture & Capability Engineer
A structured 20-lab program simulating real enterprise workflows such as:
- Human risk assessment and prioritization
- Security awareness maturity benchmarking
- Role-based risk identification and strategic risk planning
- Training content production + delivery pipelines
- Quantitative evaluation (stats, effect size, ROI modeling)
- Culture analytics dashboards + executive KPI reporting
- Governance frameworks, communication systems, and long-term execution
- Final maturity assessment with packaged deliverables
All labs follow a consistent “evidence-first” structure:
- commands.sh / commands.txt (executed commands)
- output.txt (captured outputs)
- scripts/ (automation)
- reports/ (generated artifacts)
- troubleshooting.md (+ optional interview_qna.md)
| Lab | Title | Core Focus |
|---|---|---|
| 01 | Introduction to Human Risk Assessment | SQLite-backed human risk scoring |
| 02 | Cyber Threat Intelligence Integration | CTI ingestion + prioritization |
| 03 | Behavioral Science in Cybersecurity | Fogg B=MAT risk modeling |
- Built normalized SQLite risk database
- CTI multi-source ingestion (curl → JSON/CSV)
- Risk prioritization matrices for SOC workflows
- Implemented B.J. Fogg Behavior Model
- Organizational risk scoring engine with exports
- Full test suite (unit + integration)
| Lab | Title | Core Focus |
|---|---|---|
| 04 | Security Awareness Maturity Model (SAMM) | Weighted maturity scoring |
| 05 | Role-Based Risk Identification | Attribute + CTI-based risk |
| 06 | Building Strategic Risk Plans | Risk–Behavior–Culture alignment |
| 07 | Benchmarking Your Security Program | YAML-driven maturity benchmarking |
| 08 | Building Training Content | Media automation pipeline |
- Config-driven maturity thresholds
- Risk classification engine (MINIMAL → CRITICAL)
- Heatmaps & strategic action plans
- Interactive assessment capture + trend tracking
- Full training pipeline (record → process → distribute → validate)
- HTML training portal generation
| Lab | Title | Core Focus |
|---|---|---|
| 09 | ADDIE Framework Automation | Modular training lifecycle orchestration |
| 10 | Kirkpatrick Evaluation System | Statistical ROI & impact measurement |
- Object-oriented ADDIE workflow engine
- JSON project persistence
- Paired t-tests + Cohen’s d
- ROI calculation engine
- Department benchmarking dashboards
- Executive-ready quantitative reporting
| Lab | Title | Core Focus |
|---|---|---|
| 11 | AI Personalization in Training | Adaptive lesson generation |
| 12 | Audience Segmentation | Risk-based messaging |
| 13 | Data-Driven Behavior Change | Trend analytics + D3 dashboards |
| 14 | Ambassador Program Design | Governance + candidate scoring |
| 15 | Measuring Security Culture | SQLite + Flask + D3 dashboard |
- User profile–based adaptive training
- AIDA-based targeted messaging
- Behavior progression analytics
- Ambassador scoring + program governance
- Flask API + D3.js interactive dashboards
- Executive KPI reporting artifacts
| Lab | Title | Business Layer |
|---|---|---|
| 16 | ROI of Security Culture Programs | Financial justification |
| 17 | Compliance vs Impact Metrics | Behavioral measurement |
| 18 | Communication Strategies | Cultural enablement |
| 19 | Executing Long-Term Programs | Multi-year governance |
| 20 | Final Security Culture Assessment | Enterprise maturity engine |
- 24-month ROI simulation dataset
- Payback period + break-even modeling
- Compliance vs impact correlation engine
- Automated email scheduler (12-month plan)
- 3-year strategic roadmap generator
- Weighted maturity scoring (Initial → Optimizing)
- Radar + bar visualization outputs
- Executive deliverable packager (ZIP-ready)
- ROI % calculation
- Cost reduction modeling
- Break-even & payback analysis
- Incident reduction forecasting
- Fogg B=MAT modeling
- Risk factor multipliers
- Trend analysis & correlation heatmaps
- Maturity threshold classification
- Config-driven scoring engines
- KPI framework design
- Governance structure modeling
- Multi-year milestone planning
- Media processing automation
- Workflow orchestration (ADDIE)
- Statistical evaluation (Kirkpatrick)
- Content validation pipelines
- Flask APIs
- Dash interactive dashboards
- D3.js visualization
- Executive summary generation
- Structured JSON/CSV exports
Assessment → Score → Visualize → Recommend → Present → Package
- Python Assessment Framework (config-driven scoring + maturity mapping)
- Realistic Dataset Generator (training, phishing, incidents, compliance, culture, surveys)
- Reporting Pack (executive + detailed reports + results JSON)
- Visualization Pack (bar + radar maturity charts)
- Presentation Pack (outline + talking points)
- Deliverables Packager (timestamped folder + ZIP bundle)
This lab represents a complete enterprise-grade security culture lifecycle checkpoint — the same style of quarterly/annual assessment used to:
- measure culture maturity using quantitative metrics
- generate executive-ready evidence
- identify priority gaps and targeted recommendations
- package artifacts for audits and stakeholder reviews
It’s a full workflow from data → scoring → maturity mapping → reporting → presentation → distribution.
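As an added illustration of the config-driven scoring and maturity-mapping step described above (my own example, not the lab's code), assuming a four-dimension weight table, normalization rules and level thresholds that I chose for the demo; only the end-point level names Initial and Optimizing come from the page:

```python
"""Config-driven security culture maturity scoring (assumed design, not the lab's code)."""
from dataclasses import dataclass

# Assumed configuration: per-dimension weights (must sum to 1) and level thresholds.
WEIGHTS = {"phishing": 0.30, "training": 0.20, "reporting": 0.25, "survey": 0.25}
# Initial and Optimizing are the page's end points; the intermediate names are assumed.
LEVELS = [(0, "Initial"), (40, "Managed"), (60, "Defined"),
          (80, "Quantitatively Managed"), (90, "Optimizing")]

@dataclass
class Metrics:
    phishing_click_rate: float   # fraction of simulated phish clicked; lower is better
    training_completion: float   # fraction of staff who completed training
    incident_report_rate: float  # fraction of simulated phish reported to the SOC
    survey_score: float          # culture survey mean on a 1-5 scale

def clamp(x: float, lo: float, hi: float) -> float:
    return min(max(x, lo), hi)

def normalize(m: Metrics) -> dict:
    """Map raw metrics onto a 0-100 scale where higher is always better."""
    return {
        "phishing": 100.0 * (1.0 - clamp(m.phishing_click_rate, 0.0, 1.0)),
        "training": 100.0 * clamp(m.training_completion, 0.0, 1.0),
        "reporting": 100.0 * clamp(m.incident_report_rate, 0.0, 1.0),
        "survey": 100.0 * (clamp(m.survey_score, 1.0, 5.0) - 1.0) / 4.0,
    }

def weighted_score(dims: dict, weights: dict = WEIGHTS) -> float:
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(dims[k] * w for k, w in weights.items())

def maturity_level(score: float, levels=LEVELS) -> str:
    """Highest level whose threshold the score meets; thresholds are ascending."""
    name = levels[0][1]
    for threshold, label in levels:
        if score >= threshold:
            name = label
    return name

def recommendations(dims: dict, floor: float = 70.0) -> list:
    """Dimensions below the floor, weakest first, seed the targeted action plan."""
    return sorted((k for k, v in dims.items() if v < floor), key=dims.__getitem__)

def assess(m: Metrics) -> dict:
    dims = normalize(m)
    score = weighted_score(dims)
    return {"dimensions": dims, "score": score,
            "level": maturity_level(score), "gaps": recommendations(dims)}

# Constructed sample quarter (not real data):
SAMPLE = Metrics(phishing_click_rate=0.12, training_completion=0.93,
                 incident_report_rate=0.55, survey_score=4.2)
```

Running `assess(SAMPLE)` on the constructed quarter yields a weighted score of 78.75, level Defined, with incident reporting flagged as the one gap below the 70-point floor.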
- Ubuntu 24.04 LTS
- Python 3.x
- Object-Oriented Modular Architecture
- Virtual environments (venv)
- pandas
- numpy
- matplotlib
- seaborn
- plotly
- scipy
- SQLite3
- CSV
- JSON
- YAML
- Markdown
- HTML
- OBS Studio
- FFmpeg / ffprobe
- ImageMagick
- Bash scripting
- Flask
- Dash
- D3.js
- HTML5 / CSS3
Human-Risk-and-Security-Culture-Leadership-Program/
├── 🔹 Human Risk & Behavioral Security Engineering (Labs 1–3)
├── 🔹 Security Foundations – Awareness, Risk & Benchmarking (Labs 4–8)
├── 🔹 Training Engineering & Evaluation (Labs 9–10)
├── 🔹 Security Awareness Engineering (Labs 11–15)
├── 🔹 Security Culture Engineering & Program Governance (Labs 16–20)
└── README.md
Each lab follows a consistent professional structure:
labXX-<name>/
├── README.md
├── commands.sh
├── output.txt
├── scripts/
├── reports/
├── troubleshooting.md
└── interview_qna.md
- ✅ Reproducibility
- ✅ Structured documentation
- ✅ Automation clarity
- ✅ Interview readiness
- ✅ Executive reporting alignment
| Phase | Capability Layer |
|---|---|
| Human Risk | Individual scoring & behavioral modeling |
| Awareness | Structured training engineering |
| Evaluation | Quantified impact measurement |
| Optimization | ROI & metric correlation |
| Governance | Multi-year execution frameworks |
| Maturity | Enterprise-level scoring engine |
This forms a complete enterprise security culture lifecycle model.
By completing this repository, the following core competencies were developed:
- Human Risk Quantification (KRIs, scoring models, maturity mapping)
- Security Culture Measurement (indices, benchmarking, weighted scoring)
- Behavioral Risk Modeling (likelihood mapping, intervention design)
- Training Lifecycle Engineering (design → delivery → validation)
- Effectiveness & ROI Analytics (Kirkpatrick L1–L4, business impact modeling)
- Compliance vs Impact Analysis (gap detection, correlation insights)
- Executive Reporting & Communication (summaries, dashboards, presentations)
- Program Governance & Roadmapping (KPIs, multi-year planning)
- Automation-Driven Reporting (JSON outputs, charts, packaged deliverables)
This reflects enterprise-level security culture program engineering — from measurement to executive-ready reporting.
Enterprise-grade, execution-first lab series focused on building and measuring security culture at scale — from human risk scoring to training engineering, impact analytics, ROI modeling, and maturity-based program assessment.
This is practical implementation — not theory-only documentation.
Every lab includes scripts, datasets, reports, dashboards, and troubleshooting notes.
This portfolio demonstrates capability in:
- Human Risk Engineering
- Security Culture Quantification
- Data-Driven Awareness Programs
- Executive Communication & ROI Justification
- Training Engineering & Automation
- Governance & Long-Term Program Design
It reflects real-world enterprise requirements:
- Justifying security budgets
- Measuring behavior change
- Aligning training to risk
- Demonstrating financial impact
- Reporting to executive leadership
All labs were executed in controlled environments and simulate realistic enterprise security culture workflows:
- Executive-ready measurement (KPIs, maturity scoring, board-facing summaries)
- SOC-aligned prioritization (risk scoring, CTI enrichment, triage matrices)
- Enterprise training operations (content pipeline, distribution, validation, monitoring)
- Behavior change programs (segmentation, interventions, trend tracking, ambassador programs)
- Financial justification (ROI modeling, incident cost reduction, productivity impact)
- Governance & sustainability (multi-year roadmaps, quarterly milestones, continuous reporting)
This is practical implementation — not theoretical awareness documentation.
This heatmap reflects practical, hands-on implementation across all 20 labs in Human Risk & Security Culture Engineering.
| Skill Area | Exposure Level | Practical Depth | Tools / Frameworks Used |
|---|---|---|---|
| 🧠 Human Risk Engineering | ██████████ 100% | KRIs, scoring engines, org-level risk prioritization | Python, SQLite, pandas |
| 📈 Security Culture Measurement | ██████████ 100% | Weighted maturity models, threshold mapping, benchmarking | YAML, JSON, matplotlib |
| 🔍 Behavioral Risk Modeling | ██████████ 100% | Fogg B=MAT implementation, likelihood → intervention mapping | Python OOP, statistics |
| 🌐 CTI Integration & Prioritization | █████████░ 90% | Multi-source ingestion, normalization, risk matrix generation | curl, CSV/JSON pipelines |
| 🎯 Risk Segmentation & Messaging | █████████░ 90% | Role-based scoring, AIDA messaging, audience targeting | pandas, automation scripts |
| 🎓 Training Engineering | █████████░ 90% | Content pipeline (record → process → distribute → validate) | OBS, FFmpeg, ImageMagick |
| 🏗 Instructional Design Systems | █████████░ 90% | ADDIE lifecycle orchestration, phase validation, persistence | Python modular architecture |
| 📊 Training Effectiveness Analytics | █████████░ 90% | Kirkpatrick L1–L4, paired t-tests, Cohen’s d, ROI metrics | pandas, scipy, matplotlib |
| 💰 ROI & Financial Modeling | █████████░ 90% | Incident cost reduction, payback period, break-even analysis | numpy, financial modeling logic |
| 📡 Compliance vs Impact Analytics | █████████░ 90% | Correlation modeling, gap detection, maturity classification | seaborn, statistical analysis |
| 📢 Communication Systems Engineering | █████████░ 90% | Email template engine, 12-month scheduler, engagement tracking | JSON automation, HTML |
| 🏛 Program Governance & Roadmapping | █████████░ 90% | 3-year roadmap generator, KPI tracking, milestone engine | Python reporting modules |
| 📊 Dashboard & Visualization Engineering | █████████░ 90% | Flask APIs, Dash dashboards, D3.js visualizations | Flask, Dash, D3.js |
| 📦 Automated Reporting & Packaging | █████████░ 90% | Executive summaries, structured exports, ZIP deliverables | JSON/CSV/TXT automation |
- ██████████ = Implemented End-to-End with Automation, Reporting & Validation
- █████████░ = Advanced Practical Implementation with Real Data & Outputs
- ████████░░ = Strong Working Implementation with Applied Context
- ██████░░░░ = Foundational + Applied Engineering Exposure
This heatmap reflects program-level engineering capability, not isolated scripting tasks — covering:
Risk → Behavior → Training → Metrics → ROI → Governance → Maturity
```bash
git clone https://github.com/abdul4rehman215/Human-Risk-and-Security-Culture-Leadership-Program.git
cd Human-Risk-and-Security-Culture-Leadership-Program
cd labXX-name
```

Each lab contains its own README.md with setup, execution steps, scripts, reports, and troubleshooting guidance.
All labs were executed in controlled Linux environments designed to simulate real enterprise security culture engineering scenarios.
Environment characteristics:
- Ubuntu 24.04 LTS (primary lab environment)
- Python 3.x + venv for reproducible tooling
- Local web stacks for dashboards and portals (Flask, HTML/CSS, D3.js)
- Structured data pipelines using SQLite + CSV/JSON/YAML
- Controlled datasets (generated/simulated metrics for safe experimentation)
- Repeatable automation workflows validated via reports, exports, and visual evidence
Outputs were validated using analysis scripts, dashboards, plots, and packaged deliverables to reflect production-style reporting quality.
This repository is designed to support:
- Security Culture Program Engineering (measurement → insights → action)
- Human Risk Quantification & Benchmarking (risk scoring, maturity models, KRIs)
- Security Awareness Training Engineering (content pipelines, lifecycle frameworks)
- Training Effectiveness & ROI Modeling (Kirkpatrick evaluation + financial justification)
- Executive Reporting & Governance (multi-year roadmaps, KPI tracking, status automation)
- Blue Team / SOC-aligned risk prioritization (CTI enrichment, triage-ready artifacts)
All models, datasets, dashboards, and automation workflows are intended for defensive security engineering and security leadership enablement.
Execute responsibly within authorized lab environments only.
All activities were performed:
- In controlled lab environments
- Using simulated or generated datasets
- For defensive, educational, and program engineering purposes
This repository is designed for:
- Security leadership development
- Culture program engineering
- Risk quantification research
- Training automation modeling
This repository reflects hands-on engineering of measurable security culture programs — not theoretical awareness slides.
From:
Risk → Behavior → Training → Metrics → ROI → Governance → Maturity
A complete strategic security culture engineering framework.
If this project provides value, consider starring ⭐ the repository.
Abdul Rehman
Security Engineering • Human Risk • Security Culture • Training & Governance Automation