User Risk in Cybersecurity: Exploring the Primary Driver of Modern Breaches
Margarita Rivera (Global CISO, Carnival Corporation) and Upasana Tripathi (Head of GRC, Verily) on how User Risk has evolved from phishing clicks to identity, access, behavior, and out-of-bound attacks spanning humans and AI agents.
Kaila: Hello, hello. Thank you all so much for being here today. Thank you to Margarita and to Upasana for joining us.
Today we are going to dive into user risk in 2026 — how it has evolved over the last ten years or so, how we define it now, and how we can best prepare our users to defend both themselves and their organizations.
We have Margarita Rivera here, the global CISO at Carnival Corporation and a member of the Dune Security CISO Advisory Board. We also have Upasana Tripathi, director and head of GRC at Verily, and a member of the Dune Cyber Risk and Awareness Council. Both are really integral parts of our community here at Dune and have helped shape how we have built the company and how we continue to serve the user risk community and the security leaders protecting the organizations we all care about.
Before we get started, I am going to hand it over to Margarita and Upasana to share a quick intro — a little background, something you find interesting about your work, and what brings you to this conversation today.
Margarita, I will hand it over to you first.
Margarita Rivera: Thanks so much for having me. It is an absolute pleasure to join this conversation around human risk.
My name is Margarita Rivera. I am the global CISO for Carnival Corporation. I have been here close to two years now, and I have been in the industry for a little over two decades, primarily focused on Fortune 100 and Fortune 50 companies across many different industries. I have seen the full transition from what was once called security awareness training to what is now coined human risk management. I am really excited to dive into the nuts and bolts of this, look at how organizations are facing these challenges today, and hopefully help everyone walk away with some new strategies and ideas. Thanks for having me.
Upasana Tripathi: Thank you, Margarita. I am really happy to be here. It is Women's Month, so it is wonderful to see this all-women panel.
I am Upasana Tripathi, director and head of GRC at Verily. Verily is an Alphabet company — a life sciences organization operating in a highly regulated environment. I have been here for about four years, and prior to this I spent many years in consulting, working with Fortune 500 and Fortune 10 companies across cybersecurity. It has been really interesting to see how human risk has evolved, especially now that we are living in such interesting times. I am looking forward to this conversation.
Kaila: Amazing, thank you both. And as you mentioned, it is Women's Month — we consistently have some of our best conversations with women in the security community. You are both such strong leaders in this space, so I think this is going to be a great discussion.
Before we get into how we can best prepare for user risk incidents this year, we need to define what user risk actually means. We have seen a real evolution in that definition over the last five to ten years. What used to mean phishing clicks and security awareness training has grown into a full layer of cybersecurity that looks at a myriad of social engineering vectors and crosses over into the insider threat space as well.
Margarita, can you speak to how you would define user risk today and what has changed in recent years?
Margarita Rivera: Sure. I think you gave a great introduction. It is no longer about whether someone clicked on a phishing link. It is really about the intersection of identity, access, and behavior, and how that intersection can materially impact an organization. It is not just did someone click, but once they clicked, what happened next? What behavior was driven? What access did they have? What were they able to do?
When we look at human risk, we have to recognize that the human element is the weakest link in the chain and one of the most unpredictable. The question becomes: how do we evaluate a person's identity, access, and behavior in order to make strategic decisions about how we best secure our environment?
Kaila: I love that. You touched on a lot of key points — how analytics are being drawn into this more, how we can take a data-centric approach versus the more qualitative approach we might have taken previously. Upasana, is there anything you would add to that definition of user risk?
Upasana Tripathi: I think it would be a miss not to talk about AI. When we say users, what do we actually mean? Users are no longer just humans. We have AI agents being introduced into environments, and they carry the same risk as human users — maybe even more. One reason for that is that AI agents are generally both highly privileged and highly capable. A human user may have a certain level of access or privilege without even knowing about it, but an AI agent can figure out what it has access to and act on it within hours.
So when we talk about user risk today, we really have to define who the user is. Non-human identities — including service accounts — need to be part of that conversation.
Margarita Rivera: You are so right, and I think we are going to see a real transition here. Where everything started with security awareness training, then evolved into human risk management, I see the next evolution being driven by AI and non-human identities. It really does come back to identity at its core.
Kaila: You both raised something we have been thinking about a lot — how do you define a user, and how do you factor that into your existing user population? There is the human user, and now there is the agentic AI user. There are a lot of open questions: do you assess a user's risk based on which AI tools they own? Is that risk split across multiple owners? What governance, risk, and compliance considerations do we need to factor into policy to protect the organization?
These are questions we think about often, and it will be interesting to see how behavioral risk scoring evolves as we begin monitoring more of those agentic behaviors over time.
Switching gears slightly — you both come from very different organizations. Carnival is a cruise line, but there is so much that goes into that: shoreside workers, people managing ports, people aboard the ships, everyone using different devices with different communication patterns. And Verily operates in health tech, with the distinct complexity of clinical workers alongside tech workers.
Margarita, starting with you, how do you approach the difference in user risk between someone who is sitting at a computer all day versus someone in a completely different operational role?
Margarita Rivera: It is definitely not one size fits all. When I first started in cybersecurity, it was one size fits all — pretty binary. As the industry has evolved, it has become clear that risk varies significantly based on role.
In the world of cruising, especially with so many different cruise lines under the Carnival Corporation umbrella, there are just so many different ways to look at this. Someone working shoreside is not the same as someone working aboard one of our vessels. And our ships are essentially floating cities — there are all kinds of things happening on board. You may have someone who never touches an email inbox but is operating our propulsion system or navigating the vessel using navigation systems.
As we embed controls from a user perspective, they have to be risk-based. Not everyone is created equal, and not all access is created equal — just as we apply the principle of least privilege when granting access. We look across all the people in the organization, determine who is highest risk, and ask: what do they need, how do we train them, how do we protect them, and what controls do we put in place to protect the most important assets?
The integration of security into workflows has to be seamless. It cannot slow things down or create friction. It has to be lightweight and easy so that people can continue operating effectively in the most secure way possible.
Upasana Tripathi: I completely agree. Exposure is not evenly distributed, and not all users carry the same risk. It is really important to identify who your risky users are and provide them with appropriate preventative and detective controls to limit exposure.
In a regulated environment like ours, that becomes even more critical — it is not just about keeping the environment secure, it is also about meeting compliance obligations. You have to understand which users can have the biggest compliance impact.
But fundamentally, what Margarita described applies across industries. Risk exposure is a combination of what access a user has, how deep their privileges go, and what type of behavior and environment they operate in. A remote user carries significantly different risk than someone who comes into the office every day and logs in from one machine. Being able to identify and score that — and when I say score, I do not necessarily mean a numerical score, but being able to identify who is at higher risk than others — is really important.
Kaila: I love that point. It reinforces what you both said: this cannot be one size fits all anymore. The old approach was to send out campaigns and training, make sure everyone checked off policies, and call it compliant. The landscape is very different now.
The responsible approach today is to identify your areas of highest risk, focus the majority of your time and resources there, make sure your lower-risk users are covered, and direct your energy toward the groups showing the biggest potential for breach or incident. Both of you come at this from different angles — Upasana from GRC, Margarita from the CISO seat. How do you set up your organizations and your teams to accurately identify those high-risk groups and then have the right resources to remediate that risk?
Margarita Rivera: I do not think Upasana and I are going to be very far apart on our approach here. Regardless of industry, you are going to have groups that are inherently higher risk because of what they do and the role they sit in — people on the IT side, in development, in HR, in finance. These are core groups within every organization that are automatically at higher risk simply by virtue of their function.
It ultimately comes down to access. How much access do they have to the most critical information? Understanding what your crown jewels are is what helps you identify who is at highest risk. Some people in your organization may not be particularly risky because of what they do day to day. Others — because of their visibility, their role, and their access — are going to be primary targets regardless of what industry you are in. From there, you get more granular within your specific organizational context. But at its core, it has always been about access, systems, and a risk analysis of which groups create the most exposure.
Upasana Tripathi: Totally agree. Identify your crown jewels, identify what is critical to your organization — that can differ between organizations, but the process remains the same. Identify the people who have access to those assets, identify the lateral movement risk, and protect for it. It sounds straightforward, but when you are actually living it, it is not easy.
Kaila: Thank you both. That is really helpful. I want to touch on what the response looks like when things go wrong. We have talked a lot about being proactive — but what about when we have to be reactive?
Let us focus on the user risk side. The issue was caused by a user, whether malicious, careless, or unaware. Walk me through what the first 24 to 48 hours looks like. What are the most important things you can do to address the incident at hand?
Margarita Rivera: There are a lot of assumptions embedded in this, but generally speaking, if we are dealing with a user-driven incident, one of the first things we want to do is isolate that identity. We want to invalidate any active tokens, suspend privileged access, and check for lateral movement. We want to quantify what data was accessed by going into our observability tools and understanding what that user touched and what it connects to.
Throughout those first 24 hours, we also need to notify legal and executive leadership and make sure everyone is apprised of the situation. The speed of identity containment is really what separates an incident from a crisis. Being able to identify who is impacted, understand the blast radius, isolate the affected identity, check for lateral movement, and hone in on the specifics — all of that is part of those first 24 hours.
Upasana Tripathi: I agree, and I think it applies across incident types regardless of how it happened. The first step is to stop the bleeding — contain the incident so it does not spread beyond what you can control.
Once it is contained, you need to understand the impact. In a regulated environment, that means identifying your notification obligations — who you are required to notify, on what timeline, and through what process. Sometimes that window is just a couple of hours. It is not purely a technical process at that point; it involves working with legal, privacy, and your customers, who may have very strict contractual requirements. So stop the bleeding, identify the impact, understand your obligations, and then go back and solve for why it happened.
Kaila: Great. Now let us look at a more specific scenario. Say an employee shares sensitive financial information with a malicious threat actor over WhatsApp — something that was not previously on your radar and that you did not have existing visibility into. It is discovered, it is documented as an incident. When you think about the long-term response: are you bringing this to the board? Are you educating the wider user group so they know how to prevent similar attacks in the future? Are you changing policy around how information can be shared? What are the key components of long-term change following an incident like that?
Upasana Tripathi: If it is something new, that is a signal that you probably did not have a control for it. A control can be implemented through policy, through technology, or through another mechanism — but the key point is that the incident gives you the opportunity to identify that gap and address it across the board, not just in one system. An incident retrospective is a real opportunity to strengthen your posture for the future. Performing that retro is so important because it helps you identify the root cause, and then that root cause gets translated into an organization-wide fix so it does not happen again.
Margarita Rivera: I completely agree. There is nothing more powerful than the lessons learned from going through difficult situations. If it is a new vector, there is tremendous opportunity to learn, to communicate upward, and to use that experience to change how we educate users and influence behavior. Never let a crisis go to waste. Even though it may be very uncomfortable to go through in the moment, there is always something to learn, something to implement, and something to leverage to help strengthen the organization. Every situation we go through — from the most minor to the most complex — teaches us something new.
Kaila: Never let a crisis go to waste — I love that. I am going to put that up in the office.
Now I want to think about what the biggest risks leading to an incident look like this year. Focusing on user risk and social engineering — we have a lot happening: AI-powered spear phishing that is growing more advanced, new vectors becoming more prominent including SMS, encrypted channels like WhatsApp, Signal, and Telegram, collaboration platforms like Slack and Teams, social media, and deepfakes over both voice and video.
That is a lot to manage. Which of these vectors are you most focused on from a testing and preparedness standpoint?
Upasana Tripathi: If you look at the evolution of how things are changing, early phishing attacks were mass distribution — generic, coming from obvious domains, targeting everyone the same way. That has fundamentally changed. Attacks are now highly personalized and context-aware. Attackers will look at your LinkedIn profile, figure out your role, your company news, and craft a targeted attack that feels completely real. And that can come through any channel — SMS, Slack, email, and deepfakes make it even harder to tell what is legitimate business communication versus an attack.
We are also seeing real-time attacks targeting hiring pipelines — fake profiles applying for jobs and making it through entire interview processes using real-time AI and deepfake technology. The way to tackle this is to build layered verification into your processes. Educating users is critical, but because it is getting harder to tell attacks from legitimate interactions, controls need to be layered. Least privilege is essential — and not just assigning someone a role because they work in finance, but restricting what that role can actually do so that when an account is compromised, the exposure is limited.
Margarita Rivera: I completely agree. I do not think the nature of the attacks has changed as much as the velocity has. AI is accelerating everything and making it much harder for security practitioners to keep up because things are shifting so quickly. At the same time, we have the same opportunity to leverage AI and other tools to secure our environments.
What I would caution against is getting so caught up in the hype cycle that we forget about the fundamentals. Identity continues to be critically important. Observability continues to be critically important. That is how we stay ahead and are actually able to detect and respond when situations arise. We have to be able to detect and respond faster than ever, because velocity is what we are working against.
Kaila: I love that both of you touched on agentic AI and how these tools open up new risk — both from the social engineering standpoint and from a general access and permissions perspective. Here is a challenge I hear from a lot of security leaders: you do not want to be the department of no. You do not want to be the person or team that is seen as blocking business growth because you are saying no to every new tool or technology.
How do you create a culture where security is the department of how, not the department of no, as technology continues to evolve rapidly?
Margarita Rivera: Honestly, that has been my platform for the last 20 years. I have never had the mentality of no. It has always been yes, and — how do we help our organization move as quickly as possible while being as safe as possible? We are in the business of creating guardrails so the business can move and innovate. And we also leverage that innovation to improve how we do security.
Going back to the topic of observability — really being able to see what is happening in the environment, educating people about the actual risks, and giving them clear guidance: here is what you can do, here is what you should not do, and here is why. I always make those parallels personal, because people care about their own information just as much as they care about company data. If you would not put company financials into a public AI tool, you should not put your own personal information in there either.
The goal is to make security part of the culture, part of the day to day, so that people understand the real risks. As security practitioners, our role is to illuminate that risk so people can make educated decisions. And when they do not make those educated decisions, we need guardrails to protect them from themselves. I always compare it to Formula One racing — I give them the seatbelts, I give them the safety structures, I give them the environment where they can move fast. But if they deviate from what they are supposed to do, that safety is built in.
Upasana Tripathi: So well said. People are going to use these tools whether security says yes or no. The only way to do this right is to provide an environment where they can be used safely — and by safely, I acknowledge we are still figuring out exactly what that means because the risks continue to evolve.
A few practical things that help: provide enterprise-approved tools where the legal review on contracts has been done and your data is not being used to train external models. Start with some skepticism — always have a human in the loop, start with a sandbox environment before pushing anything to production. And if a non-technical team wants to use a new AI tool, consider having a security engineer spend a few hours working alongside them rather than spending days reviewing it in isolation. That way the team gets to move fast and the security engineer ensures it is done safely.
Monitoring what is happening after deployment is equally important — having technology that can give you signals about whether data is leaving the organization or unexpected behaviors are occurring. And throughout all of it, limiting access. Granular, just-in-time access that is ephemeral rather than static, especially for higher-risk users, so that when something does go wrong, the blast radius is as small as possible.
Kaila: We talk about blast radius a lot here at Dune — thinking about the potential impact of actions and using that to inform decisions. I love that framing.
Something you both touched on that I think is really important is the open line of communication between security and the rest of the business. Once people assume they are not going to get a helpful answer from the security team, they stop asking — unless they absolutely have to. Being able to maintain that open relationship changes everything. Here at Dune, even as a startup, we have a direct line to our CTO, our VP of engineering, and our full security engineering team. When we want to try a new tool or process, we bring it to them — can you review this tool stack, can you review these processes, can we make sure we are setting it up correctly? That relationship matters enormously.
Before we wrap up, I want to leave everyone with something practical. If you had to give one key piece of advice to security leaders looking to protect their organizations today — from smaller companies to large enterprises — what would it be?
Margarita Rivera: A couple of things. First: it is no longer about who clicks, it is about who can truly act. Think beyond the click. And second: do not forget your foundational components. Security is defense in depth. Do not get caught up in the hype cycle and forget the basics — patching, vulnerability management, identity, visibility into your environment. Those fundamentals are what will sustain you as you navigate a lot of uncertainty.
Upasana Tripathi: Two things for me as well. First, get granular with access control. Just-in-time, ephemeral access instead of static privileges for higher-risk users. Least privilege means not just assigning a role, but restricting that role to only what is needed for a specific action, so that if an account is compromised, the exposure is limited.
Second, implement behavioral monitoring alongside positive guidance. There are two sides to this: monitoring behavior to detect risk, and providing real-time nudges when users are about to do something risky. If someone is about to send a sensitive attachment over email, a well-timed prompt asking if they really want to do that can make a real difference. Guide user behavior toward safer actions.
Kaila: We are as strong as our controls, and the more we can use the information we gather to protect users — starting with least privilege access and expanding based on demonstrated good behavior and good outcomes — the better positioned we will be.
Thank you both so much. You are both amazing, and I knew this was going to be a great conversation. I am really grateful to have you both here and to have you as part of the Dune community. I know you are both very busy, so thank you for your time today.
Margarita Rivera: My pleasure. Thank you.
Kaila: Thank you both. Have a great day and thank you to everyone who joined today. Our next webinar is on March 20th, and we will be diving deeper into the space of agentic AI risk — specifically looking at how these tools can be governed and regulated. We have Shelby Tallent joining us, who has built her own AI GRC department at Alaska Airlines for exactly this purpose. It is going to be a great session.
Thank you everyone. Have a great day.
User behavior is the leading driver of modern breaches, and the attack surface has grown far beyond the phishing email. Today's adversaries exploit identity, access patterns, and out-of-bound channels to reach the highest-privilege people in the organization, with risk that varies dramatically by role, behavior, and access depth, and increasingly extends to AI agents acting alongside human identities.
In this Women's Month conversation, Margarita Rivera of Carnival Corporation and Upasana Tripathi of Verily join Dune's Director of Growth on how attackers are weaponizing the human layer, why one-size-fits-all awareness programs miss the users who matter most, what the first 24 hours of a user-driven incident should look like, and how security teams can be the department of how instead of the department of no as AI reshapes the workforce.
Key Takeaways
- User risk has evolved from clicks to identity, access, and behavior. The question is no longer whether someone clicked, it is what they could do once they did. Modern user risk programs evaluate identity, the depth of privilege, and the behavior surrounding each action to make strategic decisions about how to protect the environment.
- AI agents and non-human identities are now part of the user population. Agents are often more privileged and more capable than the humans they sit alongside. Any modern definition of user risk has to include service accounts and AI agents, and any modern access model has to govern them with the same rigor as human identities.
- Risk is not evenly distributed, and controls should not be either. Identify the crown jewels, map the people and identities that can reach them, and concentrate the strongest controls and training there. One-size-fits-all awareness programs miss the small set of users whose compromise actually defines the blast radius.
- The first 24 hours are about identity containment. Isolate the identity, invalidate active tokens, suspend privileged access, check for lateral movement, quantify what was touched, and brief legal and executive leadership early. Speed of containment is what separates an incident from a crisis.
- Be the department of how, not the department of no. Provide enterprise-approved tools, embed security alongside the teams adopting them, and pair that with granular just-in-time access and real-time behavioral nudges so people can move fast inside guardrails the business actually trusts.