Search
Free Trial

Hongke's latest articles

HongKe

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

[Hongke Solutions] From Passive Defense to Proactive Prevention: Easily Handle Annual Risk Assessments and Security Audits with KnowBe4

01. Introduction: Hong Kong’s “Protection of Critical Infrastructure (Computer Systems) Ordinance” Is Coming Soon

As 2026 begins, many CISOs and risk managers are facing the same headache: Sections 24 and 25 of the Critical Infrastructure (Computer Systems) Protection Ordinance require that computer system security assessments be conducted annually.Risk Assessment, have a safety check every two yearsReview...and a complete report must be submitted within the specified timeframe.
 
Sounds familiar, right? But in reality, these two requirements carry much more weight than you might think.
Article 24 does not simply call for “assessing whether there are any vulnerabilities”; rather, it requires you to systematically identify, analyze, and document threats and risks, and to monitor them on an ongoing basis. Article 25 further requires you to arrange forIndependent AuditorVerify whether your security management plan is actually in place and whether the controls are effective. In other words, you need to be able to demonstrateEvidence—Not speculation, not “I don’t think the risk is that high,” but solid, traceable, and verifiable data.
 
Most companies follow this approach: scan for vulnerabilities, write a report, submit it to the regulatory authorities, and call it a day. But this “check-the-box” style of assessment has a fatal flaw—It often overlooks the most difficult-to-quantify—yet most deadly—source of risk: employee behavior.The
The statistics are stark: more than 80% of cybersecurity incidents involve human factors—ranging from phishing emails and password reuse to the inadvertent sharing of sensitive data. Yet in many companies’ annual risk assessments, this area is completely overlooked. You’ll see “Technical Risk Rating: High,” but you won’t see “Employee Security Awareness Risk: Not Assessed.”
That’s why KnowBe4 is becoming a must-have for more and more companies on their journey toward compliance with Sections 24 and 25—it helps you transform “human risk” from an invisible, intangible black box intoA system that is measurable, improvable, and auditableThe

02. Core Value 1: Risk Assessment Becomes “Real”—Quantify Human-Induced Risks; Stop Relying on Guesswork

Blind Spots in Traditional Assessment

Traditional risk assessments typically ask:
  • Is there a firewall?
  • Has the system been patched?
  • Are backups performed regularly?
All of these are important, but they only address “technical risks.” They completely fail to address one critical question:How easily can your employees be deceived?
According to industry research, this figure typically ranges from 20 to 40%—meaning that roughly 1/5 to 2/5 of the people in your company will click on a phishing email. This is not a small number; it is aSignificant Risk GapThe
But the problem is that traditional assessment methods simply can’t accurately quantify this gap. If you ask employees, “Do you think you can spot a phishing email?” 99% of them will answer, “Sure, I’m very careful.” Then, when you actually send them a phishing email, half of them fall for it.

KnowBe4's Solution: Baseline Testing + Dynamic Scoring

KnowBe4 takes the most direct approach—Practical Application—To establish a baseline for assessing “human-induced risks”:
1. Initial Phishing Security Test
Before the formal risk assessment under Section 24 begins, KnowBe4 will send a wave of carefully designed simulated phishing emails to all employees company-wide. These emails are not random; they are crafted based on social engineering tactics commonly used in your industry—such as fake payment notifications, fake package delivery reminders, and fake requests for authorization from a boss.
 
Once the test is complete, you'll receive a clear report:
  • Company-wide Vulnerability to Phishing Attacks(Phish-prone Percentage): For example, 28%
  • Risk Distribution by Department: HR Department 15%, Finance Department 35%, IT Department 8%
  • Risk Distribution by Rank: General Employees 30%, Mid-level Managers 18%, Senior Executives 5%
This data corresponds to the “Probability of Human-Caused Threats” column in your risk assessment report.Firsthand evidence. And the key point is—this is real behavioral data, not survey data, so it’s far more persuasive.
2. Continuous Dynamic Risk Scoring
A single test does not constitute an assessment; only continuous monitoring constitutes management. KnowBe4’s intelligent risk scoring engine dynamically calculates a risk score for each employee based on the following indicators:
 
  • Did you click on the phishing email?
  • Have you completed the safety training course?
  • Has there been any improvement in performance during testing?
  • Should you proactively report suspicious emails?
Based on these factors, the system generates a visual “Employee Risk Distribution Chart”—you can clearly see how many people have moved from “high risk” to “medium risk” and then to “low risk.” This isThe best evidence of the trend toward risk reductionThe
For risk assessment reports, this means that you are not simply submitting a “snapshot of last year’s risks,” but rather demonstrating “how our risk management is continuously improving”—which is precisely the “continuous monitoring” required by Clause 24.

III. Core Value 2: Auditing with Confidence—Proving Through Practical Testing That Controls Are Actually Working

What Will the Auditor Ask?

The audit required by Article 25 of the CISO is not simply a “checklist.” Third-party auditors will ask in-depth questions:
  • You said the employees received safety training, so how come...Proof
  • You say there are risk control mechanisms in place—are these controls actually working?
  • Has the effectiveness of these controls been continuously verified over the past year?
Traditional companies usually respond, “Sure, we send out a PDF version of the *Employee Safety Manual* every year and have everyone sign to confirm receipt.”
Upon hearing this, the auditor frowned: “Signing to confirm does not mean the employee actually understands the content, nor does it mean the employee has changed their behavior.”
This is the challenge of the review process—you need to demonstrate not just “what was done,” but “what the results were.”

KnowBe4's Approach: Turning Testing into an Ongoing "Control Verification" Activity

In the eyes of auditors, what is KnowBe4’s strongest selling point? It’s not the number of training courses, but ratherA comprehensive, historically verifiable, and continuously updated set of “field-tested records”The
 
1. Standardized social engineering testing = “control testing” for audits
Article 25 of the CISO requires that security audits must include “verification of the effective operation of the security management plan.” What does “effective operation” mean? One of the most straightforward ways to assess this is through regular, realistic attack simulations.
 
KnowBe4’s approach is simple: it sends employees a round of phishing simulations every week or month. These simulations cover:
 
  • Common Banking & Financial Scam Emails
  • Procurement Fraud Involving Fake Suppliers
  • Authorization Request from an Impostor Claiming to Be the CEO
  • Fake Delivery / Shipping Confirmation Notifications
Each round of testing is recorded, and auditors can view:
  • Test Duration, Content, and Target Audience
  • How many people clicked on it, how many reported it, and how many fell for it and then underwent retraining?
  • Has the click-through rate improved between the two tests?
This isn't just "data"; it's"Real-Time Thermometer for Monitoring Effectiveness". Auditors will notice that it’s not just about saying, “We have a safety awareness program,” but rather demonstrating that “We conduct monthly practical tests of our employees’ defensive capabilities and adjust our training strategies based on the results.” These are two entirely different levels of persuasiveness.
2. Traceable Chain of Evidence
Article 25 of the CISO requires you to submit “written records” documenting how the audit was conducted. KnowBe4 can automatically generate audit-level reports that include:
 
  • Test Specifications: Specific parameters for each fishing test (send time, content, target audience, results data)
  • Risk Improvement Trend Chart: Use charts to illustrate the trend in improvements in employee safety awareness (typically a downward-sloping “good news” curve)
  • Department Benchmarking Table: Comparison of Risk Scores Across Departments
  • Personal Learning Record: Who completed which training, passed which tests, and achieved how much improvement
When auditors review this set of materials, they will think, “This company takes a very systematic approach to managing human-related risks; it’s not just a reactive effort.”

IV. Core Value 3: Simplified Reporting—Export Regulatory-Grade Documents with a Single Click

The Truth About the Cost of Time

According to feedback from many companies, the most time-consuming part of annual risk assessments and biennial audits is often not the technical work of “conducting the assessment,” but rather"Finding data, organizing data, and putting together reports"administrative work. A compliance assessment report typically requires reviewing multiple departments and systems to piece together a complete picture, a process that often takes 4 to 8 weeks.
KnowBe4 can reduce this time to just a few days.

KnowBe4's Built-in Reporting System

The platform includes over 60 built-in report templates, including:
 
  • Management Dashboard: The CEO and the Risk Committee can see at a glance the company’s overall security posture, key risk metrics, and improvement trends
  • Detailed Risk Assessment Report: May be submitted directly as the “Human-Induced Risks” section of the report under Article 24
  • Audit Readiness Report: By organizing your operations according to standards such as ISO 27001 and NIST, third-party auditors will immediately see which requirements you meet.
  • Department/Functional Analysis Report: Help managers from different departments understand where their departments' security vulnerabilities lie
All reports are availableExport to PDF or Excel with a single click...which you can embed directly into your evaluation document, eliminating the need for manual conversion.

The Legal Shield of “Having Done Everything Reasonably Possible”

Article 66 of the CISO mentions the concept of “due diligence,” which means that even if you do suffer a cyberattack, your liability will be significantly reduced as long as you can prove that you did everything in your power to defend against it.
 
This documentation system developed by KnowBe4 is your best legal defense to demonstrate that you have “exercised due diligence.” Because you can prove that:
  • We regularly assess human-related risks
  • We continue to conduct social engineering tests
  • We continuously optimize our training based on the test results.
  • We have a comprehensive record of improvements
This body of evidence can help you significantly reduce your liability in a subsequent review or even in legal proceedings.

Action Checklist: Three Steps to Start Today

If you’re a risk or technology manager who’s swamped with annual assessments and upcoming audits, consider these three steps:
Step 1: Baseline Assessment (to be completed this month) Schedule a free KnowBe4 demo to conduct a company-wide phishing baseline test. Spend just 30 minutes on deployment to get a clear snapshot of your organization’s human risk profile.
Step 2: Restructuring of the Assessment Report (to begin next month) Incorporate the baseline data into your annual risk assessment report, particularly in the “Threat Identification” and “Effectiveness of Existing Controls” sections.
Step 3: Ready for Review (Ongoing) Establish a monthly phishing test and training program so that when third-party auditors review it, they see aA dynamic, continuously validated security management plan, rather than a static, outdated document.

IV. CONCLUSION

Articles 24 and 25 of the CISO are not intended to increase your workload, but rather to urge you to:Shifting Safety Management from a “Reactive” to a “Systematic” ApproachThe
 
What is KnowBe4’s core contribution? It’s helping you establish a repeatable, verifiable, and improvable management system for the “human risk” dimension—the one that’s most easily overlooked. That way, when regulators or auditors ask, “How do you ensure your employees won’t become your biggest weakness?” you’ll have data, stories, and trend charts to back up your answer—rather than just saying, “We take this very seriously.”
👉 Take Action Now: Schedule a KnowBe4 assessment demo to complete a company-wide phishing baseline test in 30 minutes. Identify your human risk areas today and allow ample time for improvement ahead of next year’s assessments and audits.
Go toKnowBe4Product Page

Other Articles
Hongke Case

HongKe Solutions] Observability Budget Busting: How Redis + Grafana Saved Hong Kong Banks $1.4 Million in 2 Years?

Hong Kong Bank, troubled by the high license cost of Dynatrace, adopted Redis+Grafana to build an open source observable architecture in accordance with the TM-E-1 regulatory standards of the Hong Kong Monetary Authority. By adopting a hierarchical strategy of APM for the core system and metrics monitoring for the rest of the services, the bank maintains 70% of the monitoring performance, saving US$1.4 million in monitoring expenses over two years, and the report data can also satisfy the monitoring requirements.

Read more
HongKeTechnology June 5, 2026
close menu icon

Contact Hongke to help you solve your problems.

Let's have a chat