Developed by: SINTEF

Human and Organizational Risk Models


Human and Organizational Risk Models (HORM) is a formal language for specification and visualisation of customer journeys and service processes.

CJML is centred around humans and human activities, regardless of their role being a customer,  employee, user, or patient (as depicted in the Figure below).

Examples of customers

Human and Organizational Risk Models differs from other diagrammatic languages in two principal ways:

  1. It models the service process from the user’s point of view
  2. It aims at being intuitive for all users, and does not require a technical background

HORM consists of terminology, diagrams, methods and tools. The basic concepts of the language are customer journeys and touchpoints. (see Figure below)

Customer journey and touchpoints

HORM is well suited for detailed and unambiguous modelling of user journeys and service processes that extends over time, being mediated by different communication channels.

Human and Organizational Risk Models addresses the detailed interactions between

  • a user and one or more service providers
  • or a network of users and service providers (C2C, B2C, B2B2C etc)

Human and Organizational Risk Models describes service processes in two states :

  1. The hypothetical state (planned journey)
  2. In a real context in a real context (actual journey).

Figure below shows an example of those two states.

Example of a journey

HORM consists of terminology, diagrams, methods and tools. The basic concepts of the language are customer journeys and touchpoints.

At present, Human and Organizational Risk Models is available as

  • MS office templates
  • stencils (Visio and OmniGraffle)
  • graphical elements in bitmap format (png) or vector format (svg)

The aim is to develop a software tool for visualization and validation of CJML models


The Human and Organizational Risk Models (HORM) is used to model and visualise human behaviour and work processes in terms of user journeys, i.e., it is centred around the human activities and interactions throughout a process. A HORM model shows the actor’ steps (in terms of actions and communications) throughout the process. The models are used to illustrate hypothetical or real situations, for example best practices, but can also represent previous cyber attacks or situations to avoid.

This tool will be used to address human- and organisational aspects and more generally to contribute to increase awareness of cybersecurity risks, vulnerabilities and attacks. The Figure below shows a high-level overview of the various components, which will be continuously improved in regular updates. The catalogue of scenarios consists of generic models and SME-specific models relating to the validation scenarios. In its current form, HORM consists of an initial collection of cybersecurity scenarios, templates (Microsoft PowerPoint and stencils in Microsoft Visio) and the graphical elements (bitmap and vector format).

Component architecture – tools for Human and Organizational Risk Models (dotted lines represent future elements)

Throughout the project, HORM will make use of various diagram types that serve different purposes. As an example, the journey diagram may be used to emphasize a deviation from best practices or vulnerability associated with a certain user (employee) behaviour.

HORM aims at a broad user group in the SMEs to set the focus on the human element and errors made by employees. A module for training will be provided, in the form of workshops with the SME partners. Furthermore, an online module for training of new users will also be developed.

Currently, we develop software stencils in an open-source format to support diagramming with HORM, but we also consider developing a HTML5-based software tool for visualisation and validation of models.