User risk management watches where people can’t. If you polled a random sampling of employees at various organizations, most would probably consider themselves security-minded. They would argue that they are not actively sending sensitive data to malicious recipients, clicking strange links or downloading attachments from unknown senders.
This mindset is a good attribute, and should not be downplayed. However, those same employees may be putting companies at risk by accessing company data on a personal device running an outdated version of an operating system while connected to the public Wi-Fi. They may also have installed risky applications, repeatedly attempted to visit blocked sites on the corporate browser or attempted to log in from multiple unexpected locations.