Beyond awareness: Human risk management is the new cybersecurity frontier
In this article, I will introduce the concept of human risk management (HRM), explore its implications, and discuss what may follow in the cybersecurity industry. I want to begin by emphasizing that every trusted source reports that more than half of all data breaches result from some form of social engineering attack. These attacks specifically target human nature — our tendency to trust, our desire to belong and our fear of exclusion.
Unfortunately, this trend is not decreasing. Because of this and several other factors, security awareness training is reaching a plateau for some organizations. We need an innovative approach for those organizations to continue minimizing the impact of human risk.
What is human risk management?
Human risk management offers a promising solution to the limitations of traditional security awareness. Its potential extends far beyond just improving risk assessments and training effectiveness. The true power of human risk management lies in its ability to fundamentally transform how organizations approach cybersecurity from a human-centric perspective. By breaking down long-standing barriers between technical security operations and awareness programs, we can pave the way for a more integrated, responsive and effective security ecosystem.
Strengthen security awareness with human risk management
Infosec HRM, powered by Right-Hand Cybersecurity, provides alert-based training nudges to minimize human risk at your organization.
Human risk management is a natural evolution of established security awareness training programs. To illustrate its importance, let me share a recent experience with a penetration testing client. This client, despite using a popular security awareness training product, performed poorly during our extensive social engineering and phishing campaign. When we investigated, we found a startling discrepancy: the critical targets we successfully phished had scored exceptionally well on their training simulations, assessments and education modules.
Intrigued, we delved deeper, examining their Security Information and Event Management (SIEM) dashboards and endpoint security data collected from the appropriate teams. The findings were eye-opening. The last five data breaches or successful real-world phishing attacks were primarily attributed to just three individuals: an executive, a senior HR manager and an IT director. Ironically, these same individuals had some of the lowest risk scores, according to the company's training.
The importance of real-world data
This case highlights a crucial issue: an individual's or company's performance in simulated scenarios may not accurately reflect their behavior in real-world situations — and not account for all the risky things a user might do in their daily activities. For instance, we discovered that the IT director frequently visited dark web sites to educate himself on emerging threats, inadvertently compromising his computer. This vital information was only available through the company's network security appliances.
The essence of human risk management lies in its ability to create a more comprehensive and accurate risk assessment and score by integrating real-time data from various sources such as SIEM, endpoint security solutions and network security appliances. By considering actual user behavior and system interactions, human risk management provides a more nuanced and realistic view of human-related security risks, enabling organizations to better protect their most vulnerable assets: their people.
This, paired with the integrations to popular collaboration and messaging platforms such as Microsoft Teams, Slack and others, allows for real-time training and “nudging” based on each user's real-world behavior and risk factors.
Human risk management applicability and value
Human risk management represents a significant evolution in organizational security strategy, addressing several longstanding issues. To understand its importance, we need to consider the following key points:
1. Untapped critical data sources
The impact of security awareness training is limited when it's disconnected from organizational data. Security teams possess a unique and valuable perspective on organizational behavior and risk, gleaned from data that other departments lack access to. Yet, this insight has remained untapped in conventional awareness approaches. Human risk management is a change in thinking that bridges this gap by creating mechanisms to leverage security teams' distinctive knowledge.
This approach transforms cybersecurity strategies by enabling personalized risk profiles, real-time adaptive learning and predictive analytics, all based on actual user behavior and security data. This not only addresses the shortcomings of one-size-fits-all awareness programs, but also promises measurable risk reduction and integration with existing security infrastructure.
2. The HR and compliance paradigm
Security awareness has traditionally focused on governance, risk and compliance, which makes sense given its organization-wide scope. However, as we shift to a world where actual behavior change is becoming critical, that focus is not enough. To do this more impactfully, we need to involve the wealth of knowledge held by security teams and security org data stores more directly in how we assess and steer end-user security.
While it would be ideal to have security teams directly involved in employee communications around security awareness, they are often too overwhelmed with their primary responsibilities. Additionally, they may lack the communication vehicles required to convert complex technical information into security awareness lessons for a general audience. This is where human risk management solution’s ability to ingest log, behavior and other critical data from across the security enterprise allows it to become most consequential and impactful.
3. The communication gap
HR teams often lack the technical expertise to incorporate security stack information into awareness programs. On the other side, security teams possess a wealth of unique knowledge and insights but often lack the time or resources to translate this complex information into formats easily consumable by traditional security awareness and training solutions. This gap between deep, technical understanding and practical, user-friendly training content often results in missed opportunities to enhance an organization's overall security posture.
4. The ideal scenario
Imagine if security awareness training could be informed by real-time input from cybersecurity team members, tailoring messages for everyone based on those individuals' actual work behavior. While this approach has clear advantages, it also risks introducing personal bias or unfair targeting if we had the security professionals doing this in real-time. It would also not be scalable. But what if we could automate this and take the human element out of it? Thanks to advances in artificial intelligence (AI) and other technology, this is now possible.
5. The human risk management solution
Human risk management bridges this gap and gets us close to the ideal scenario by automating the process. It integrates data from various security systems to create a more accurate risk assessment for everyone, minimizing the potential for human bias. This programmatic approach helps to ensure fairness and consistency.
6. The role of AI
As machine learning and AI (particularly prescriptive and generative AI) continue to advance, the effectiveness of human risk management solutions will only improve. These technologies will enhance the ability to analyze complex data and generate personalized, relevant security guidance.
Phishing simulations & training
Let's delve deeper into how human risk management is set to transform organizational security strategies and culture.
Breaking down barriers
For years, a disconnect has existed between the teams responsible for an organization's technical security operations and those managing security awareness programs. This divide may result in awareness training that, while well-intentioned, fails to address the most pressing and current threats faced by the organization. For example, we may watch awareness videos about not clicking on attachments in emails from folks we do not know while we are currently being targeted by a zero-click attack that does not require clicking or downloading at all.
Can you imagine the pain of a security professional working incident response on a breach due to a zero-click attack having to watch a slightly outdated awareness video that says you are “good” if you do not click on anything in malicious emails or text messages? They just spent an entire weekend recovering the company from an attack that proved that the advice in the awareness video is no longer 100% effective.
Note: For learning purposes, a zero-click attack can lead to your phone or computer being completely taken over from simply reading an email or text message. No requirement to download or “click” on anything in the message for the exploit to work. They have been successfully and stealthily attacking iPhones and Androids since 2011 and really became public around 2019. There was massive public awareness around it in 2021 when Citizen Labs released a devastating and thorough report about the tool. Read up on Pegasus spyware if you want to go down that rabbit hole.
But for now, let us list some of the things we get because of breaking down these barriers.
Real-time risk assessment
Human risk management systems continuously collect and analyze data from security tools such as SIEM, endpoint detection and response (EDR), and network security appliances. This real-time data provides insights into user behavior, system interactions and emerging threats. By incorporating this information into awareness programs, organizations can ensure that risk metrics, risk management, and awareness content remain relevant and responsive to the current threat landscape.
Personalized learning paths and awareness campaigns
With access to individual user behavior data, human risk management can tailor our remediations, risk scoring and training to each employee's specific risk profile. For instance, an employee who frequently accesses sensitive data might receive more intensive training on data handling protocols, while someone who travels often for work could get additional focus on secure remote access practices.
Adaptive content delivery
As human risk management systems detect new threats or vulnerabilities within the organization, they can trigger immediate, targeted awareness campaigns. This could mean pushing out quick, focused training modules or alerts to relevant employees, ensuring the workforce is always updated on the latest security concerns.
Behavioral analytics and intervention
By analyzing patterns in user behavior, human risk management can identify potential security risks before they manifest into actual incidents. This proactive approach allows for timely interventions, ranging from additional training to adjustments in system access privileges. This capability is the first gateway to Adaptive Security, an eventual goal of human risk management.
Measurable impact
With human risk management, the effectiveness of security awareness programs becomes more quantifiable. Organizations can track how changes in user behavior correlate with reduced security incidents, providing concrete evidence of the program's impact and areas for improvement. For example, I have seen organizations' risk scores improve significantly per their security awareness program metrics while their incident numbers due to phishing were steadily climbing.
Continuous feedback loop
Human risk management creates a constant feedback loop between security operations and awareness training. As security teams detect new threats or vulnerabilities, this information can be rapidly incorporated into training materials and used to create more applicable awareness training campaigns. Conversely, trends observed in user behavior during training could inform security operations about potential blind spots or areas needing additional technical controls.
Imagine being able to inform the security team that because of a specific pattern of behavior, there may be cause to configure the endpoint security agent used across the organization to now allow certain types of files — and then be pointed to a five-minute, hands-on practice lab to learn how to do that specific configuration based on your endpoint security solution.
Contextual learning
By integrating real-world scenarios derived from the organization's security data, human risk management makes awareness training more relevant and engaging. Employees can learn from anonymized case studies based on actual incidents within their organization, making the training feel more immediate and applicable to their daily work. The anonymization maintains privacy and avoids embarrassment.
Risk-based resource allocation
With a more accurate understanding of human-related security risks, organizations can allocate their security resources more effectively. This could mean focusing more intensive training and monitoring on high-risk individuals or departments while maintaining a baseline level of awareness for lower-risk areas. Additionally, this will lead to understanding the overall organization's risks in ways not possible before.
Compliance and reporting
Human risk management systems can automatically generate comprehensive reports demonstrating the organization's proactive approach to security awareness. This can be invaluable for compliance, showing regulators that the organization is taking a data-driven, risk-based approach to security awareness training and user behavior modification.
Cultural shift
Most importantly, human risk management has the potential to drive a significant cultural shift within organizations. Making security awareness an ongoing, personalized process rather than an annual checkbox exercise can help embed security consciousness into every employee's daily operations.
The impact of human risk management
The integration facilitated by human risk management represents more than a technological advancement; it is a fundamental reimagining of how organizations approach human-centric security. By breaking down the silos between technical security operations and awareness training, human risk management paves the way for a more holistic, responsive and effective security posture. This convergence ensures that employees are not just passive recipients of generic security information, but active participants in a dynamic, data-driven security ecosystem tailored to their organization's specific needs and challenges.
As this approach matures and becomes more widespread, we can expect to see a significant reduction in human-factor security incidents, a more security-conscious workforce, and more resilient organizations in the face of ever-evolving cyber threats, which will only evolve faster under the power of AI-based attack techniques. By providing a more holistic and data-driven approach to security awareness, human risk management promises better outcomes for both organizations and individuals. It allows for more targeted interventions, continuous improvement, and a security culture responsive to real-world behaviors and threats.
Once upon a time, firewalls, intrusion detection systems, endpoint security, windows event logs, network logs and data loss protection logs were all independently managed. The work to correlate all those different logs from all those dissimilar sources became too much. This is exactly what a SIEM does and exactly why it was created. With the invention of SIEMs, we could finally see patterns across many log sources that were indicative of attacks, whereas, without that correlation, the attacks would have gone unnoticed.
Human risk management will have a similar impact on the human side of security. SIEMs made the security around devices, traffic and other sources so much more valuable since we could look at everything in relation to each other. Human risk management does the same, making all that data, security and awareness training and risk scoring significantly more valuable by bringing them closer together.
Phishing simulations & training
Takeaways: Human risk management
As human risk management systems evolve, their impact on organizational cybersecurity will be profound and far-reaching. By supporting both technical and non-technical personnel, these systems will foster more resilient organizations equipped with tailored, timely security guidance. It will cultivate adaptive security cultures where best practices become deeply ingrained and responsive to emerging threats. Furthermore, it will improve team collaboration by providing a common framework for addressing human-centric security risks. CISOs and security leaders will gain unprecedented insights into human factors affecting their security posture, enabling data-driven, targeted security investments.
The future of human risk management extends beyond managing end-user risks to comprehensively addressing the human element across entire organizations. By facilitating bidirectional information flow and expanding its scope to include technical teams, human risk management will become an indispensable component of modern cybersecurity strategies, driving continuous improvement and organizational resilience in the face of ever-evolving threats.
Human risk management represents more than just a technological upgrade — it is a fundamental reimagining of how we perceive and manage human risk, turning what was once seen as the weakest link in security into a dynamic, adaptive strength. And I am thrilled to be here and be part of it.
Contact us to chat if you want to learn more about how human risk management can benefit your organization.