#Infosec2024: Why Human Risk Management is Cybersecurity’s Next Step for Awareness


In cybersecurity, despite ongoing warnings about the sophisticated tactics of threat actors, human behavior remains one of the primary entry points for attackers. This realization has given rise to the concept of human risk management (HRM), which emphasizes targeted, intelligence-guided interventions to improve security practices.

The significance of human risk factors was underscored in Verizon’s 2024 Data Breach Investigations Report (DBIR), revealing that 68% of all breaches in 2023 involved a non-malicious human element.

While cybersecurity awareness training has long been a staple in organizations, issues persist due to human errors, such as falling prey to phishing emails by clicking on malicious links.

John Scott, Lead Cyber Security Researcher at CultureAI, points out that people are prone to mistakes, often influenced by factors like time pressure or external demands. Recognizing this reality has led to the development of HRM, which aims to proactively identify individual risks and implement targeted interventions.

How Human Risk Management Enhances Cybersecurity:

Traditional security awareness training imparts knowledge about cybersecurity risks but falls short in training reactions and habits. HRM focuses on understanding actual employee behaviors across the organization to pinpoint cyber risks and provide timely coaching to correct them.

This approach avoids training fatigue and encourages employee engagement by delivering relevant interventions tailored to individual behaviors. Instead of imposing directives, HRM employs nudges to alert employees to potentially insecure actions, allowing them to make informed decisions.

These nudges are designed to prompt employees to reconsider their actions, such as questioning the sharing of sensitive information on public platforms like Slack. Additionally, combining nudges with security processes that facilitate secure choices enhances cybersecurity practices.

Implementing Human Risk Management Effectively:

Automation technologies play a crucial role in gaining visibility into workforce activities, offering a comprehensive overview of risks across the organization. Integration of HRM platforms with various data sources ensures continuous monitoring of human risks and facilitates timely interventions.

Continuous updates and integration with new technology capabilities are essential for HRM programs to remain effective. Insights from HRM can inform targeted awareness training, enabling organizations to tailor training content and exercises to address specific vulnerabilities observed among employees.
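As an added illustration that is not from the article or any vendor's product, the following constructed toy shows the loop described above: behavioral events from several sources run through rules that emit advisory nudges and a per-user risk score, which in turn selects who gets targeted training and on which topic. Every event, rule weight, threshold and name is invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape an HRM platform might ingest from
# a chat integration and a phishing-simulation tool (all values invented).
EVENTS = [
    {"user": "alice", "kind": "chat", "public": True,
     "text": "FYI the staging db password is changeme123"},
    {"user": "alice", "kind": "chat", "public": False,
     "text": "the staging db password is changeme123"},
    {"user": "bob", "kind": "phish_sim", "action": "clicked"},
    {"user": "bob", "kind": "chat", "public": True, "text": "lunch at 12?"},
    {"user": "carol", "kind": "phish_sim", "action": "reported"},
]

# Crude credential detector: a secret-ish keyword followed by a value.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|api[_ -]?key|token)\b\s*(is|:|=)\s*\S+")

def shares_secret_publicly(e):
    return e["kind"] == "chat" and e["public"] and SECRET_RE.search(e["text"]) is not None

# Each rule: (predicate, training topic, risk weight, nudge text).
# Nudges are advisory prompts to reconsider, not blocks; good behavior lowers risk.
RULES = [
    (shares_secret_publicly, "data_handling", 5,
     "This looks like a credential in a public channel; consider a secret manager instead."),
    (lambda e: e["kind"] == "phish_sim" and e["action"] == "clicked", "phishing", 3,
     "That link was a simulation. Check the sender domain before clicking next time."),
    (lambda e: e["kind"] == "phish_sim" and e["action"] == "reported", "phishing", -2,
     "Thanks for reporting, that is exactly the right call."),
]

def assess(events):
    """Apply every rule to every event; return per-user score, nudges and topic tallies."""
    profiles = defaultdict(lambda: {"score": 0, "nudges": [], "topics": defaultdict(int)})
    for e in events:
        for predicate, topic, weight, nudge in RULES:
            if predicate(e):
                p = profiles[e["user"]]
                p["score"] += weight
                p["nudges"].append(nudge)
                if weight > 0:
                    p["topics"][topic] += 1
    return profiles

def training_plan(profiles, threshold=3):
    """Select users whose accumulated risk warrants targeted training, with the dominant topic."""
    return {user: max(p["topics"], key=p["topics"].get)
            for user, p in profiles.items() if p["score"] >= threshold and p["topics"]}

if __name__ == "__main__":
    print(training_plan(assess(EVENTS)))  # {'alice': 'data_handling', 'bob': 'phishing'}
```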

Innovative approaches to mitigating cyber threats that target human behavior will be a focal point of the Infosecurity Europe conference program, scheduled for June 4-6 at ExCeL London. Attendees can register to take part in discussions and workshops aimed at strengthening cybersecurity practices in the face of evolving threats.

Source: infosecurity-magazine.com