Cybersecurity Human Risk Management Forum Kicks Off in London
Apr 18
Lev Lesokhin Lev Lesokhin is an experienced business technologist, a former software developer, consultant, and tech executive. Having started his career at MITRE, Lev has had many touch-points with cybersecurity thought leaders over the years. In his current role as OutThink's Executive Vice President for Technology and Analytics, he works with customers and industry leaders to build a quantitative framework for evolving security awareness into human risk management.
This morning, under a lovely London sky, a diverse group of cybersecurity professionals gathered for a breakfast roundtable at The Exchange, a charming private room at the Andaz Liverpool Street in The City. Our purpose? To delve into the intricacies of the Cybersecurity Human Risk Management (CHRM) framework. This is the first in a series of many such work sessions. The room buzzed with energy as representatives from various esteemed organizations took their seats. Among the participants were BAE, Murphy Group, The University of the Arts London, Wawanesa Insurance, KPMG, and OutThink. The discussion was robust, fueled by steaming cups of coffee and flaky pastries.
Why is Human Risk Management so Important in Cybersecurity?
Human error remains the most significant cause of cybersecurity breaches, a fact that makes human risk management (HRM) an indispensable aspect of organizational resilience. As recent reports reveal, humans are responsible for 74% of all breaches, whether through negligence or malicious intent. This high-risk exposure emphasizes why CHRM needs to be treated like any other critical risk area—complete with metrics, assessments, and a long-term mitigation plan. According to Chris Madasheko’s ISACA article, reducing human risk requires more than awareness; it involves fostering a security culture where vigilance and understanding are embedded into every level of the organization. The CHRM Forum serves precisely this purpose: a collaborative space where cybersecurity leaders can jointly navigate the complexities of human risk and refine approaches to elevate security across their organizations.
Key Takeaways on Human Risk Metrics and Employee Engagement in Cybersecurity
We dissected the challenges faced in Human Risk Management, sharing insights, anecdotes, and innovative approaches. We reviewed the CHRM Framework that we’ve been building with industry participants, complete with its own maturity model. As part of this review, we touched on topics such as measuring cyber-risk exposure of personnel, quantifying the value (or ROI) of a security program, and convincing non-Security people to take ownership of the cybersecurity problem at least to some extent.
Good metrics help all employees and executives understand progress on such an abstract topic as cyber risk. Some of the key takeaways regarding metrics were:
Complex Metrics are a Challenge: Describing intricate, high-maturity metrics to the board remains a hurdle. Simplicity wins! It’s easier to explain completion rates and phishing simulation clicks.
Company-Wide Exposure Metrics: Focusing on broader company-wide exposure metrics provides a clearer picture of risk.
Hotspot Identification: We emphasized pinpointing hotspots—those critical areas where risks converge. Actionability stems from precise targeting.
General Awareness: An intriguing idea surfaced—one practiced by a large services firm—a counter in their lobby displaying the number of days since the last incident (not necessarily cyber-related). A visual reminder for all.
Implementing Human Risk Management Metrics
Establishing meaningful metrics is at the heart of HRM, and yet it remains an elusive goal for many organizations. While technical defenses can be quantified with relative ease, human-centric metrics—those that capture an employee’s engagement with security practices, for example—require a different approach. Several participants shared how simpler, more accessible metrics, like participation rates in phishing tests, provide valuable, actionable insights. Still, the need for more advanced metrics—ones that capture nuanced behaviors and map these to risk levels—was a recurring theme. For organizations aiming for high maturity in HRM, the ability to balance complexity with clarity in metrics is often the differentiator.
How to Foster Engagement in Human Risk Management
Driving genuine employee engagement emerged as an equally complex undertaking. The discussion reinforced that creating a culture of accountability and vigilance goes beyond mere awareness training. An idea shared by one participant, a long-standing proponent of human risk management, involved highly visible, everyday reminders that keep cybersecurity top of mind. Another participant noted the power of peer influence—where engaged employees set the tone for their colleagues. The consensus was that while frameworks and models are essential, the human element—the willingness of employees to internalize these practices—remains both the greatest challenge and the most crucial element in a successful HRM strategy.
Overcoming Challenges to Human Risk Management
Another challenge we covered was the business case for investing in CHRM: how to put a value on having lower risk exposure. One of the participants uses a sophisticated model that values risk using Monte Carlo simulations of potential cyber incidents and the likely cost of such incidents as cyber-resilience improves. Another participant described a model for valuing the impact of poor cyber hygiene on company revenue. We all know revenue gets everyone’s attention!
Lastly, we discussed the enormous issue of ownership and engagement from all employees, from the board to management to line workers. The consensus was that most of the companies we work with are full of people who don’t “get” why security is important. Examples of people bypassing controls are plentiful. There are companies among us that have been breached the same way multiple times. Each time there’s a breach, one would think behaviors would improve, but so often they just seem to revert to the mean. Getting the business engaged in the problem, that is, getting people to care, still remains the biggest obstacle to tackling that elusive human layer of our defenses. And while employee buy-in is widely acknowledged as essential, achieving it demands far more than compliance; it requires cultivating a mindset where security is a shared responsibility, valued across all levels of the organization.
Join Us at the Next CHRM Forum
The next installments in this discussion are being planned for the week of May 13th in NYC and then back in London the week of May 20th. Interested in advancing the conversation on human risk management in cybersecurity? Connect with us for updates on upcoming CHRM forums and insights from industry leaders.