I’m a Human Risk Manager (I Think?)

Jun 03

John Scott
John Scott is the owner of Wildpark Security Consultancy which helps organizations improve security awareness, behavior, and culture. He formerly led security research at a Human Risk Management platform and ran the security culture program at the Bank of England for seven years. A SANS Certified Instructor, John trains global audiences on managing human risk and driving culture change. With 35 years as an IT trainer, he’s passionate about making complex topics accessible and categorically rejects the idea that “people are the weakest link.”

If you’re keeping any sort of eye on the bit of security where we look at how humans behave, you can’t help but think we're having a bit of an identity crisis. We used to be called Security Awareness, and that was fine, but then people started saying, “Well, awareness isn’t enough! We need to do more!” We then witnessed the rise of Human Behavior and Security Culture - all good things, and important. But none of those names really seemed to stick.

And now (as if we needed yet more terminology), we’ve started talking about Human Risk. More specifically, how professionals are now Human Risk Managers, not Security Awareness Officers. Human Risk was more dynamic, more powerful … in many ways more accurate. And that was it. We’re now decided. We are all Human Risk Managers.

Except.

There’s always an except, isn’t there?

Except, some people don’t like it. Why? Let’s start with some history.

History Lesson: On the Naming of Names

Way back towards the end of the last millennium (1996, if we’re going to be precise) the venerable National Institute for Science and Technology issued a Special Paper, numbered 800-50, which from here on will be NIST SP800-50. Or SP800-50. Or ‘that damn paper.’ In SP800-50 they defined the elements necessary for a good security awareness program.

First, they defined awareness. And since they largely came from an academic and technical background, they saw ‘Awareness’ as belonging to the learning space; so they asked learning developers. ‘Awareness,’ as defined by NIST, goes along with ‘Training’ and ‘Education’ as three different aspects of learning. It inherently includes behavior change because we all thought people were rational and assumed that as soon as they were aware of a risk, they’d do something about it. ‘Thinking Fast and Slow’ by Daniel Kahneman put the last nail in that particular rationalist coffin.

Jump forward 20 years to the mid-2010s and many people (myself included) were using the phrase ‘Awareness is not enough!’ We thought we should also be looking at behavior change, and then cultural change, to really impact our organizations.

Someone at NIST is saying “yes, we said that!”

Sadly, no one really listened to them.

Then, the field matured: not just awareness, but security more widely, and we all realized that cybersecurity’s role is to reduce risk for the business, not just protect things. Which meant that awareness, behavior change, and cultural change should all be risk related. More specifically, human risk related.


Which now makes us Human Risk Managers. Maybe.

Why Names Matter

Names are really important.

They’re one of the things that define us as humans. We’re a classifying species (as a trained librarian, of course I would say that). There are whole heaps of stories where knowing someone’s true name gives you power over them.

When we discuss what we are called as a profession, it matters. If you’re job seeking, how do you search for roles? That’s where Security Awareness has the benefit of history and familiarity, but also suffers from an image problem. Many people see Awareness as that stereotypical ‘mandatory e-learning’ or ‘Computer Based Training’ that happens once a year and doesn’t make a difference.

Cybersecurity Human Risk Management isn’t Security Awareness 2.0. It’s looking to do something different.

So, what is that?

Human Risk Management or Security Awareness?

There are a lot of people, especially vendors, trying to tell you that they’re doing Cybersecurity Human Risk Management. And that’s fine. They’ve got a product to sell that hopefully fixes problems and creates value. If you talk to enough of them, as I have, you’ll start to see the commonalities in what they’re talking about.

Here’s what I’ve learned, and how I define Human Risk Management (HRM):

  1. Data, not guesswork: ‘Awareness’ is a broad-brush tool – we look at past incidents and try and learn from them. As much as possible, HRM looks at real work data – it uses information from a variety of sources to monitor and track your colleagues in as near to real time as possible. It might look at Teams, Slack, Secure Mail Gateways, SharePoint – anywhere where people are using data or communicating.
  2. Actions, not beliefs: people’s beliefs, attitudes, and values about security can be a massive driver of your organization’s security culture. But they’re not directly part of human risk management, they feed into it. HRM looks at what actually happened. To a certain extent, it doesn’t matter why someone clicked on a link or misconfigured a cloud service. What matters is that they did. Because now you have a problem to solve.
  3. Specific, not widespread: Human Risk Management should use behavioral data to target and support the people who need it, not bother the people who are making secure decisions and behaving appropriately. Let them get on with it (but maybe use them as good examples).
  4. Fix first, train later: When the house is on fire, lectures about fire safety are less important than doing something, even if it’s just phoning the fire brigade. So HRM is about doing something. That might be firing off an alert to your security team or using IDAM systems to lock down risky files with PII in them.
    Training is important, don’t get me wrong. But it’s not a silver bullet that prevents people from committing errors. Even highly trained people get it wrong.
  5. Actionable feedback: I once fell for two phishing simulations in a row. But what was really useful was that the feedback I got was personal to me and actionable. It told me that my personal risk profile was basically ‘reading emails on the train in the morning’ and that’s exactly when I missed that they were both phishes. Now I know to focus more when I’m commuting in (and not read emails before coffee).
  6. More than phishing: We know that phishing (and all the other related social engineering ‘ishings’) is still the main threat vector for cyber criminals and fraudsters. But it’s not the only risk that our organizations face, and that means that HRM needs to look at other areas where we interact with technology, might make mistakes, or be susceptible to cyber criminals.
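The six principles above, worked through as a small triage routine. This is an added example, not the author’s or any vendor’s code; the event records, sources, weights, threshold and remediation mapping are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of behaviour events (assumed format, not from any real platform).
# Each record is something that actually happened (principle 2), where it was observed
# (principle 1: mail gateway, cloud config, SharePoint) and the circumstances, so that
# feedback can be personal and actionable (principle 5). Not everything is phishing (6).
EVENTS = [
    {"user": "alice", "source": "mail_gateway", "kind": "phish_click", "context": "morning commute, phone"},
    {"user": "alice", "source": "mail_gateway", "kind": "phish_click", "context": "morning commute, phone"},
    {"user": "bob",   "source": "cloud_config", "kind": "bucket_public", "context": "change made at 17:55"},
    {"user": "carol", "source": "sharepoint",   "kind": "pii_shared_external", "context": "link shared to gmail.com"},
    {"user": "dave",  "source": "mail_gateway", "kind": "phish_report", "context": "reported within 2 min"},
]

# Assumed weights; "phish_report" is secure behaviour and lowers the score.
WEIGHTS = {"phish_click": 3, "bucket_public": 5, "pii_shared_external": 4, "phish_report": -1}

# Principle 4 (fix first): events that need remediation before any training. Illustrative mapping.
IMMEDIATE_FIX = {
    "bucket_public": "alert security team; revert storage ACL",
    "pii_shared_external": "revoke external sharing link via IDAM",
}
SUPPORT_THRESHOLD = 3  # assumed: only people at or above this get targeted support (principle 3)


def score_users(events):
    """Sum event weights per user; returns {user: score}."""
    scores = defaultdict(int)
    for e in events:
        scores[e["user"]] += WEIGHTS.get(e["kind"], 0)
    return dict(scores)


def plan_actions(events):
    """Return {user: [actions]}: fixes for events that need them, targeted support only
    for people over the threshold, and an empty list for everyone else (leave them alone)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    actions = {}
    for user, score in score_users(events).items():
        todo = []
        for e in by_user[user]:  # fix first, regardless of overall score
            if e["kind"] in IMMEDIATE_FIX:
                todo.append(f"fix: {IMMEDIATE_FIX[e['kind']]} ({e['source']})")
        if score >= SUPPORT_THRESHOLD:  # specific, not widespread
            risky = [e for e in by_user[user] if WEIGHTS.get(e["kind"], 0) > 0]
            context, n = Counter(e["context"] for e in risky).most_common(1)[0]
            todo.append(f"support: {n} of {len(risky)} risky actions happened during '{context}'")
        actions[user] = todo
    return actions
```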

HRM as an Approach, Not Product

As a concept rather than a product, Human Risk Management is a way to help us hone in on the inevitable errors that people commit without putting more pressure on them. And doing so without annoying or inconveniencing the people who are already doing the right thing.

It’s not about making everyone care about security, it’s about supporting them in making the right decisions when needed and fixing the problems that need fixing as quickly as possible.

Working With the Human Factor in Cyber

‘Human error’ is a lazy response. If someone tells you that they’ve looked into an incident and the root cause was ‘human error,’ laugh at them. Human error is inevitable. Decades of research tell us that. Having humans in a system is an inherent risk.

But let’s be very clear about a few points to conclude:

  • Humans are why the systems exist. There isn’t an organization in the world that wasn’t built by people, for people. And we give people choices to make deliberately: to use their skill, judgement, and discernment to give us the best outcome. Sometimes, that means they’ll get it wrong.
  • All humans commit errors. That means you, security team. You’re not immune.
  • We don’t expect perfection from any other layer in our defenses. Why do we expect it of our end users? Any phishing email in my inbox has beaten all of your technical defenses. So why is it my fault if I click?
  • Human risk management shows us where risk exists in our organizations and gives us the tools to reduce that risk. It’s not about blame, it’s about helping our people be safe, and letting them get on with their lives and their work.

Life is risky by nature. Let’s help our humans manage it.
