Rethinking Security Awareness: Towards a Cybersecurity Human Risk Management Framework
May 23
Lev Lesokhin Lev Lesokhin is an experienced business technologist, a former software developer, consultant, and tech executive. Having started his career at MITRE, Lev has had many touch-points with cybersecurity thought leaders over the years. In his current role as OutThink's Executive Vice President for Technology and Analytics, he works with customers and industry leaders to build a quantitative framework for evolving security awareness into human risk management.
Yesterday morning, May 22, 2024, a steadfast selection of security experts gathered for the second meeting of the Cybersecurity Human Risk Management Forum. The attendees included heads of Security GRC, security awareness leaders, and cybersecurity professionals who recognize the challenges of today’s human risk management approach and are eager to see it reimagined.
It didn’t hurt that the meeting took place in a private room at the Sky Garden, atop the locally-famous Walkie Talkie building in London. The discussion was robust and colorful. Here are some of the key points from this roundtable.
The Status Quo: Why Security Awareness Needs a Human Risk Management Approach
Current security awareness training methods are widely viewed as punitive rather than educational. Employees often regard mandatory training videos as a form of punishment. This sentiment underscores a broader issue: the current approach to security awareness is ineffective and indefensible.
The cybersecurity landscape is stuck in a time loop, facing the same challenges it did two decades ago. Despite regulatory requirements pushing industries like banking toward advanced cybersecurity measures, many organizations still lag. For example, one bank faced a $250 million fine for failing to manage human risk effectively, with an uphill remediation battle costing as much as $1 billion—highlighting the immense cost of regulatory compliance and subsequent improvements.
However, a compliance-centric focus can stifle genuine engagement and innovation, trapping organizations in a checkbox mentality that prioritizes legal cover over meaningful security improvements. One delegate went so far as to say they wished security were not a compliance requirement at all!
The Business Case for Cybersecurity Human Risk Management
Incidents and their root causes offer valuable insights into the effectiveness of current controls and training. By conducting root cause analyses (RCA) on all incidents, organizations can identify common causes, many of which stem from human error. This approach allows for targeted interventions and the implementation of more effective controls.
Additionally, the cost of time wasted on generic training is staggering. For instance, if 100,000 employees spend two hours each on irrelevant training, it equates to a significant financial drain. Shifting focus to training tailored to specific business risks and behaviors can yield better results and higher engagement. After all, if training is irrelevant to me, how much attention will I really pay?
Key Challenges in Implementing Human Risk Management
Many security teams, especially outside large financial institutions, are understaffed and under-resourced. For small to medium enterprises, the sophistication level in cybersecurity is notably low. To address these gaps, a Cyber Human Risk Management (CHRM) framework needs to be simple, consumable, and provide clear guidance on best practices.
According to participants of the Cybersecurity Human Risk Management Forum, human error and negligence are the most common factors in cybersecurity incidents, emphasizing the need for a streamlined and effective CHRM approach.
Enhancing Engagement with Adaptive Security Awareness Training
Engagement is the lifeline of any security awareness program. Making the content personal and relevant can significantly increase attention and retention. For example, training that helps employees protect their families may have a higher impact than generic corporate training.
Incentives and punishments can also play a role:
Employees with good risk postures could be granted more freedom, such as continued use of personal devices or social media at work.
Conversely, high-risk individuals might need additional training or face restrictions until they improve.
A major issue is the lack of a common engagement metric. Without a standardized way to measure and improve engagement, it’s challenging to identify high-risk individuals and provide them with the necessary support.
Prioritizing Critical Security Controls to Mitigate Human Risk
Organizations must prioritize security practices based on impact. Often, a small number of processes account for a large portion of company revenue. Identifying and implementing the most critical security controls is essential. For example, out of 3,000 lines in the ISF Standard of Good Practice, only 30 security controls might be necessary, with 15 being important and just 5 critical.
Leveraging Internal Influencers to Improve Cybersecurity Practices
Internal influencers can play an important role in identifying and reporting security issues. However, this can be a politically sensitive topic. Exposing flaws in security controls can lead to backlash from those who designed or audit these controls. A culture that supports and protects these influencers is vital for fostering a proactive security environment.
As noted in TechTarget's tips for building a cybersecurity culture, empowering these individuals as ambassadors can amplify the impact of security initiatives across the organization. By normalizing training and recognition, internal influencers can help bridge the gap between the security team and employees, encouraging the adoption of secure behaviors.
Building a Framework for Cyber Human Risk Management
The delegates in this session agreed that the cybersecurity industry lacks a standardized, systematic approach to managing human risk. There’s a need for a consistent, methodical framework that prioritizes actions and ensures effective implementation. The proposed CHRM framework aims to address these gaps, bringing structure and coherence to the management of cybersecurity human risk.
By adopting a structured CHRM approach, organizations can move beyond mere compliance, fostering a security culture that is engaging, effective, and resilient. For further insights into the benefits of the Human Risk Management framework, check out the OutThink Research Labs report. You can also subscribe to our newsletter and follow us on LinkedIn.