The concept of Human Risk Management has been long in the making. In late 2019, when OutThink was first introducing this topic, it wasn’t part of plans or budgets for most cybersecurity leaders. In 2024, Human Risk Management has crossed from the fringe into the mainstream. Now, major vendors that swallowed up small human risk management players have rebranded themselves as HRM, repainting all their wares with a human risk management brush. As of the start of 2024, we have also been seeing some security awareness teams rebrand themselves as Human Risk Management teams. That’s how we know that HRM has finally arrived.
In this context, it’s important to understand what human risk management is, and what it is not. There is a lot of hype out there and to traverse the uncertainty gap as an industry, we need to be clear about implementation, required capabilities and where HRM can bring value.
Achieving a high level of human risk management maturity is gaining urgency for several reasons. The level of cybercrime continues to increase because of the sophistication of the criminal enterprises and nation states engaged in these activities. At the same time, the attack surface grows with every new technology the enterprise adds, be it new tools and apps, open source software, new cloud-based architectures, or even new ways of deploying poorly-protected legacy systems. The scale of the Security Team’s task is getting out of hand.
At the same time, the cost of incidents is also growing. This year’s Verizon DBIR found that the cost of ransomware doubled in the last two years. Cyber risk policies are becoming more limited as the impact of cybercrime grows. Security budgets have grown tremendously in the last several years, in some cases even reaching 10% of IT budget. But even with growing budgets, Security Teams can’t keep up, and at an enterprise level this spend is not sustainable.
Human risk management defined
Overall, human risk management simply means augmenting an organization’s awareness training and security culture program with behavioral analytics and with integrations into key user touchpoints, so that actual behavior can be both measured and controlled. The purpose of HRM is to take a customized, tailored approach in order to drive change towards secure behavior. The key components and practices of human risk management include:
- Human risk quantification – a way to score the multiple dimensions of riskiness at the individual employee level, then aggregated by department and business unit
- Behavioral analytics – a quantification of each individual’s attitudes and intentions towards secure behavior, including self-efficacy, intent to comply, and level of knowledge
- Behavior analytics – tracking and quantification of each individual’s past exhibited behaviors, such as prior incidents of forgotten passwords, DLP violations and faulty website visits
- Integrations to user access points – systems such as DLP, CASB, web filtering, IAM, email and productivity tools such as Teams or Slack
- Adaptive SAT – awareness training content is a core part of a good human risk management platform, and the training needs to use all the above quantification to tailor content to each individual
- User feedback collection – a modern HRM system provides ample opportunity for the user to report misalignment with security policy, or explain processes when policy impedes productivity
- Management console – the toolkit to manage training campaigns and audiences, to synthesize collected feedback, and to create analytics reports
Some of these human risk management components are tools and technologies; others are practices and processes. The Cybersecurity Human Risk Management framework, developed by the CHRM Forum, spells out these HRM components in more detail.
Human risk management as a scaling agent
This is where human risk management becomes an urgent matter. Leveraging the employee base is the only way to keep up with the size of the Cyber exposure problem. That means, of course, reducing the number of intrusions caused by humans carelessly clicking on links, but it also means collecting insights from colleagues in the business that can guide tools and processes and help stretch the security budget much further. Eventually, it means providing material that enables regular employees, such as accountants, executive assistants and vendor management specialists, to partner with Security in seeking out vulnerabilities.
Human risk management with conditional logic
Human risk management focuses on identifying and mitigating risks related to human behavior within organizations, such as those arising from employee actions, leadership decisions, and organizational culture. Some organizations are starting down the path of using human risk scoring as a means for determining access to data or level of urgency for the SOC to consider in incident response. There are many instances where the human risk score can be used appropriately, or misused by the security team. The best approach is always to position security and HRM as an enabler to the business. Risk scores can be provided to line managers with recommended actions, but final decisions should not be taken unilaterally by the security team. The HRM data provides context for the business, but should never be used in the abstract.
Human risk management and security policy
Human risk management is essential for protecting companies against risks like fraud, compliance breaches, and operational failures. Once the key components of HRM are in place, the security team will have a rich dataset to understand human behavior in their organization, feedback on their security policies, and the best path to use HRM and policy for fostering a positive organizational culture. To some extent, modern HRM practice brings security policy from the dusty corners of the company intranet back into live focus. By integrating HRM into their overall risk management strategies, businesses can better safeguard their assets and maintain operational resilience.