The Issues

Risk management and human behaviour are not new terms in the cybersecurity lexicon. When we think of risk, we immediately recall "vulnerabilities" and "threats". Put simply, a risk is the likelihood that a threat will exploit a vulnerability to cause a breach and, subsequently, harm to the organization. Over time, organizations have concluded that their most sensitive "vulnerabilities" are their own people. Some have responded by pinning humans down in their risk management strategies, enforcing controls that would not look out of place in a penitentiary. Others have stuck to traditional security awareness and training while hoping that superheroes will arise when serious problems occur.

Organisations use statistics to make crucial business decisions, and if the numbers show that up to 90% of data breaches are caused or influenced by human behaviour, the stigma is understandable. The major problem with their human-focused risk management efforts is that they have concentrated solely on training the workforce and counting that training as a compliance metric, whereas the adversaries they are up against are not just training but learning and practising.

What about outsourcing the effort? The problem with this approach is that the vendors themselves can mistake elaborate security awareness and training sessions for readiness to deal with whatever may come up. Most employees have a limited technical background, so getting Karen from finance past the point of being the weakest link in the organization will take much more than two ISMS or cybersecurity awareness sessions.

How, then, can an organization maintain reasonable defence in depth while making sure that its diverse workforce does not become the key that unlocks the gates in its walls?

Human Risk Management to Save the Day

Human risk management (HRM) has garnered quite a buzz recently, and understandably so. It moves beyond awareness alone to measuring, predicting and managing the risks associated with the behaviour and actions of the workforce. It is the process of identifying, evaluating and prioritizing human-centric risks so that strategies to reduce, monitor and control the consequences of those risks can be applied effectively.

This means that early indicators of potential vulnerabilities, and the risks they imply, are identified because individuals are, in effect, studied. Instead of depending solely on industry statistics, the organization can observe the actions of its own workforce and turn those observations into insight: mappings from specific behaviours (the vulnerabilities) to the threats that would exploit them and the resulting risks. The humans are no longer the villains but the avengers.

To understand how this approach contributes to an organization's security, the following components must be understood.

  • The workforce as the centre.
    Users are no longer stereotyped or merely expected to be aware of threats. Rather than being perceived as weaknesses, they become an integral component of the defence. They are categorised by the risks they are exposed to and addressed appropriately to lower those risks.
  • Data and analysis as the backbone.
    Research into, and an understanding of, each user's risk exposure forms the backbone of HRM. Users can be grouped into teams or studied according to their jobs and the tools they regularly use.
  • Risk reduction as the end goal.
    While traditional efforts aim to make the workforce informed enough to avoid risks and mitigate low-level compromise, HRM does that and more. Based on the findings, targeted education is given to users according to their specific risks, and by employing monitoring and, where appropriate, control instruments, each user learns how to protect what is entrusted to their care. The workforce becomes an essential part of the defence as a result.

Once these components are in place, a system must be set up to harness the data. A number of vendors offer this as a platform, and even though features vary, the basics remain the same. These basics include:

  • Identification: Identify users by their propensity for digital slip-ups that can lead to breaches. This provides information on each user's security habits, level of security comprehension, and likelihood of falling for social engineering or other attacks. Surveys, tests, records of user activity and similar sources can all be used.
  • Quantification: The indices for ranking users from riskiest to safest are defined here. There are several approaches, including considering the architecture of the organisation, the user's digital behaviour, and their role in the organization. Below is a basic example:
    Employee/Team | Role          | Understanding of cybersecurity                          | Assessment of digital behaviour (based on surveys, tests, user activity)                                                                          | Risk score (/10)
    A             | Payroll Admin | Security awareness trainings and ISMS outreaches only   | Prefers logging in to work applications on a mobile device while on the move; enjoys downloading movies from peer-to-peer websites on the same device | 8
    B             | IT Support    | Takes cybersecurity courses; base-level understanding   | Strictly uses the work-assigned computer for work-related activities only; uses personal devices for recreation                                   | 2

This is a simple example of quantifying the risk posed by individuals. It could be more elaborate depending on the scope of the organization and the method used by the platform.

  • Integration: Once a scoring system has been finalized, each user is placed on a training plan tailored to the identified risks. This step also involves setting up policies and procedures for users to follow when they encounter a threat.
  • Post-integration plans: After integration, it is crucial to report results continually and to review and improve the HRM effort. Set fixed periods for reflection and assessment. Consider the impact of machine learning and artificial intelligence on the threat landscape and make sure that existing efforts have not turned into Egyptian mummies.
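The quantification and integration steps above can be made concrete with a small scoring model. The following is an added example, not code from the article or from any HRM platform: the behaviour weights, per-role starting scores, training credits and remediation texts are all assumptions chosen so that the two employees in the table land on the scores shown (8 and 2), and the sample roster is constructed. It shows how a role base, observed behaviours and demonstrated understanding combine into a 0–10 score, how users are ranked riskiest-first, and how the score and the specific behaviours drive a tailored plan rather than a one-size-fits-all training session.

```python
from dataclasses import dataclass, field

# Assumed weights (illustrative, not from the article): positive values add risk,
# negative values reduce it. Unknown behaviours are rejected rather than silently ignored.
BEHAVIOUR_WEIGHTS = {
    "work_apps_on_personal_mobile": 2,
    "p2p_downloads_on_same_device": 3,
    "reuses_passwords": 3,
    "failed_phishing_simulation": 3,
    "dedicated_work_device": -1,
    "reported_phishing_simulation": -1,
}

# Assumed per-role starting score: roles with access to money, identity data or
# admin rights start higher because the same slip-up costs more in those seats.
ROLE_BASE = {"Payroll Admin": 3, "IT Support": 4, "Marketing": 1}

# Assumed credit for demonstrated understanding, subtracted from the raw score.
TRAINING_CREDIT = {"awareness_only": 0, "courses": 1, "certified": 2}

# Assumed remediation per risky behaviour, used to build the targeted plan.
REMEDIATION = {
    "work_apps_on_personal_mobile": "enrol the device in MDM or restrict work apps to managed devices",
    "p2p_downloads_on_same_device": "block P2P on any device that reaches work apps; malware hygiene session",
    "reuses_passwords": "password manager rollout; phishing-resistant MFA",
    "failed_phishing_simulation": "short phishing-recognition module; re-test within 30 days",
}


@dataclass
class Employee:
    name: str
    role: str
    training: str
    behaviours: list = field(default_factory=list)


def risk_score(emp: Employee) -> int:
    """Role base + behaviour weights - training credit, clamped to the 0..10 scale."""
    unknown = [b for b in emp.behaviours if b not in BEHAVIOUR_WEIGHTS]
    if unknown:
        raise ValueError(f"unscored behaviours for {emp.name}: {unknown}")
    raw = (ROLE_BASE[emp.role]
           + sum(BEHAVIOUR_WEIGHTS[b] for b in emp.behaviours)
           - TRAINING_CREDIT[emp.training])
    return max(0, min(10, raw))


def rank(employees):
    """Riskiest first; ties broken by name so the ordering is deterministic."""
    return sorted(employees, key=lambda e: (-risk_score(e), e.name))


def training_plan(emp: Employee) -> dict:
    """Integration step: a tier chosen by score plus one control per observed risky behaviour."""
    score = risk_score(emp)
    if score >= 7:
        tier = "targeted: monthly drills and device controls"
    elif score >= 4:
        tier = "quarterly refresher"
    else:
        tier = "annual baseline"
    actions = [REMEDIATION[b] for b in emp.behaviours if b in REMEDIATION]
    return {"score": score, "tier": tier, "actions": actions}


# Constructed sample: rows A and B mirror the table above, C is an extra case.
SAMPLE = [
    Employee("A", "Payroll Admin", "awareness_only",
             ["work_apps_on_personal_mobile", "p2p_downloads_on_same_device"]),
    Employee("B", "IT Support", "courses", ["dedicated_work_device"]),
    Employee("C", "Marketing", "awareness_only",
             ["reuses_passwords", "failed_phishing_simulation"]),
]

if __name__ == "__main__":
    for e in rank(SAMPLE):
        print(e.name, e.role, training_plan(e))
```

Two design points carry over to a real deployment: the clamp keeps a very exposed user from dominating a report, and rejecting unknown behaviour labels stops a typo in the data feed from quietly lowering someone's score. Re-running the same functions at each post-integration review gives the trend line the article asks for.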

Conclusion

In conclusion, security awareness and training are distinct from, and indeed constituents of, human risk management. HRM changes an organization's security culture by helping it visualize how the behaviour of its people affects its journey to the light at the end of the tunnel. By assessing, quantifying and properly handling each risk, the organization can be confident that its workforce is not just secured but is part of the security.
