Synopsis
Verizon's Data Breach Investigations Report found that 74% of breaches involved the human element (2023 edition), and its 2024 edition reports that 68% of breaches involved a non-malicious human element, such as a person falling victim to a social engineering attack or making an error. Either figure alone is staggering.
As an industry, we need to do better. A shift needs to occur from thinking purely about risk and compliance to proactive, human-centric cyber security.
What actually is Human Risk Management (HRM)? Simply put, it is a concept that aims to reduce the cyber security risk posed by and to humans. Much of what HRM entails was previously known in the cyber industry as Security Awareness & Training (SA&T). The shift away was sparked by the recognition that SA&T is a more compliance-driven process, whereas HRM aims to be an “evidence-based method to train people and initiate policy interventions based on their risk profile (…) solutions focus on changing behaviors and promoting a security culture.” (Forrester, 2024).
Where does one start with HRM? Four key aspects of HRM need to be considered, as a bare minimum:
- Understanding your landscape
- Learning & development
- Policies & procedures
- Monitoring
These will each be explained in further detail as part of the conference paper and presentation.
Few people in the cyber security industry, on reflecting on these four aspects, would consider any of them irrelevant. Quantifying one's human risk can be a hard and confronting exercise, but the cost of not trying to quantify it is one that no one here would want to pay. HRM applies to everyone and needs to be incorporated into every CEO's vision and every CISO's deliberate strategy moving forward.
If an end-to-end HRM strategy is outside an organisation’s present scope and budget, reasonably-priced tools and free templates do exist, and even tending to one aspect at a time will represent a small step towards a more secure future.
Ultimately, the theme for this conference is "transform to evolve": unless organisations of every kind and size start thinking about how to manage their human risk in a way that is relevant to them, they will be left behind by those who do. All the best governance and compliance, the fanciest tech, and the most cutting-edge cyber security will never protect an organisation from itself.
“When perimeter technology fails, people must step up. Given the right conditioning, they will. They’ll unite to become a ‘Human Intrusion Detection System,’ a set of sensors intuiting threats your controls miss. It’s human intelligence, not the artificial variety.” (Cofense, 2019)