What Is Human Risk Management?

Sebastian Salla Published: December 06, 2024

Human Risk Management (HRM) is an approach to risk mitigation where organizations focus on the human aspect of cybersecurity. By adopting HRM, organizations look at the world from their employees’ perspectives, mapping out the everyday behaviors, decisions, and actions that could impact the organization’s overall cybersecurity posture.

At its core, HRM involves shining a light on why humans behave the way they do. It delves into the psychology behind these behaviors and the factors that influence them, such as cognitive biases, stress, workload, morale in the workplace, and much more. By thoroughly understanding these psychological factors, the root cause of human risk in the workplace can be addressed with meaningful and targeted solutions.

Why Is Human Risk Management Important?

The importance of HRM is driven by two key factors: cybercriminals' perception that humans are the weakest link, and the disproportionately heavy investment that organizations typically make in technical security measures. Because of these factors, humans have become the primary target of cybercriminals while simultaneously receiving the least investment from an organizational security standpoint. Let's explore these factors further.


Human Security Is Evolving

In the context of cybersecurity, the idea of HRM is a relatively new concept. It's essentially an evolution from security awareness, which focuses on education, to a holistic defense strategy, which covers human behaviors, decisions, and actions. Because of this evolution and the fact that many organizations are lagging in the implementation of HRM, cybercriminals have a perception that humans are ripe for exploitation, which means they are increasingly popular targets.


Technical Security Is Mature

The tools, systems, and processes for implementing technical security controls are relatively standardized and mature. In many cases, technical security is there by design, with many operating systems now having some form of protection built in at no additional cost. Because of this, exploiting technical vulnerabilities has become increasingly difficult, making humans a more favorable and accessible target for cybercriminals.

Common Human Risk Management Initiatives

The key to HRM is coming at it from multiple angles, such that your organization is both consciously and subconsciously influencing the day-to-day behaviors, decisions, and actions of its employees. A range of HRM initiatives can be employed as part of this, with the most common outlined below:

Use Visual Reminders

By using cybersecurity posters, infographics, and desktop wallpapers, employees can be subconsciously reminded of their cybersecurity obligations without interrupting their day-to-day activities.

Define Clear Policies

By clearly defining and distributing cybersecurity policies, employees are provided a clear benchmark of what the organization considers acceptable behaviors, decisions, and actions.

Personalize Training

Providing secure code development training to a non-technical employee is a waste of their time. Training needs to be personalized based on an employee's role and skill level.

Introduce Gamification

For humans, competition is in our DNA, and the great part about gamification is that it introduces competition by reinforcing positive cybersecurity behaviors, decisions, and actions.

Send Monthly Newsletters

The tools, tactics, and techniques that cybercriminals use to exploit humans are constantly evolving. By sending a monthly cybersecurity newsletter, you can make employees aware of these changes.

Simulate Phishing Attacks

Practical experience will always trump theoretical knowledge. By periodically simulating phishing attacks, you can give employees first-hand experience with how phishing attacks look and feel.

Developing A Human Risk Management Strategy

A human risk management strategy needs to cover seven foundational components. Let's outline what these components are and what should be covered:

  1. Purpose, Requirements, And Scope

     The purpose, requirements, and scoping section of an HRM strategy needs to clearly outline what problem HRM is attempting to solve, how it's attempting to solve it, and who it applies to. By answering each of these questions, you're essentially declaring why HRM is important to your organization.

  2. Formal Training Activities

     By outlining formal training activities, you set the benchmark for the expected level of knowledge that employees must retain while working at the organization. This section needs to cover expectations for new starters, general employees, and also those employees who perform specialized functions that introduce additional cybersecurity risks (e.g., credit card handlers, privileged users, software developers, etc.).

     It's important to identify all forms of direct and indirect training in this section, along with the frequency they're performed (e.g., new starter training conducted within 14 days of employment, phishing simulations conducted quarterly, etc.).

  3. Employee Compliance Obligations

     This section needs to clearly outline compliant and non-compliant behaviors, along with the outcome or consequence of repeated non-compliance. A strategy without any enforcement isn't worth the paper it's written on. When outlining what the organization determines to be non-compliant actions and the consequences of these actions, you're actually telling the employees just how important this strategy is and why they need to follow it.

  4. Employee Engagement Measurements

     Measuring employee engagement provides a way to track how effective certain HRM activities are while also identifying which employees need additional training. There are a variety of measurements that can be taken, but at a minimum, this section should identify how gamification is implemented and measured, how employee skill levels are measured, and how human risk is measured.

  5. Roles & Responsibilities

     Different stakeholders have different responsibilities when it comes to minimizing and managing human risk. In this section, the HRM strategy should clearly outline which team or person holds overall accountability for ensuring the strategy is followed, what the responsibilities of people managers are, and what the responsibilities of individual employees are.

     This section helps to ensure the strategy is properly enforced while also providing employees with key information about who might be asking them to perform certain activities.

  6. Supplemental Information

     In this section, the strategy should outline all supplemental information that any employee needs to know so they can participate in HRM activities to their fullest extent. Examples of what might be included in this section include a schedule for employee non-compliance, a schedule of gamification metrics, skill level calculations, and human risk calculations.


Practical Tips To Implement Human Risk Management

While implementing human risk management may seem like a daunting task, it doesn't have to be. Here are some quick, actionable tips any organization can follow:

  • Start small and progressively evolve: You don't need to try and deploy every HRM strategy all at once. Start with what works for your organization first, ideally prioritizing based on the perceived return on investment.
  • Ensure policies are accessible and actionable: Ensuring every employee has access to the relevant HRM policies isn't enough. You need to make sure every employee knows where they are and that HRM applies to them. Sending quarterly reminders is a good way to reinforce this.
  • Foster a no-blame cybersecurity culture: Instead of blaming an employee for a cybersecurity incident, such as them falling victim to a social engineering attack, research the root cause and whether there are lessons learned for both the organization and employee alike.
  • Ensure cybersecurity is consistent from the top down: Employees like to model their actions based on the actions of the executives above them. Setting one standard for executives and another for the general employee base sends the wrong message and hinders HRM adoption.


Frequently Asked Questions

What's The Difference Between Security Awareness And Human Risk Management?

Security awareness primarily focuses on cybersecurity education, whereas human risk management is a holistic approach to addressing human-related cybersecurity risks. Security awareness is often one component of many different human risk management initiatives.

Who Is Responsible For Human Risk Management?

Human risk management is the responsibility of every employee in an organization. Each individual needs to take accountability for their own behaviors, decisions, and actions. That said, executive management, typically by delegation to the Chief Information Security Officer (CISO), is ultimately accountable for ensuring employees are empowered and equipped to handle emerging cybersecurity threats.

What's The Best Way To Communicate Human Risk To Executives?

Human risk management needs to be communicated to executives with a clear picture of costs and benefits. Wherever possible, try to use quantifiable outcomes with forecasted expenditures to showcase this.

For example, you could communicate the need to conduct monthly phishing simulations by outlining the costs to procure and maintain a phishing simulation tool, alongside the cost savings made through a reduction in risk to social engineering attacks. Use third-party studies and research papers to add weight to proposals such as this. This approach can then be extended across all aspects of human risk management.