Moving the Discussion from Awareness to Managing Human Risk
From just about every security breach we read about nowadays to the latest security reports such as the Verizon DBIR, human risk continually comes to the top of everyone’s list of security breach risk factors. By “human risk,” we mean everything from people being actively targeted by cyberattackers to simple human errors or mistakes, like autocomplete in email sending a message to the wrong recipient. With the human element playing such a large role in risk today, you would think organizations would have a program to actively manage it. However, that is often not the case. While many organizations do have a security awareness program, far too often those programs are nothing more than a part-time effort with a compliance, check-the-box focus.

In the 2021 SANS Security Awareness Report, we found that:

  • Over 70% of awareness professionals spend less than half of their time on awareness;
  • Most awareness officers come from highly technical backgrounds. While such individuals understand technology and the problems, they often lack the skills and training to effectively engage and communicate the solution to their workforce;
  • Some organizations do not place the security awareness program under the security or risk management team, which is critical to providing the support and partnerships needed to effectively manage human risk. Common mistakes include positioning security awareness under legal, audit or compliance, which simply reinforces the program’s compliance focus.

Awareness is key to helping organizations manage human risk, yet many organizations still fail to truly adopt it. After working in this field for so many years, I see a key problem that is one of perception. Far too often, awareness is perceived as a communications initiative whose goal is to engage your workforce with impactful training. While all of that is true, it does not explain the why of awareness. Instead, we need to move the discussion from Security Awareness to Managing Human Risk. We are in many ways talking about the same thing, but Managing Human Risk is far better at aligning with leadership’s strategic priorities, and far more likely to engage them and gain their support. Think about it. Imagine you meet the CEO in the elevator, and she asks you what you do. You have 15 seconds to respond. What would you say?

  • I’m the Security Awareness Officer. I’m responsible for communicating to and engaging our workforce on cybersecurity so they are more secure and ultimately help build a stronger security culture.
  • I’m responsible for managing our organization’s human cyber risk.

Ultimately, both are correct. However, the first statement explains what awareness does. The second explains why we do it. Which statement do you think will resonate more strongly with senior executives? This is not merely a marketing issue but key to ultimately driving organizations to build stronger security programs. By shifting the conversation to managing human risk, we gain a better understanding of what we are doing and why. As a result, organizations begin to approach awareness programs differently. Instead of taking a communications/training focus and putting awareness under human resources, they move awareness to the security team to better align it with other security efforts. Instead of just identifying random topics and figuring out ways to gamify them, the awareness team works with the security team to identify and prioritize the top human risks and the key behaviors that manage those risks. In addition, awareness no longer operates independently of the security team but integrates with and assists other activities, such as security-related communications and policy development.

According to the Verizon DBIR, human risk has been the fastest-growing risk for organizations for the past several years. We are learning that technology controls can go only so far, especially as technology gets more and more complicated and integrated with people’s daily lives. Also, we have become so good at using technology to secure technology that we are literally driving cyberattackers to target the human. Awareness programs are a powerful additional control that security teams can use to better manage organizational cyber risk. But for that to happen, we have to move the discussion from a communications and training perspective to a true risk management perspective.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.