By Javvad Malik, lead CISO advisor at KnowBe4
In the relentless battle against cyber threats, organisations have poured billions into advanced technologies – firewalls, intrusion detection systems, endpoint protection. Yet the alarming truth remains: depending on which industry survey you read, the human element is implicated in anywhere from 68% to 90% of security breaches. This isn't a call to point fingers, but a moment for introspection. In an age where employees are perpetually busy, often distracted, and increasingly remote, simply "raising awareness" with generic, compliance-driven training is no longer enough. The traditional playbook, focused only on technology or infrequent training, leaves a critical strategic gap. Closing that gap is the job of human risk management (HRM).
Hacking Human Nature
Cybercriminals are no longer just hacking systems; they are hacking human nature. They exploit our innate desires to be helpful, our respect for authority, our fear of missing out, or simply a fleeting moment of distraction. These social engineering tactics, now amplified by AI, make it difficult for even the most vigilant employee to spot a threat, especially when traditional detection technology often falls short.
Shifting to a Human-Centric Approach
This reality demands a fundamental shift from a siloed, reactive approach to a holistic, human-centric one. HRM is not merely a rebranding of security awareness and training (SAT); it’s a strategic, continuous process that integrates technology with an understanding of human behaviour. It’s about recognising that people inevitably make mistakes and building a resilient organisation that protects itself by proactively addressing human-derived risk.
The Limitations of Traditional Security Awareness and Training
An effective HRM strategy must be built on a clear understanding of behavioural science. Traditional SAT often suffers from a lack of engagement, generic content that fails to address specific roles and risks, and a persistent “awareness-action gap.” Knowing a policy doesn’t guarantee its application under pressure, especially when cognitive biases like authority bias, optimism bias, and familiarity bias are exploited by attackers.
Core Principles of Modern Human Risk Management
A modern HRM approach embraces several core principles:
- Identify Weak Spots: Comprehensive risk assessments are essential to understand individual vulnerabilities and behaviours.
- Personalisation: Training and interventions must be tailored to the specific threats and learning needs of different teams and roles.
- AI and Automation: Intelligent technology is crucial for scaling the approach, personalising interventions, and deriving data-driven insights.
- Risk Quantification: HRM is an iterative process. Measure behaviour, refine interventions based on those metrics, and express the result as a defensible, quantifiable human risk score that can be tracked over time, per person and across the organisation.
- Making Policy Human: Policies should be clear, empathetic, and relevant, designed with user experience in mind.
- Leadership Engagement: Executive sponsorship is vital to underscore the strategic importance of HRM.
- Remembering the Human Touch: While technology is powerful, personal coaching and fostering a sense of shared responsibility remain indispensable.
The DEEP Framework
To structure this approach, a conceptual model such as DEEP (Defend, Educate, Empower, Protect) is a useful scaffold. Defend focuses on technical safeguards that minimise the attack surface. Educate equips employees with the knowledge and skills to recognise threats. Empower cultivates a positive security culture and provides user-friendly tools that make the secure choice the easy one. Finally, Protect covers robust response plans that limit the fallout from mistakes and feed what is learned back into the other three pillars, creating a continuous loop of improvement.
Implementing HRM
Implementing such a comprehensive strategy requires an integrated HRM platform, which provides the scale, data integration, and automation that fragmented point solutions cannot. Platforms like KnowBe4's HRM+ are designed to operationalise the DEEP framework, using AI for personalised training, advanced email security, automated incident response, and real-time coaching. A critical component is individual risk scoring, which enables targeted interventions and lets you demonstrate measurable reductions in aggregate risk to stakeholders. Because the aim is coaching rather than blame, a person's score should drive the support they receive, not punishment; a score that staff learn to fear quickly stops being an honest signal.
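To make "individual risk scoring" concrete, here is an added example of a hypothetical per-user human risk score. It is not KnowBe4's HRM+ scoring, nor any vendor's published method; the event weights, role multipliers, baseline, half-life and risk bands are illustrative assumptions, and the sample events are constructed, not real data. What it shows that the paragraph does not is how recent behaviour (a credential entered on a simulated phishing page, a training module completed, a phish reported) can be combined into a score that decays over time, and how per-user scores roll up into the aggregate figures you would report to stakeholders.

```python
"""Illustrative per-user human risk score with time decay.

Added example: a hypothetical scoring model, not KnowBe4's HRM+ scoring or any
vendor's method. All weights and thresholds are assumptions; the sample events
below are constructed, not real data.
"""
from datetime import date

# Event weights: positive values add risk, negative values reduce it (hypothetical).
WEIGHTS = {
    "cred_entry": 40,      # entered credentials on a simulated phishing page
    "phish_click": 25,     # clicked a simulated phishing link
    "phish_report": -10,   # reported a simulated phish to the security team
    "training_done": -15,  # completed a role-targeted training module
}
# Roles with a larger blast radius weigh more (hypothetical multipliers).
ROLE_MULTIPLIER = {"admin": 1.5, "finance": 1.5, "staff": 1.0}
BASELINE = 20          # nobody is zero risk; a user with no events sits here
HALF_LIFE_DAYS = 90    # an event's influence halves every 90 days


def decay(days_ago: int) -> float:
    """Exponential decay so stale events fade and recent behaviour dominates."""
    return 0.5 ** (max(days_ago, 0) / HALF_LIFE_DAYS)


def user_score(events, role: str, as_of: date) -> int:
    """Score in [0, 100]. events: iterable of (date, kind) pairs."""
    contribution = sum(WEIGHTS[kind] * decay((as_of - day).days) for day, kind in events)
    score = (BASELINE + contribution) * ROLE_MULTIPLIER[role]
    return int(round(min(100.0, max(0.0, score))))


def band(score: int) -> str:
    """Coarse band used to choose the intervention (thresholds are assumptions)."""
    if score >= 60:
        return "high"      # e.g. one-to-one coaching plus tighter technical controls
    if score >= 30:
        return "medium"    # e.g. targeted micro-training
    return "low"           # e.g. routine simulations only


def org_summary(users, as_of: date) -> dict:
    """users: {name: (role, events)}. Returns per-user scores plus aggregates."""
    scores = {name: user_score(events, role, as_of) for name, (role, events) in users.items()}
    return {
        "scores": scores,
        "mean": sum(scores.values()) / len(scores),
        "high_count": sum(1 for s in scores.values() if band(s) == "high"),
    }


# Constructed sample events (not real data).
USERS = {
    "alice": ("finance", [(date(2024, 6, 20), "cred_entry"), (date(2024, 6, 25), "training_done")]),
    "bob":   ("staff",   [(date(2024, 6, 1), "phish_report"), (date(2024, 4, 2), "training_done")]),
    "carol": ("admin",   [(date(2024, 3, 22), "cred_entry")]),
}
AS_OF = date(2024, 6, 30)
LATER = date(2024, 9, 30)   # same events, one quarter on: everything has decayed

if __name__ == "__main__":
    for when in (AS_OF, LATER):
        s = org_summary(USERS, when)
        print(when, {u: (v, band(v)) for u, v in s["scores"].items()},
              "mean=%.1f" % s["mean"], "high=%d" % s["high_count"])
```

Two design points worth noting. First, decay applies to good behaviour as well as bad: with no new events, a low-risk user such as bob drifts back towards the baseline, which is the right signal for a programme that wants continuous engagement rather than a one-off training pass. Second, the role multiplier makes the same mistake cost more for a finance or admin user, which is how the score stays tied to impact on the organisation rather than to the individual alone.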
Human Risk Management as a Strategic Imperative
Managing human risk is no longer a soft skill or a secondary concern. In an era of AI-powered attacks and ever-increasing digital interaction, it’s a strategic necessity. By transforming the human element from a potential liability into a strong and reliable layer of defence, organisations can achieve true cyber resilience and tangible operational and financial returns.