The Future of Security Awareness: Integrating Human Risk and Security Awareness
There is an old but well-known saying: “humans are the weakest part of your network.”
While there is some truth to this, in 2024 Mimecast’s Masha Sedova stated that analysis of their data sets showed that 8% of employees were responsible for 80% of security breaches.
It’s time to revisit how we view individuals in the context of information security. With the right training, resources, and strategies, individuals can actually become the strongest line of defence for any organisation.
Key Takeaways
- Human Risk Management (HRM) reframes employees as your strongest defence, not the weakest link, by addressing behaviour, bias, and culture in cybersecurity strategy.
- 8% of employees are responsible for 80% of breaches — highlighting the urgent need for targeted, behaviour-focused training.
- HRM combines behavioural science, risk assessment, and psychological insight to help reduce security incidents caused by human error or pressure.
- Training must shift from one-size-fits-all to tailored, role-specific education, supported by simulations, feedback loops, and positive reinforcement.
- The B=MAT model (Behaviour = Motivation + Ability + Trigger) can be applied to influence secure behaviours and embed security culture at every level.
Current Security Awareness
For years, information security awareness training has been treated like a box to check off, similar to health and safety training. Employees often see it as just another task to complete, regardless of whether they truly grasp or engage with the material. Many are too busy, facing tight deadlines, or simply uninterested in a training program that feels irrelevant to their daily work.
How often have you noticed employees tuning out when cyber security is mentioned?
But it doesn’t have to be this way. Information security awareness can be engaging and vital to an organisation’s risk management strategy. To achieve this, we need to move beyond traditional training methods.
Organisations should look to implement a framework and strategy that leverages varied learning formats, from newsletters and posters to interactive simulations and gamified experiences. Organisations should also embrace a concept that has been growing over the last few years: human risk management.

What is Human Risk Management (HRM)?
Human Risk Management (HRM) offers a new perspective on the role of human behaviour within organisations. Rather than focusing solely on technology and operational risks, HRM emphasises understanding human actions and the risks they bring. By incorporating psychological insights and risk management practices, HRM enables organisations to transform their workforce from a potential vulnerability into a formidable defence.
Research consistently shows that human error is a significant factor in security breaches. Yet human behaviour is often overlooked in risk assessments and security planning; where it is addressed at all, it is normally covered by a “catch-all” statement.
HRM fills this gap by acknowledging that human behaviour, biases, decision-making processes, and the organisational culture all play crucial roles in shaping the maturity of the security posture.

Key Elements of Human Risk Management
To create an effective HRM strategy, it’s essential to grasp the key factors that influence human behaviour and their impact on organisational security. Let’s explore these areas and how they can enhance your security practices.
Understanding Human Behaviour: The Core of HRM
Grasping human behaviour is fundamental to HRM. You don’t have to become a psychologist or clairvoyant, but understanding that each person in an organisation perceives and manages risks differently is very powerful. This behaviour is influenced by personal biases, experiences, and the organisational culture. Behavioural science is vital for analysing and predicting these responses.
One example is cognitive bias: overconfidence, or the tendency to overlook minor risks, can lead to poor decisions and security breaches. By using HRM strategies to identify these biases, organisations can implement safeguards to mitigate their effects.
Guidance
Behavioural Training:
Shift from compliance-focused training to programs that highlight common psychological biases and demonstrate how they can inadvertently expose the organisation to risk.
Simulation Learning:
Use realistic scenarios to help employees recognise and respond to security threats in real time, allowing them to practice what they’ve learned in a safe environment.
Formalisation of Processes and Procedures:
Having clearly defined and documented processes, procedures, and checklists outlines how tasks should be performed and assists employees in ensuring they are executing their responsibilities correctly. If employees are deviating from the documentation, it is essential to review the processes for potential inefficiencies and errors.
Spotting Human Vulnerabilities
Many organisations have considered the human element when performing risk assessments. However, this is not always recorded, and where it is, it is commonly attached to a technical or operational control or system.
HRM advances the assessment of human-related vulnerabilities. Traditional risk management typically focuses on the risks associated with straightforward errors, such as clicking on a phishing email. However, it often overlooks more human-centric vulnerabilities, such as the tendency to ignore security protocols when under pressure.
Once these vulnerabilities are identified, HRM strategies can be developed to address the associated risks.
Guidance
Regular Risk Reviews:
Conduct reviews to evaluate human risk factors, such as compliance with security protocols and common security mistakes. This helps pinpoint areas needing training or policy updates.
Employee Involvement:
Encourage employees to report any potential vulnerabilities they observe in the workplace or their departments. By fostering a proactive culture of risk identification and recognising individuals for their contributions to this process, overall security can be matured.
Management Understanding:
The pace of business is accelerating rapidly, which will heighten the demand for quicker task completion. It is crucial for managers and team leaders to recognise that exerting pressure on teams can increase the risk of errors, potentially resulting in security breaches.

Managing Human Error
Errors are inevitable; however, it is essential to analyse and understand the root causes to prevent future occurrences. It is important to shift the focus away from assigning blame to individuals and instead concentrate on the processes and other factors that may influence behaviour.
Guidance
Root Cause Analysis:
It is important to concentrate on the factors and triggers that prompted the behaviour. Utilising tools such as lessons learned sessions and post-mortem reviews can help identify the underlying reasons for human errors, whether they arise from process deficiencies, insufficient training, or elevated stress levels.
Implement Corrective Actions:
Once errors are identified, take corrective measures, which could include process changes, providing additional training, increasing resources or other controls to reduce stress, or implementing technical controls.
Build Resilience and Adaptability Through Continuous Learning
HRM also fosters organisational resilience through adaptability. In the modern business landscape, where security threats are constantly evolving, organisations must ensure their employees can quickly adapt and identify new risks.
Guidance
Cultivate a Learning Culture:
Invest in continuous security education that adapts to emerging threats, encouraging employees to consistently enhance their skills, knowledge, and understanding.
Transition from a one-size-fits-all approach to information security training and implement tailored training that addresses the specific risks associated with individuals, teams, and departments.
Create Adaptable Security Practices:
Develop security protocols that can be swiftly reviewed and adapted in response to newly developed and observed threats and the tactics, techniques, and procedures (TTPs) behind them. Organisations can further enhance these by allowing team members to engage with developing practices that directly affect their daily tasks and empowering them to suggest changes and provide feedback.

Influencing Human Behaviour: The B=MAT Model
A key principle of HRM is understanding how to influence human behaviour to improve security. The Fogg Behaviour Model (B=MAT) is a behaviour model for persuasive design. Research by BJ Fogg outlines a straightforward equation that can help organisations shape behaviour.
According to this model, behaviour is a product of three factors:
- Motivation: The desire to act
- Ability: The capability to act
- Trigger/Prompt: The cue that initiates action
While organisations can’t directly control individual behaviour, they can influence the factors that lead to desired actions. By addressing motivation, ability, and triggers, organisations can create a more secure environment.
Motivation: Fostering a Security Culture and the “Why”
Motivation is a large and complex part of behaviour, one I can only scratch the surface of here, so please do explore this topic further.
Although employees need to be motivated, in some way, to care about security and more specifically the security of your organisation’s information, this goes beyond mere compliance. It’s about helping them understand how their actions impact the organisation, their colleagues, and themselves.
It’s essential to ensure that the message is both personable and aligned with the organisation’s culture. While many employees may not feel directly motivated by the organisation experiencing a breach, the potential implications of redundancies or other negative effects on their colleagues or customers can change the narrative significantly.
Guidance
Clear Communication:
Regularly emphasise the importance of security and how each person contributes to protecting the organisation. Recognise and reward employees who demonstrate good security practices.
Personal Impact:
Ensure that employees see how following security controls affects their own work, their team, and their job satisfaction, making security more relatable and less abstract.
Ability: Arming Employees with Skills
Employees must feel confident and capable of handling security threats. This means providing them with the right tools, training, and resources. By providing these resources to employees and ensuring their actions are adequately supported, we can empower them to engage in more security-focused behaviours.
This is not just a measure of an individual’s ability and capability to perform actions and duties, but also a measure of how complex these actions and processes are to perform. How many times have you said or heard “water follows the path of least resistance” when talking about information security?
Guidance
Tailored Training:
Offer engaging training specific to each employee’s role and the risks they face. For example, finance teams may need extra training on identifying phishing attempts related to financial scams.
Inform Your Employees:
Ensure that security measures, such as multi-factor authentication and secure file sharing, are user-friendly and easily understood. Ensure that individuals understand the “why” of the security controls and how they affect them within their daily tasks and lives.
Enable Your Employees:
Ensure that security and risk controls do not increase the time or actions required to perform daily tasks. Security is frequently perceived as an impediment or as an added layer of complexity.
However, by collaborating with teams and gaining an understanding of their procedures, processes, and challenges, security measures can be designed to empower teams and departments, allowing them to operate effectively while ensuring that security controls remain seamlessly integrated.
Trigger: Minimise Negative Security Cues
Triggers are cues that encourage individuals to take action. For example, a pop-up warning regarding a potential phishing email can be beneficial; however, negative triggers, such as excessive security alerts, may lead to frustration or alert fatigue, prompting employees to disregard these warnings.
Additionally, triggers are not solely technical in nature. For example, if employees perceive that a security control impedes their productivity and discover a workaround, they are likely to utilise that alternative to enhance their efficiency.
Guidance
Positive Reinforcement:
Utilise positive triggers to encourage desired behaviours. It’s important not to assume that employees recognise their successful performance; therefore, acknowledging and commending their efforts is essential.
This recognition may vary among individuals based on their motivations; some may be driven by financial incentives (this only works if it is in proportion to the desired action), others by work/life balance benefits, and some by public acknowledgment. An important consideration is that whatever form the acknowledgment takes, it needs to follow soon after the desired behaviour has been performed so that the two are clearly associated.

Final Thoughts
Human Risk Management is a move towards a new paradigm of security training. It offers a fresh perspective on managing the information security cultures of organisations. By increasing the understanding of human behaviour, assessing human-specific risks, and implementing strategies to manage human error, organisations can evolve and empower their employees into their greatest security asset.
By implementing Human Risk Management strategies, organisations become more resilient and adaptable. Building on this, organisations will be better prepared to face evolving security challenges, ultimately fostering a stronger, more secure business environment and culture.
If you want to explore this topic further and evolve your information security awareness training and culture, contact our consultants for a confidential discussion about your organisation’s specific challenges and objectives.
Drew Heron, Information Security Consultant at DigitalXRAID, is an experienced GRC Specialist, who excels in maintaining Information Security Management Systems (ISMS) and overseeing various cybersecurity governance and risk functions.
