Human Behavior vs Human Risk
November 28, 2022
Human risk has become a hot topic in security awareness. As the industry evolves and as companies mature their security awareness programs, the job to be done (JTBD) of security awareness shifts from checking the box for an audit to reducing human risk. There are now platforms that call themselves "human risk platforms".
But what is human risk?
When I search for “human risk”, the top definition from Google:
Human Risk encompasses loss to an organisation caused by human factors including the decisions and non-decisions, actions and non-actions of its people. "Loss" includes both financial and non-financial loss.
While Google ranks this #1, this definition is wrong in that “risk” does not equal “loss”. The idea of risk in the context of infosec is that risk can be managed and mitigated. The goal is not to manage or mitigate loss.
Instead, let’s replace what Google ranks and define human risk as the possibility or chance of loss to companies from human actions. Human risk, therefore, is all of the things your employees do every day - in SaaS apps, on their mobile devices, on Zoom calls, etc. - that put your company - data, networks, secrets, assets, competitive advantage, etc. - at risk.
Human risk results from human behavior. While human risk can be a helpful metric to measure and track, human behavior needs to be the target of interventions if companies are going to reduce their overall risk profile (overall risk including all risk - human and non-human).
According to Merriam-Webster:
Risk: Possibility of loss or injury.
Behavior: the way in which something functions or operates.
While human risk is a step in the right direction for security awareness, it is still missing the crucial, human, element. Human behavior is what matters. We can measure and report on human risk all we want but, at the end of the day, the behavior of employees is what has to change.
Human risk is a lagging indicator of human behavior. In order to be proactive, we have to flip the concept of human risk and focus on human behavior first. We already know what human behaviors to target to reduce human risk. And it is not that long of a list, at least if you apply the 80/20 rule and focus on human behaviors.
The two human behaviors to focus on to reduce the risk to your company are:
1. Social engineering
2. Passwords
Each of the above is more of a category of topics vs an individual topic. Social engineering is not simply phishing. It is understanding human manipulation and being vigilant across all apps and platforms. Passwords include basic good password hygiene as well as password managers and multi-factor authentication (MFA).
More is not better. Extending the list of topics that you cover in security awareness only waters down the messaging around the most important two topics listed above.
If it is this simple, why do security awareness vendors include so many topics, and why do they differentiate on the size of their content libraries? One reason is that innovation in security awareness has been in content, not product or user experience. Creating new types of user experiences that focus on just the above two topics would greatly improve overall security for companies. Buyers are used to asking about content libraries and comparing the topics covered when they are deciding what solution to buy. This is a dated way to think about the value of security awareness.
Some employees are at higher risk than others. Targeting those higher risk employees is better than targeting all employees the same way. But, this is a second order problem. The first order problem to solve with security awareness is to improve the human behaviors that improve the overall security posture of a company.