Managing Human Risk Requires More Than Awareness Training

Author: Chris Madeksho, CISA, CRISC, SSAP
Date Published: 18 July 2023

Managing human risk is an essential aspect of any cyberrisk management program. In this era of cyberthreats, organizations must increase and prioritize their efforts to protect themselves from cyberattacks. While most organizations focus on leveraging the latest technology to enforce their security controls, a comprehensive information security awareness program must also be in place to ensure that employees are aware of and educated about the threats they may encounter at the workplace. According to a 2023 report, 74% of all breaches involved a human element, whether in the form of malicious intent or negligence, making people the most significant factor in cyberbreaches.1 While this is 8 percentage points lower than the figure reported in 2022, humans still pose a high risk to an organization’s data. Hence, organizations must treat human risk in the same manner as any other identified risk, by developing a mitigation plan that reduces the risk to an acceptable level based on the organization’s risk tolerance.

Conducting a Risk Assessment

The first step in managing human risk is to conduct a risk assessment to identify the risk factors most critical to the organization. Sound familiar? To be successful, a risk analyst must assess the likelihood of a vulnerability being exploited and the impact such an event would have on the organization. To identify the relevant threat sources, the security operations team should be engaged to provide documentation on past cyberincidents, current threat intelligence and mitigation plans from previous audits. The security operations team can also measure how susceptible users are to these threats, for example, through phishing simulation exercises, whose click and report rates inform the likelihood estimate. Once an assessor has this information, they can build a risk register to prioritize the highest risk factors.

Any educator knows that it is not possible to teach someone everything that they need to know and expect them to retain all the information. After conducting a risk assessment, critical risk can be targeted and mitigated with awareness and education. For example, employees should be made aware of the risk associated with phishing and other social engineering attempts that reach them through attack vectors such as email, text messages or phone calls. They should be taught how to identify suspicious emails and links and to not disclose sensitive information in email or over the phone. But making an employee aware of a threat is only the first step in protecting them and their organization.

Conducting a cybersecurity awareness program should not be treated as a one-time event. Annual compliance training is not enough to continually reinforce the practices needed for good cyberhygiene. Employees need actionable guidance on how to respond when faced with a threat. Enterprises should consider how they can go beyond an awareness program to achieve a preparedness program. For example, organizations can conduct quarterly or semiannual training refreshers and provide cybersecurity learning opportunities in the form of webinars or e-learning modules.

Repeated risk assessments show which critical risk factors have been mitigated to an acceptable level and which have risen in significance as new threats emerge. Over the long term, mitigating human security risk in this way transforms the security culture of the organization.

Fostering a Security Culture

Mitigation plans for reducing human risk should also focus on fostering a security culture within the organization. It is essential to emphasize that cybersecurity is not the job of only the IT department or the cybersecurity team, but rather, it is the responsibility of every individual to work toward keeping the organization secure. Cultural change requires sustained effort, and it takes time to see results.

To create a culture of security, it is important to encourage employees to speak out when they see risky cyberactivity and commend them for asking questions when in doubt. The organization can also acknowledge individuals who implement secure practices and create a rewards system to incentivize good security behavior.


Examining Employee Behavior

Another key aspect of managing human risk is to track employee activities. While it is essential to foster trust with employees, it is also necessary to have measures in place to detect both mistakes and malicious behavior. Employee monitoring software can track this behavior and alert the IT team to suspicious or risky activity, such as data leakage. To preserve the trust the program depends on, monitoring should be proportionate to the risk, disclosed to employees and consistent with applicable privacy requirements. Periodic IT assessments or audits of employee activity help identify potential security gaps or weak points. These should be addressed proactively, as with any other type of risk.

Investing Time, Talent and Treasure

An information security preparedness program needs time, talent and treasure to be successful. Dedicated resources require time to develop, execute and sustain the program over the long term. Talent requirements include people who understand risk, can communicate effectively with different levels of the organization, and can develop material relevant both to the risk identified and to the enterprise’s mission and goals. Finally, a good program cannot flourish without funding. While some great and diverse materials are available for free, a comprehensive program targeting critical risk requires a budget. Understanding the most significant human risk factors can help develop a compelling business case that outlines the need for, and benefits of, funding.

Conclusion

If an organization makes risk-based business decisions, it cannot discount human risk. Humans are the attack vector most frequently exploited. Technology should be used appropriately to identify, detect and prevent security incidents, but training the people being preyed upon is perhaps the best defense against cyberevents. By conducting risk assessments, developing a positive security culture, being aware of employee activity and properly managing resources, organizations can reduce the human risk factor and keep sensitive information secure.

Endnotes

1 Verizon, 2023 Data Breach Investigations Report, USA, 2023

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “Managing Human Risk Requires More Than Just Awareness Training” episode of the ISACA® Podcast.

Chris Madeksho, CISA, CRISC, SSAP

Is a cybersecurity analyst with the governance, risk and compliance (GRC) team at the University of Tennessee (Memphis, Tennessee, USA) Health Science Center. She works in the areas of risk management, policy management, and security awareness and outreach. Her career has spanned the travel, pharmaceutical and higher education industries.