
Enhancing Security Consciousness and Education is a Process, Not a Final Result

In 2024, the practical implementation of human risk management in the cybersecurity field emerged, as concerned Chief Information Security Officers (CISOs) sought innovative strategies beyond mere security awareness and education, aiming for substantial transformation.


In the ever-evolving landscape of cybersecurity, a significant shift is underway as organisations move from Security Awareness and Training (SA&T) to Human Risk Management (HRM). This transition signifies a departure from a compliance-focused, point-in-time approach to a more continuous, holistic, and behavioural understanding of human-related security risks.

### Key Differences Between SA&T and HRM

The contrast between the two approaches is stark, as shown in the table below:

| Aspect | Security Awareness & Training (SA&T) | Human Risk Management (HRM) |
|---|---|---|
| **Focus** | Delivering mandatory training sessions and quizzes, often driven by regulatory compliance (e.g., GDPR, HIPAA). | Ongoing, holistic assessment of human risk factors across time, behaviour, and context. |
| **Approach** | Episodic training with static assessment, often leading to minimal engagement and false confidence. | Continuous monitoring and scoring of evolving individual risk exposure, integrating multiple behavioural metrics. |
| **Outcome Measurement** | Pass/fail on training modules, snapshot phishing test results. | Composite risk scores reflecting real-time risk, incorporating engagement, behaviour patterns, exposure alerts, and culture. |
| **Goal** | Regulatory compliance and basic user knowledge. | Empowering employees, fostering secure behaviour, and reducing actual human risk through a human-first, values-driven culture. |
| **Scope** | Limited to awareness content and occasional testing. | Integrates training, real-time risk detection, policy alignment, and people empowerment aligned with organisational values. |

### Why the Shift?

The ineffectiveness of SA&T alone, limitations of point-in-time assessments, and the need for continuous risk awareness have led to the emergence of HRM. Research shows that mandatory training does not significantly reduce risky behaviours over time, and traditional training and testing reflect an employee's knowledge only at one moment, missing evolving risk factors.

HRM addresses these gaps by quantifying evolving risk exposure continuously, providing real-time insights to better identify and mitigate threats. Moreover, HRM recognises that technology and policies alone are insufficient without influencing human behaviour through trust, autonomy, fairness, and empowerment. Cybersecurity thus becomes integrated into people management and organisational culture, not a separate compliance function.

### How Organisations Adopt HRM to Improve Human-Related Security

1. **Integrating continuous risk measurement:** Organisations implement platforms that track various human risk signals—such as phishing response behaviour, dark web credential monitoring, and security culture surveys—to generate dynamic risk profiles for employees.

2. **Aligning cybersecurity with organisational values:** HRM emphasises embedding security into the broader people function by promoting values like trust and fairness, thereby motivating employees to engage genuinely with security practices.

3. **Moving beyond checkbox training:** Training becomes more interactive, engaging, and tailored to individual risk profiles, combined with real-time alerts and timely interventions to reduce exposure.

4. **Leveraging data-driven insights:** Automated reporting tools give managers visibility into who remains at risk, enabling targeted remediation and informed decision-making rather than broad, generic training.

5. **Fostering a culture of security:** HRM supports a culture where employees feel empowered, supported, and responsible for security, transforming them from potential weak points into frontline defenders.

In conclusion, the shift from SA&T to HRM means transitioning from a compliance-driven, episodic training model to a continuous, human-centred, data-informed strategy that manages evolving human risks actively and empowers people as key assets in cybersecurity defence. This approach better addresses the complexity and dynamic nature of human factors that contribute to security incidents.

In the medium term, the security function will redirect its focus toward human behaviour, risk, and culture, with HRM overcoming SA&T's shortcomings. Vendors are already incorporating HRM into their branding, and major SA&T events have been renamed to include HRM. As CISOs and their teams sought solutions to reduce reliance on humans for security, HRM moved from idea to reality in 2024. Forrester anticipates that in the short term, most organisations will continue to train while exploring the shift to HRM.

1. The transition from Security Awareness and Training (SA&T) to Human Risk Management (HRM) in the domain of cybersecurity recognizes the shortcomings of traditional compliance-focused approaches and instead prioritizes continuous, holistic assessment of human-related security risks, particularly in relation to privacy concerns.
2. In the ever-evolving technology landscape, Human Risk Management (HRM) is emerging as a critical component of a comprehensive cybersecurity strategy, as it moves beyond basic training to quantify and address the evolving risks posed by human behaviours, thus fostering a culture where employees are empowered and motivated to engage genuinely with security practices.
