
Human risk management: CISOs’ solution to the security awareness training paradox

What is human risk management?: HRM is defined as a cybersecurity strategy that identifies, measures, and reduces the risks caused by human behavior. Simply stated, security awareness training (SAT) is about what employees know; HRM is about what they do (i.e., their actual cybersecurity behavior).

To be more specific, HRM integrates into email security tools, web gateways, and identity and access management (IAM) systems to identify human vulnerabilities. Furthermore, it measures risk using behavioral data and pinpoints an organization’s riskiest users. HRM then seeks to mitigate these risks by applying targeted interventions such as micro-learning, simulations, or automated security controls. Finally, HRM monitors behavioral changes so organizations can track progress.

There’s a misconception out there that HRM and SAT are different animals, so organizations interested in HRM must budget for both. Wrong. In fact, leading HRM solutions from vendors such as Fable Security, KnowBe4, and Mimecast offer HRM products chock full of standard SAT material. They even provide specific training support for regulatory compliance requirements.
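As an added illustration (not code from the article or from any HRM vendor named in it), the Python below sketches the identify, measure, intervene, monitor loop on a constructed set of events: a decaying per-user risk score built from behaviours reported by email, web and IAM tooling, a ranking of the riskiest users, a targeted micro-learning nudge per user, and a weekly trend for tracking change. The event names, weights, decay factor and nudge catalogue are all assumptions.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical normalised format, standing in for
# what an HRM platform would ingest from an email security tool, a web gateway
# and an IAM system. "week" is the week in which the behaviour was observed.
EVENTS = [
    {"user": "alice", "source": "email", "event": "phish_sim_clicked", "week": 1},
    {"user": "alice", "source": "email", "event": "phish_sim_reported", "week": 3},
    {"user": "bob", "source": "web", "event": "blocked_malicious_url", "week": 1},
    {"user": "bob", "source": "iam", "event": "mfa_fatigue_approved", "week": 2},
    {"user": "bob", "source": "email", "event": "phish_sim_clicked", "week": 2},
    {"user": "carol", "source": "email", "event": "phish_sim_reported", "week": 1},
]

# Assumed behaviour weights: positive values are risky, negative are protective.
WEIGHTS = {
    "phish_sim_clicked": 3.0,
    "blocked_malicious_url": 2.0,
    "mfa_fatigue_approved": 4.0,
    "phish_sim_reported": -1.5,
}

# Assumed mapping from a risky behaviour to the micro-learning module that targets it.
NUDGES = {
    "phish_sim_clicked": "spotting-phishing-links",
    "blocked_malicious_url": "safe-browsing-basics",
    "mfa_fatigue_approved": "mfa-prompt-hygiene",
}

def risk_scores(events, as_of_week, decay=0.8):
    """Per-user risk score: weighted behaviours, older weeks count less, floored at 0."""
    scores = defaultdict(float)
    for e in events:
        age = as_of_week - e["week"]
        scores[e["user"]] += WEIGHTS[e["event"]] * decay ** age
    return {user: max(0.0, s) for user, s in scores.items()}

def riskiest_users(scores, n=3):
    """Users ranked from highest to lowest risk score (the 'pinpoint' step)."""
    return sorted(scores, key=scores.get, reverse=True)[:n]

def assign_nudge(events, user):
    """Pick the intervention for a user's single most severe risky behaviour, if any."""
    risky = [e["event"] for e in events if e["user"] == user and WEIGHTS[e["event"]] > 0]
    return NUDGES[max(risky, key=WEIGHTS.get)] if risky else None

def weekly_trend(events, user):
    """Raw (undecayed) score per week, for tracking whether behaviour is improving."""
    trend = defaultdict(float)
    for e in events:
        if e["user"] == user:
            trend[e["week"]] += WEIGHTS[e["event"]]
    return dict(sorted(trend.items()))
```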

Democratizing security training with AI: I know what you’re thinking. HRM sounds like the latest buzz term coined by the cybersecurity industry marketing glitterati. Yeah, kind of true, but generic HRM has an AI-based partner riding shotgun. And unlike general industry AI hype, there’s research and expert agreement that AI is well positioned to change education as we know it.

In his book Co-Intelligence: Living and Working with AI, University of Pennsylvania professor Ethan Mollick suggests that AI will deliver personalized learning at scale, where AI acts as a “Socratic tutor” that “nudges” students toward excellence, provides simulations and role plays, and offers persona-based learning. In an HRM context, a “nudge” can be thought of as continuous micro-learning. A user clicks on a malicious link and is guided toward an appropriate security lesson aimed at reinforcing good hygiene and behavior.

Armed with AI, HRM will also understand habits and ways of learning. For example, Alice tends to learn best through written descriptions while Bob prefers watching videos. Leading HRM tools can also role play with users, gamifying cybersecurity training and playing on their competitive nature. Thus, HRM (with AI) has the potential to democratize expertise in a new and unique way.

From an ROI perspective, HRM offers a much more granular approach to cyber-risk mitigation than standard SAT. CISOs and HR managers can report on improved cyber hygiene and behavior, rather than how many employees have been trained and passed generic tests. Repeat offenders are not only identified but also provided with personalized training tools and attention. Ultimately, HRM makes it possible to show a direct correlation between training and a reduction in actual security incidents.

To quote Aristotle, “We are what we repeatedly do. Excellence, then, is not an act, but a habit.” HRM is intended to personalize training to change behavior and habits. If Aristotle were a CISO, he’d surely see the logic in moving from generic SAT to HRM.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4123230/human-risk-management-cisos-solution-to-the-security-awareness-training-paradox.html
