Forrester predicts that 90% of data breaches will include the human element in 2024. Yet our efforts to understand and manage this significant threat remain perfunctory, with one touted silver bullet: security awareness and training (SA&T). This is a market that has grown exponentially, with some reports predicting a market worth $10 billion annually by 2027. Even with all this training and quizzing, human-related breaches keep rising.
For example, the FBI reported that losses to businesses defrauded by successful business email compromise attacks rose from $676 million in 2017 to $2.7 billion in 2022, roughly a fourfold increase in five years.
Why Now?
Simply put, with all that we know at Forrester after covering the discipline of awareness, behavior, and culture in depth for six years, it felt unconscionable to continue the status quo. Our report, The Future Of Security Awareness And Training: Disrupt The Status Quo By Moving To Adaptive Human Protection, examines the major expected changes in security awareness and training in the short, medium, and long term as follows:
- In the long term, adaptive human protection will create freedom for employees. We articulate that this future is realistically years (we estimated 6–10 years) in the future for most, so in the meanwhile, cue human risk management.
- In the medium term, human risk management will address SA&T’s shortcomings. Positively influencing employee security behavior and instilling a security culture will be driven by evidence-based human risk management rather than by training completion rates.
- In the immediate term, we focus on the methods by which we train people rather than on the outcomes. This satisfies regulatory requirements for security training but little else. We call this security awareness and training (SA&T).
Ready For Change
I won’t lie to you — much of the industry is still in the “immediate term.” Many of my 2023 inquiry and guidance sessions were along the lines of “We would like insights on the fundamentals of setting up awareness programs.” Yet they all ended up with a sophisticated discussion on the need to do better, and the questions quickly evolved. Many questions were driven by dissatisfaction with the status quo, a desire to do better, and change. In 2023, we saw human risk management moving from concept to reality:
- Frustrated CISOs and their teams wanted recommendations on “solutions that take away the reliance on humans in the decision-making,” “creating a step change in this space,” and “relatively unique offerings.”
- Vendors such as Cybsafe, Living Security, Elevate Security (now part of Mimecast), CultureAI, and many others now have human risk management in their branding.
- The SANS Institute’s previous awareness and training course is now called Managing Human Risk. SANS also renamed its annual security awareness summit to SANS Security Awareness: Managing Human Risk Summit 2024. Vendor events are also rife with the human risk terminology, such as Egress’ Human Risk Summit and Living Security’s Human Risk Management Conference.
- Living Security and Cybsafe released a compelling vendor-agnostic maturity model, dubbed The Human Risk Management Maturity Model.
- Job descriptions found on job boards included senior-level positions with words such as people and culture, human risk management, cyber user behavior, and sociotechnical security in the title. Managing human risk is no longer the domain of a junior or stand-alone person or function ticking a cybersecurity box.
Human Risk Management
This is not just a name change (aka mutton dressed as lamb)! It is a significant change of mindset, strategy, process, and technology about how we approach an old problem in a new world.
At Forrester, we define human risk management (HRM) solutions as:
Solutions that manage and reduce cybersecurity risks posed by and to humans through:
1) Detecting and measuring human security behaviors and quantifying the human risk.
2) Initiating policy and training interventions based on the human risk.
3) Educating and enabling the workforce to protect themselves and their organization against cyberattacks.
4) Building a positive security culture.
Satisfying requirements for security awareness training is a secondary use case for human risk management solutions while the focus stays on changing behaviors and promoting security culture.
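The first two parts of that definition (measure behaviors, quantify the risk, then trigger an intervention from it) are easier to reason about with concrete mechanics in front of you. The following is an added illustration, not Forrester’s model and not any vendor’s product: it scores constructed behavioral telemetry per person with time decay, rewards protective behavior, and maps the score to an intervention tier. The event types, weights, half-life and thresholds are all assumptions chosen for the demonstration.

```python
"""Illustrative human risk scoring over behavioral telemetry.

Added example, not Forrester's model and not any vendor's product. The
event types, weights, half-life and intervention tiers are assumptions
chosen to show the mechanics: measure behaviors, quantify risk per person,
and choose an intervention from the score and its supporting evidence.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    user: str
    kind: str
    when: datetime


# Assumed weights. Positive values raise risk; negative values reward
# protective behavior (reporting a simulated phish, finishing training).
WEIGHTS = {
    "phish_sim_click": 30.0,
    "phish_sim_credentials": 50.0,
    "mfa_fatigue_approve": 40.0,
    "dlp_block": 20.0,
    "phish_sim_reported": -15.0,
    "training_completed": -10.0,
}

HALF_LIFE_DAYS = 30.0  # assumed: an event counts half as much after 30 days


def decay(when: datetime, now: datetime) -> float:
    """Exponential decay so stale events fade instead of following a user forever."""
    age_days = max(0.0, (now - when).total_seconds() / 86400.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def contributions(events, now):
    """Per-user list of (kind, weighted contribution): the evidence behind a score."""
    per_user = defaultdict(list)
    for e in events:
        if e.kind not in WEIGHTS:
            continue  # unknown telemetry is skipped, not guessed at
        per_user[e.user].append((e.kind, WEIGHTS[e.kind] * decay(e.when, now)))
    return per_user


def score_users(events, now):
    """Risk score per user, floored at 0 so good behavior cannot go 'negative'."""
    return {u: max(0.0, sum(c for _, c in cs))
            for u, cs in contributions(events, now).items()}


def intervention(score: float) -> str:
    """Map a score to an intervention tier (assumed thresholds)."""
    if score >= 60:
        return "coaching plus step-up controls"
    if score >= 30:
        return "role-specific micro-training this week"
    if score > 0:
        return "contextual nudge at next relevant action"
    return "none: recognise and reinforce"


def explain(events, user, now, top=3):
    """Top contributing events for a user, so an intervention can cite its evidence."""
    cs = contributions(events, now).get(user, [])
    return sorted(cs, key=lambda kc: -abs(kc[1]))[:top]


# Constructed sample telemetry (not real data).
NOW = datetime(2024, 3, 1)
SAMPLE_EVENTS = [
    Event("alice", "phish_sim_credentials", datetime(2024, 2, 29)),
    Event("alice", "mfa_fatigue_approve", datetime(2024, 2, 25)),
    Event("bob", "phish_sim_click", datetime(2024, 1, 1)),
    Event("bob", "phish_sim_reported", datetime(2024, 2, 28)),
    Event("carol", "dlp_block", datetime(2024, 2, 20)),
    Event("carol", "training_completed", datetime(2024, 2, 21)),
    Event("dave", "badge_tailgate", datetime(2024, 2, 27)),  # not in WEIGHTS, ignored
]

if __name__ == "__main__":
    for user, score in sorted(score_users(SAMPLE_EVENTS, NOW).items()):
        print(f"{user:6} {score:6.1f} -> {intervention(score)}")
        for kind, c in explain(SAMPLE_EVENTS, user, NOW):
            print(f"         {kind}: {c:+.1f}")
```

Two design points matter more than the particular numbers. First, the score is built from evidence that can be shown back to the person and their manager (`explain`), which is what separates a risk-driven intervention from a blanket annual module. Second, protective behaviors subtract from the score, so someone who reported the last simulated phish is not treated the same as someone who entered credentials into it; a model that only counts failures pushes people to hide mistakes rather than report them.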
Originally posted on Forrester.