Separating Hype from Reality in HRM 

Category: Human Risk Management
By John Scott, Lead Cyber Security Researcher

Human risk management (HRM) has become a more established category in recent years. This development signals a crucial shift towards enabling security teams to accurately quantify and manage workplace risks. 

With the rise of HRM, a variety of new technologies have also emerged on the market. However, how do you navigate the sea of buzzwords and shiny promises to pick the solution that's right for you? 

It may go without saying, but it's crucial to focus on solutions that offer tangible value and proven results rather than getting caught up in the hype. 

What is the hype? 

Human risk needs to be taken seriously, and security teams know that. Our recent research revealed that 79% of organisations had a human-related data breach in the last 12 months, while 34% had multiple breaches. It’s an issue that isn’t going anywhere, and up until recently the only method for tackling this risk was security awareness and training (SA&T). 

We need a change in approach. This has led Gartner to forecast that 80% of enterprises will have a formally defined and staffed human risk management programme, up from 20% in 2022, and that by 2027, 50% of large enterprise CISOs will have adopted human-centric security design practices. 

This shift is part of a broader hype cycle where new trends gain rapid attention but require time to mature. In this phase, some vendors may look to pivot or rebrand to meet perceived demand, often adopting buzzwords to capture attention.  

Yet, the question remains: are they delivering the real deal? It’s crucial to discern whether you’re engaging with someone who genuinely understands the intent behind human risk management or just following the latest trend. As the hype cycle progresses, the challenge is to identify solutions with proven efficacy, rather than falling for empty promises. 

What is the reality? 

The surge in vendors promoting the human risk management message has been significant. This trend has created a crowded marketplace where distinguishing genuine HRM solutions from rebranded offerings is increasingly challenging. 

Sheep in wolves' clothing
Beware of sheep in wolves' clothing, those that are merely dressing up their existing SA&T solutions as human risk management. They do this to capitalise on HRM's current buzzword status without offering substantive change or innovation. 

A true HRM platform should go beyond just providing more training. It should offer a comprehensive approach to managing human risk that encompasses assessment, prevention, and response strategies. Training alone is insufficient to address the complexities of human-related risks in the workplace, as it often fails to account for the dynamic nature of human behaviour and evolving threat landscapes. 

Also, many organisations are not setting the right objectives when implementing HRM programmes. They may focus too heavily on compliance or metrics that don't translate to real-world effectiveness. It's crucial for security teams to establish clear, outcome-driven objectives that align with their risk landscape and business goals. 

Proper evaluation of HRM programmes is also often overlooked, so it can be hard to understand their true impact. Organisations should implement robust evaluation frameworks that measure the effectiveness of their HRM initiatives, identifying areas for improvement and ensuring resources are allocated effectively. 

What is Human Risk Management, really? 

HRM is often conflated with SA&T, but when it comes to the intent and impact behind each, there are stark differences. While SA&T has traditionally been compliance-driven, HRM focuses on a broader risk landscape.  

Crucially, HRM is a mindset and an approach dedicated to identifying and addressing the risks caused by and posed to humans. It prioritises evaluating, understanding, and resolving these risks, recognising that while some risks may be tolerable, others will not be. Unlike output-focused strategies, HRM concentrates on outcomes, ensuring effective risk management.  

Effective HRM platforms can be invaluable tools, correlating data from your tech stacks to streamline operations and automate responses, ultimately enhancing team efficiency. The buzz around these platforms largely arises from their ability to seamlessly integrate with existing security frameworks, offering a sophisticated approach to risk management. However, you must tread carefully to ensure you're not buying into a shiny new concept without substance.  

What should you look out for in Human Risk Management strategies?

For those looking to implement or refine their human risk management strategies, here are some things to consider: 

Monitor: Do you have a comprehensive, real-time view of workforce risks beyond phishing? You should be looking to get visibility of risks related to SaaS apps, generative AI, instant messaging tools and more. Remember, you can't manage what you can't measure. You should aim to use advanced analytics and monitoring tools to gain a full understanding of your risk landscape. 

Reduce: Are you providing targeted coaching to your most at-risk employees? Can you see a measurable reduction in risk-causing behaviours? If not, ensure you have an escalation process in place. The goal is not to punish employees but to create an environment where mistakes are less likely to occur and are more readily identified and corrected. 

Fix: Once you have identified your risks, do you have the tools to mitigate them? It's essential to address these issues proactively rather than reactively. Are you fixing the 'leaky tap' by implementing long-term solutions that prevent recurrence?  

Evaluating success in Human Risk Management 

To effectively measure the success of human risk management, avoid focusing solely on completion or engagement rates. The goal is to reduce risks and shorten the Mean Time To Resolve (MTTR) where risks are present. 

Reducing mistakes:  

While targeted coaching can minimise the number of mistakes by addressing knowledge gaps, it is unrealistic to expect complete expertise. Aiming for a lower baseline of errors is a more practical marker of success. Regular feedback sessions and continuous learning opportunities can further solidify understanding and performance. 

Reducing slips and lapses:  

Even the most well-trained employees can experience slips or lapses in judgment. To counter this, building more resilient systems with validations in known risk areas is essential. A data-driven HRM platform should nudge employees to confirm their actions at points of risk, ensuring a double-check mechanism is in place. Success in this area is measured by a reduction in the MTTR. 

Reducing violations:  

Figuring out why and where security protocols are bypassed is key to improving processes and systems. By gaining visibility into these areas, you can implement targeted interventions to prevent future violations. Success means fewer violations and stronger adherence to security measures. Regular audits and a solid reporting system can help keep this focus, offering ongoing insights into areas for improvement.
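The three measures described in this section (a lower baseline of mistakes, a shorter MTTR for slips and lapses, and fewer violations) are easy to state but are often never actually computed. The script below is an added example, not code from the article or its author; it shows one way a security team could derive those numbers from its own risk-event data. The event log, the field names (`kind`, `user`, `opened`, `resolved`) and the three categories are assumptions constructed for the example, as is the idea of comparing a month before coaching with a month after.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample risk events (hypothetical data, not taken from the article).
# "kind" follows the article's three categories: mistake, slip, violation.
# "opened" is when the risky behaviour was detected, "resolved" when it was closed out;
# a None "resolved" means the event is still open.
SAMPLE_EVENTS = [
    {"id": "m1", "kind": "mistake",   "user": "alice", "opened": "2024-01-03T09:00", "resolved": "2024-01-03T15:00"},
    {"id": "m2", "kind": "mistake",   "user": "bob",   "opened": "2024-01-10T10:00", "resolved": "2024-01-12T10:00"},
    {"id": "m3", "kind": "mistake",   "user": "alice", "opened": "2024-01-20T08:00", "resolved": "2024-01-20T10:00"},
    {"id": "m4", "kind": "mistake",   "user": "bob",   "opened": "2024-02-05T09:00", "resolved": "2024-02-05T11:00"},
    {"id": "s1", "kind": "slip",      "user": "carol", "opened": "2024-01-08T14:00", "resolved": "2024-01-08T14:30"},
    {"id": "s2", "kind": "slip",      "user": "carol", "opened": "2024-01-25T11:00", "resolved": "2024-01-26T11:00"},
    {"id": "s3", "kind": "slip",      "user": "dave",  "opened": "2024-02-14T09:00", "resolved": "2024-02-14T09:15"},
    {"id": "v1", "kind": "violation", "user": "dave",  "opened": "2024-01-15T16:00", "resolved": "2024-01-16T16:00"},
    {"id": "v2", "kind": "violation", "user": "dave",  "opened": "2024-01-29T16:00", "resolved": "2024-01-30T04:00"},
    {"id": "v3", "kind": "violation", "user": "dave",  "opened": "2024-02-20T10:00", "resolved": None},
]


def _hours_to_resolve(event: dict) -> Optional[float]:
    """Hours between detection and resolution, or None if the event is still open."""
    if event["resolved"] is None:
        return None
    opened = datetime.fromisoformat(event["opened"])
    resolved = datetime.fromisoformat(event["resolved"])
    return (resolved - opened).total_seconds() / 3600


def mttr_hours(events: List[dict], kind: Optional[str] = None) -> Optional[float]:
    """Mean Time To Resolve in hours over resolved events, optionally for one kind.
    Open events are excluded so they do not drag the average down to zero."""
    durations = [
        h for e in events
        if (kind is None or e["kind"] == kind)
        for h in [_hours_to_resolve(e)]
        if h is not None
    ]
    return mean(durations) if durations else None


def open_events(events: List[dict], kind: Optional[str] = None) -> List[str]:
    """IDs of events that still have no resolution; these are the live risk."""
    return [e["id"] for e in events
            if e["resolved"] is None and (kind is None or e["kind"] == kind)]


def monthly_counts(events: List[dict], kind: str) -> Dict[str, int]:
    """Number of events of one kind per calendar month (YYYY-MM), the 'baseline' per period."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["kind"] == kind:
            counts[e["opened"][:7]] += 1
    return dict(sorted(counts.items()))


def baseline_change_pct(events: List[dict], kind: str, before: str, after: str) -> Optional[float]:
    """Percentage change in the monthly count between two months (negative = fewer events).
    Returns None if the 'before' month has no events, since the change would be undefined."""
    counts = monthly_counts(events, kind)
    base = counts.get(before, 0)
    if base == 0:
        return None
    return (counts.get(after, 0) - base) / base * 100


def repeat_users(events: List[dict], kind: str, threshold: int = 2) -> Dict[str, int]:
    """Users with at least `threshold` events of one kind: candidates for targeted coaching."""
    tally = Counter(e["user"] for e in events if e["kind"] == kind)
    return {user: n for user, n in tally.items() if n >= threshold}


def summary(events: List[dict], before: str, after: str) -> Dict[str, object]:
    """The three measures from the article, computed in one place."""
    return {
        "mistake_baseline_change_pct": baseline_change_pct(events, "mistake", before, after),
        "slip_mttr_hours": mttr_hours(events, "slip"),
        "violations_per_month": monthly_counts(events, "violation"),
        "open_violations": open_events(events, "violation"),
        "repeat_violators": repeat_users(events, "violation"),
    }


if __name__ == "__main__":
    for key, value in summary(SAMPLE_EVENTS, "2024-01", "2024-02").items():
        print(f"{key}: {value}")
```

Two design choices matter here. Open events are excluded from MTTR and reported separately, because counting them as zero would make the average look better precisely when risks are going unresolved. And the mistake baseline is compared per period rather than reported as a single total, which is what lets you see whether coaching actually moved the number.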