Long live human risk management, and behavioural security. 😉

By @Oz Alashe. (Last updated Oct 2021)

A provocative title, and one which will have many security awareness practitioners frowning.👆🏽 However, read on to find out how the ‘security awareness’ space is changing and the industry is being disrupted. And then make your own mind up.

Security: People, Process, Technology.

Society and commerce are becoming increasingly digital. Most organisations have realised they must take security seriously.

With this comes a reinforcement of a widely accepted notion: Security can be addressed by considering People, Process and Technology.

It’s not surprising to see people listed.

In almost every security breach we read about, and in most of the latest security reports listing the causes of cyber incidents, human risk appears near the top of the list.

By human risk we mean cyber risks involving people, like people being targeted by cyber attackers. Or human errors and mistakes, like using ‘cc’ instead of ‘bcc’ in email.


There’s growing recognition that technical cyber security measures don’t exist in a vacuum. They need to operate in harmony with people. This is why people are a key part of any comprehensive security strategy.

What we’re describing isn’t just common sense. It’s actually, at least in part, often a compliance requirement.

Controls to reduce human risk are stipulated by well-regarded security frameworks like NIST, ISO27001, and Cyber Essentials. These are industry regulatory requirements that many organisations are subject to, and they cite measures for human risk reduction, although they could be accused of glossing over the issue and encouraging box-ticking rather than meaningful impact.

Everyone accepts that people are an important part of the strategy. So why do some organisations only pay lip service?