Strategies To Fortify Your Organization’s Defense

Stu Sjouwerman is Founder and Executive Chairman of KnowBe4 Inc., a security awareness training and simulated phishing platform.
Sophisticated AI-fueled attacks are exploiting human weaknesses, compelling a shift towards managing human risk to bolster overall cybersecurity.
AI security systems are hardening organizations’ defenses, prompting attackers to shift their targets to humans through manipulative phishing and social engineering tactics. With 68% of all breaches involving humans and human mistakes accounting for 28% of breaches, no organization can ignore the human side of security.
Organizations are increasingly recognizing that technical controls, while important, cannot fully protect against malicious insiders or human error. They need a human risk management strategy that accounts for the critical role of end-user behavior in sustaining a strong security posture.
What is human risk management?
Human risk management (HRM) controls and mitigates cybersecurity threats that originate with or target people by evaluating security behavior and measuring human risk. It triggers policy and training interventions in response to measured risk, trains and empowers the workforce to defend themselves and their organization from cyberattacks, and builds a supportive security culture.
The success of HRM rests on four pillars: identifying and assessing human-related cybersecurity risks within the organization; offering personalized, interactive and ongoing learning experiences for employees; deploying an HRM framework that leverages the power of AI and ML while being integrated with other cybersecurity systems; and continuous assessment and optimization of HRM strategies using data-driven insights and adaptive security controls.
Why the move to HRM now?
According to an IBM report, phishing, social engineering and insider threats are among the leading causes of data breaches. With the global average cost of a data breach at $4.88 million in 2024, overlooking the human aspect is no longer an option for organizations.
The rapid spread of generative AI is exacerbating the issue, as adversaries use it to create more convincing phishing emails and deepfakes that trick employees into exposing confidential information. With one report finding a 1265% rise in malicious emails in the year following the release of ChatGPT, organizations must continually train employees to identify and prevent such attacks.
Security awareness training (SAT) is valued for establishing a security baseline: it transfers knowledge, measures how well employees perform in training and builds sensitivity to security threats. What it lacks is data-driven analysis of actual behavior. HRM fills that gap by providing a full picture of an organization's human-related vulnerabilities, quantifying human risk, initiating policy and training interventions and building a positive security culture.
How can HRM be operationalized?
Organizations can consider these guiding principles for implementing an effective HRM strategy:
Take A Human-Centric Approach: Organizations must strive to understand not only human motivations, abilities and triggers but also social and personality factors to mitigate human-initiated security incidents. Security needs to be interactive and engaging so that employees find secure behavior the easy option.
Harness AI: With machine learning algorithms, organizations can identify anomalies and correlations that might go unnoticed by human analysts, supporting more precise human risk estimates. Generative AI may assist in providing personalized and relevant security recommendations for users through context-aware security training.
Leverage An Integrated System: Gathering data from various sources can be a step towards generating a holistic view of an organization’s human risk profile. An HRM framework must integrate with the rest of the organization’s technology stack to provide the necessary interventions to mitigate risk and share threat intelligence across security systems, delivering consistent user experiences across all channels.
Ensure Continuous Adaptation And Evolution: To remain effective against the latest threats and trends, an organization's HRM strategy must be regularly refreshed with current threat intelligence, training material, simulations, awareness campaigns and risk management measures. Adapting to evolving work patterns and the technologies employees actually use, and periodically optimizing against measurable outcomes, are essential.
Develop A Positive Security Culture: HRM’s greatest strength lies in its ability to understand employee motivations and shape the organization’s culture and mindset toward cybersecurity. A robust security culture can be developed through ongoing and personalized training, open communication, positive reinforcement and an environment for reporting and remediating vulnerabilities.
Is HRM meant to replace SAT?
SAT remains a core element of a balanced HRM program. Conventional SAT and phishing simulations began with a one-size-fits-all approach; they have since evolved to incorporate engagement-based metrics that feed human risk into the overall cyber risk assessment. HRM draws on the organization's broader security stack to calculate a risk score for each user. This lets organizations identify high-risk users, analyze their behavioral patterns and apply targeted interventions. By shifting the focus from awareness alone to quantifiable risk mitigation, organizations can positively influence employee security behavior and establish a culture that limits human-centric threats.
How do you assess HRM frameworks?
When assessing potential HRM frameworks, look for options that seamlessly integrate with the organization’s security stack to allow a proactive security approach. HRM should be able to ingest security alerts from integrated systems to measure and manage human-related cyber risks, provide real-time adaptive training interventions and deliver personalized and context-specific training and nudges to users. HRM is not a one-off implementation and should share insight on the threat landscape, providing constant guidance and support.
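To make the user risk score and intervention loop described above concrete, here is an added example, written for this page and not taken from KnowBe4 or any vendor's product: it ingests constructed events from several assumed sources (a phishing simulator, an email gateway, DLP, EDR and a learning management system), weights each signal, applies a time decay so old behavior matters less than recent behavior, and maps the resulting score to a tier with a matching set of interventions. The source and event names, weights, 30-day half-life and tier thresholds are all assumptions chosen for the demonstration.

```python
"""Illustrative human-risk scoring: not any vendor's real model.

Each user accumulates a score from weighted, time-decayed signals pulled
from several (assumed) systems. The score is tiered and each tier maps
to the interventions an HRM program would trigger.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    user: str
    source: str      # emitting system (assumed names: phish_sim, email_gw, dlp, edr, lms)
    kind: str        # event type within that system (assumed names)
    when: datetime

# Assumed weights per (source, kind). Positive raises risk; negative lowers it
# so that good behavior (reporting phish, finishing training) offsets bad.
WEIGHTS = {
    ("phish_sim", "clicked"): 3.0,
    ("phish_sim", "submitted_creds"): 6.0,
    ("phish_sim", "reported"): -2.0,
    ("email_gw", "malware_blocked"): 1.0,
    ("dlp", "policy_violation"): 4.0,
    ("edr", "alert"): 5.0,
    ("lms", "training_overdue"): 2.0,
    ("lms", "training_completed"): -1.5,
}

HALF_LIFE_DAYS = 30.0  # assumed: a signal loses half its weight every 30 days

# Assumed tier thresholds, checked highest first.
TIERS = [(12.0, "high"), (5.0, "medium"), (0.0, "low")]

# Assumed interventions per tier; a real program would tune these.
INTERVENTIONS = {
    "high": ["targeted phishing simulation", "1:1 coaching", "access review"],
    "medium": ["context-specific micro-training", "in-app nudge"],
    "low": ["standard periodic training"],
}

def decay(age_days: float) -> float:
    """Exponential decay factor for a signal that is age_days old."""
    return 0.5 ** (age_days / HALF_LIFE_DAYS)

def score_user(events: list[Event], now: datetime) -> float:
    """Sum of weighted, decayed signals, floored at zero."""
    total = 0.0
    for ev in events:
        weight = WEIGHTS.get((ev.source, ev.kind))
        if weight is None:
            continue  # unknown signal: ignore it rather than guess a weight
        age = (now - ev.when).total_seconds() / 86400.0
        if age < 0:
            continue  # future-dated event (clock skew or bad feed): skip
        total += weight * decay(age)
    return max(total, 0.0)  # good behavior offsets risk but never goes negative

def tier_for(score: float) -> str:
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "low"

def assess(events: list[Event], now: datetime) -> dict[str, dict]:
    """Group events by user and return score, tier and interventions per user."""
    by_user: dict[str, list[Event]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    report = {}
    for user, evs in by_user.items():
        score = score_user(evs, now)
        tier = tier_for(score)
        report[user] = {"score": round(score, 2), "tier": tier,
                        "interventions": INTERVENTIONS[tier]}
    return report

# Constructed sample input (not real telemetry).
NOW = datetime(2024, 9, 1)
def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)

SAMPLE_EVENTS = [
    Event("alice", "phish_sim", "submitted_creds", _ago(2)),
    Event("alice", "edr", "alert", _ago(10)),
    Event("alice", "lms", "training_overdue", _ago(1)),
    Event("alice", "dlp", "policy_violation", _ago(20)),
    Event("bob", "phish_sim", "reported", _ago(3)),
    Event("bob", "lms", "training_completed", _ago(5)),
    Event("bob", "phish_sim", "clicked", _ago(200)),   # old click, mostly decayed
    Event("carol", "phish_sim", "clicked", _ago(1)),
    Event("carol", "email_gw", "malware_blocked", _ago(2)),
    Event("carol", "lms", "training_overdue", _ago(3)),
    Event("dave", "hr", "onboarded", _ago(1)),           # unknown source: ignored
]

if __name__ == "__main__":
    for user, row in assess(SAMPLE_EVENTS, NOW).items():
        print(f"{user:6} score={row['score']:6.2f} tier={row['tier']:6} -> {row['interventions']}")
```

Two design choices matter in practice: the half-life keeps a user from being labelled high-risk forever because of one click months ago, and the explicit ignore of unknown (source, kind) pairs means a new feed cannot silently inflate or deflate scores until someone assigns it a reviewed weight. In a real deployment the weights and thresholds would be calibrated against incident outcomes rather than chosen by hand.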
Human risk management extends beyond traditional security awareness training by focusing on the human aspect and transforming how organizations approach cybersecurity. With humans at the center of security strategies, organizations can better address the root causes of many security incidents, such as phishing attacks, social engineering and insider threats. AI-supported HRM enables companies to customize training interventions, build resilience and respond to changing threats.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.