I recently listened to a podcast where one of our industry peers boldly compared Human Risk Management to “putting lipstick on a pig” in the context of security awareness. After mulling over this statement for a few days, I must say that I’m having a hard time buying the metaphor, especially since I agree with the peer’s public view that if security awareness is your last line of defense, you are failing—or as he puts it, “you should be fired.”

In my view, Human Risk Management actually supports that stance. It integrates security awareness with other mitigation controls, making awareness just one small element in a much larger, comprehensive approach to reducing high-risk behaviors and reinforcing desired ones.

Starting with the initial steps of The Human Risk Management Cycle, you first identify and understand your organization’s groups and individuals, pinpointing the high-risk behaviors you want to change or the desired behaviors you want to strengthen. From there, you can identify solutions to facilitate behavior change or mitigate the risk of human behavior through people, processes, or technology.

What sets Human Risk Management apart is its comprehensive approach. Unlike security awareness, which focuses primarily on people, Human Risk Management encompasses a broader range of mitigation controls. It includes not just educational and awareness efforts but also integrates process and technological measures to effectively manage and reduce human-related risks.

At this stage in The Human Risk Management Cycle, you might identify security awareness as one of many options to mitigate human risk. However, it’s also the point where you consider implementing technical controls, such as conditional risk-based access or measures to prevent adversary-in-the-middle (AiTM) attacks. This is because, despite the best security awareness training, some individuals will still fail to recognize a threat.

In the subsequent steps of The Human Risk Management Cycle, you develop and implement your selected mitigation strategies before the cycle starts anew.

In conclusion, while the comparison of Human Risk Management to “putting lipstick on a pig” may resonate with some, it overlooks the depth and complexity of truly effective security practices. Human Risk Management isn’t about surface-level changes; it’s about embedding robust, multifaceted strategies into the core of organizational operations. By integrating security awareness with other controls, such as technological measures and process improvements, we can create a resilient security culture that addresses risk at every level. As we continue to evolve our strategies, it’s essential to recognize that human behavior is a critical factor in security. A holistic approach lets us better mitigate risks, reinforce positive behaviors, and ultimately safeguard our organizations against the ever-evolving threat landscape.