What is human risk management?
Human risk management (HRM) is a holistic approach to cyber security focused on first identifying, then quantifying, managing, and ultimately, reducing the human risk that organizations face. This human risk can exist from external sources, but the main focus of HRM is internal threats. HRM prioritizes identifying and then monitoring the behavior of the users that pose the most risk. Through this approach, security teams can prioritize the users who need the most training and monitoring, since security awareness programs can’t take a one-size-fits-all approach. HRM seeks to create a security-positive culture where safe behavior becomes second nature.
Understanding human risk
Human risk is defined as the potential for an individual’s actions to disrupt or cause harm to an organization, whether intentional or not, whether originating internally or externally. Also known as human error, human risk represents an area of renewed focus for a cyber security industry that continually works to stay ahead of adversaries. With broad attacks stopped more easily and frequently by AI-based security tools, cybercriminals have shifted focus to targeted attacks designed to take advantage of human error. Organizations must adapt to stop this growing human risk.
Why do organizations have to manage human risk?
Organizations must manage human risk in order to remain secure in the face of today’s cyberattacks which seek to target the most vulnerable employees within an organization – the ones for whom security awareness training has not been as effective – who are most likely to click unsafe links, download unsafe files, or fall victim to business email compromise.
Organizations that do not manage human risk leave themselves vulnerable to employee error, ethical issues, poor cyber security practices, and poor or ineffective cyber security training.
Why is human risk management important for cyber security?
HRM seizes on the latest technology available in the cyber security industry. It focuses resources on the most vulnerable users, who tend to cause the most security incidents, and allows organizations to make the most effective use of their security tools. HRM gives security teams the tools they need to measure, predict, and manage the risk presented by their users. With HRM, organizations can identify early indicators of compromise, future vulnerabilities, and risk outcomes.
Key components of an effective human risk management program
- Security awareness training
As organizations evolve their security awareness training strategy to consider all aspects of human risk, it is important to be aware that awareness training and human risk management are not in opposition to each other; they are better together. Security awareness training focuses on what employees know about security – an important but incomplete piece of the equation. Human risk management fills in the gaps by providing an understanding of what employees do in relation to security: what good and bad security decisions do they regularly make? Are they repeat offenders? How frequently are they being attacked? What risk score should be assigned to this risky user? With this understanding, security practitioners are able to gain a picture of the distribution of risky employees across their organization. Analytics show that eight percent of users are causing 80 percent of incidents. Not all users are equal in their security awareness and the human risk they pose.
- Policy implementation and enforcement
The development and enforcement of policies that guide acceptable behavior within the organization are an important part of HRM. This extends beyond security policies to encompass broader risk management and compliance considerations. Making employees aware of the organization’s security policies, how they are implemented, and how they are enforced is a good start to ensuring secure behavior. Coupled with security awareness training, this gives users a broad and effective understanding of what is expected of them when it comes to keeping their organizations secure.
- Continuous monitoring and assessment
The HRM platform marks an important and eagerly anticipated milestone in advancement toward the next generation of cybersecurity. In response to customer and market demand for a more effective means of mitigating risk brought on by human error, the HRM platform will provide unprecedented visibility into an organization’s risk profile, scoring users by risk and allowing CISOs to educate and protect the riskiest part of their employee base. This is accomplished through continuous monitoring and assessment of employee behavior.
With an HRM platform, security teams can surface and centralize risk signals in the form of a human risk dashboard. This provides security teams with human risk scoring and visibility based on event data from both native metrics as well as data from third-party tools. A key function of the HRM platform and the human risk dashboard is to integrate findings into an organization’s security awareness training program. This redefines how security leaders can manage human risk.
Effective strategies for human risk mitigation
- Conducting regular phishing simulations
Phishing simulation programs can help protect organizations from phishing attacks that could lead to costly data breaches or ransomware attacks. They help organizations understand how well prepared they are to handle phishing attempts and give employees hands-on experience that will prepare them to respond appropriately to any real-world phishing attacks.
During a simulated phishing attack, employees receive an email that closely mimics what they might see in a real phishing attack, but any mistakes or inaction will be inconsequential as the simulated phishing emails do not contain actual malware. The simulated phishing emails will, however, be able to track and record the actions and responses of employees, and this will help gauge how effective the training was, and which gaps still need to be filled in bolstering security awareness.
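The scoring, repeat-offender and "eight percent cause 80 percent" ideas from the security awareness section, the dashboard that centralizes event data from native and third-party signals, and the per-employee actions recorded by a phishing simulation all come together in one place: a per-user risk score built from event records. The following Python block is an added illustration, not Mimecast's scoring algorithm or any code from this page; the event kinds, the weights, the repeat-offender bonus and the sample events are all constructed for the example, and a real programme would calibrate them against its own data.

```python
"""Toy human-risk scoring over constructed event records (illustration only)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    kind: str  # constructed event kinds, see WEIGHTS


# Assumed weights: positive = raises risk, negative = lowers it.
# "attack_received" is exposure (being targeted), not a user mistake, so it is
# weighted lightly and not counted as an incident the user caused.
WEIGHTS = {
    "sim_click": 3.0,         # clicked a link in a simulated phishing email
    "sim_report": -1.0,       # reported a simulated phishing email (good behaviour)
    "attack_received": 0.5,   # targeted by a real attack that was blocked upstream
    "malware_download": 5.0,  # attempted download of a malicious file was blocked
    "policy_violation": 2.0,  # e.g. sent sensitive data to a personal address
}
INCIDENT_KINDS = {k for k, w in WEIGHTS.items() if w > 0 and k != "attack_received"}
REPEAT_THRESHOLD = 2   # clicks on simulated phish before a user counts as a repeat offender
REPEAT_BONUS = 2.0     # extra score for repeat offenders (assumed value)


def score_users(events):
    """Return {user: risk score}; scores never drop below zero."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e.user][e.kind] += 1
    scores = {}
    for user, kinds in counts.items():
        total = sum(WEIGHTS.get(k, 0.0) * n for k, n in kinds.items())
        if kinds.get("sim_click", 0) >= REPEAT_THRESHOLD:
            total += REPEAT_BONUS
        scores[user] = max(total, 0.0)
    return scores


def rank(scores):
    """Highest risk first; ties broken by user id so output is deterministic."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def incident_share(events, scores, top_fraction):
    """Fraction of user-caused incidents attributable to the top `top_fraction` of users."""
    ranked = rank(scores)
    n_top = max(1, round(len(ranked) * top_fraction))
    top = {u for u, _ in ranked[:n_top]}
    total = sum(1 for e in events if e.kind in INCIDENT_KINDS)
    from_top = sum(1 for e in events if e.kind in INCIDENT_KINDS and e.user in top)
    return from_top / total if total else 0.0


def _mk(user, kind, n):
    return [Event(user, kind) for _ in range(n)]


# Constructed sample: 25 users, a few of whom generate most of the incidents.
EVENTS = (
    _mk("u01", "sim_click", 3) + _mk("u01", "malware_download", 2) + _mk("u01", "attack_received", 4)
    + _mk("u02", "sim_click", 2) + _mk("u02", "policy_violation", 2) + _mk("u02", "attack_received", 1)
    + _mk("u03", "sim_click", 1)
    + _mk("u04", "sim_report", 2) + _mk("u04", "attack_received", 2)
    + _mk("u05", "policy_violation", 1)
    + [Event(f"u{i:02d}", "sim_report") for i in range(6, 26)]
)

if __name__ == "__main__":
    scores = score_users(EVENTS)
    for user, score in rank(scores)[:5]:
        print(f"{user}: {score:.1f}")
    print(f"top 8% of users account for {incident_share(EVENTS, scores, 0.08):.0%} of incidents")
```

With the constructed data, the top two users (8% of 25, rounded) account for 9 of 11 user-caused incidents, roughly the 80% skew the text describes; the dashboard view is simply the ranked list, and the step-up or training decision hangs off the score rather than being applied to everyone equally.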
- Implementing a zero trust security model
Rather than establishing a security perimeter around a network and trusting any user who can log into it, a zero-trust model assumes any user identity can be compromised. It uses multifactor authentication (MFA) to improve security beyond the username and password combination and applies a “least privilege” principle, giving the user the least access possible at every turn and requiring additional validation before stepping up access privileges.
Zero trust security establishes trust every time a user tries to access an asset in the system by checking the asset against the user’s profile, the sensitivity of the asset being accessed and the context of the activity, such as the user’s location or electronic device, or whether that user’s job should even require that level of access. If the context cues don’t match, the user may be asked to revalidate their identity before proceeding.
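The access decision described above (check the asset against the user's profile, the asset's sensitivity and the context of the request, and ask for revalidation when the cues don't match) can be written as a small policy function. The Python below is an added example and not code from this page or from any vendor's product; the sensitivity levels, the MFA freshness table, the sample profile and assets are all assumptions made for the illustration.

```python
"""Toy zero-trust access evaluation (illustration only)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, FrozenSet, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # proceed only after the user revalidates (fresh MFA)
    DENY = "deny"


@dataclass(frozen=True)
class UserProfile:
    user: str
    role: str
    usual_countries: FrozenSet[str]     # where this user normally works from
    registered_devices: FrozenSet[str]  # managed devices enrolled for this user


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int                # assumed scale: 1 = public ... 4 = restricted
    permitted_roles: FrozenSet[str]  # roles whose job actually requires the asset


@dataclass(frozen=True)
class Context:
    country: str
    device_id: str
    mfa_age_minutes: Optional[int]  # minutes since last MFA; None = none this session


# Assumed policy: the more sensitive the asset, the fresher the MFA must be.
# None means MFA is not required for that level.
MFA_MAX_AGE = {1: None, 2: 480, 3: 60, 4: 10}


def evaluate(profile: UserProfile, asset: Asset, ctx: Context) -> Tuple[Decision, str]:
    """Decide a single access request; every request is evaluated, nothing is trusted by default."""
    # Least privilege: if the job does not require this asset, there is nothing to step up to.
    if profile.role not in asset.permitted_roles:
        return Decision.DENY, "role not permitted for asset"

    reasons = []
    # Context cues: location and device compared with the user's profile.
    if ctx.country not in profile.usual_countries:
        reasons.append("unusual location")
    if ctx.device_id not in profile.registered_devices:
        reasons.append("unregistered device")
    # Sensitivity-driven MFA freshness.
    max_age = MFA_MAX_AGE[asset.sensitivity]
    if max_age is not None and (ctx.mfa_age_minutes is None or ctx.mfa_age_minutes > max_age):
        reasons.append("MFA too old for asset sensitivity")

    if not reasons:
        return Decision.ALLOW, "context matches profile"
    # Restricted assets from an unknown device: revalidating identity does not fix the device.
    if asset.sensitivity == 4 and "unregistered device" in reasons:
        return Decision.DENY, "; ".join(reasons)
    return Decision.STEP_UP, "; ".join(reasons)


# Constructed sample profile and assets.
ALICE = UserProfile("alice", "finance", frozenset({"GB"}), frozenset({"lap-01"}))
BOB = UserProfile("bob", "eng", frozenset({"GB"}), frozenset({"lap-02"}))
WIKI = Asset("wiki", 1, frozenset({"finance", "hr", "eng"}))
PAYROLL = Asset("payroll", 3, frozenset({"finance", "hr"}))
VAULT = Asset("signing-keys", 4, frozenset({"finance"}))

if __name__ == "__main__":
    for who, what, ctx in [
        (ALICE, PAYROLL, Context("GB", "lap-01", 15)),
        (ALICE, PAYROLL, Context("US", "lap-01", 15)),
        (ALICE, PAYROLL, Context("GB", "lap-01", 120)),
        (BOB, PAYROLL, Context("GB", "lap-02", 5)),
        (ALICE, VAULT, Context("GB", "unknown-tablet", 2)),
    ]:
        decision, why = evaluate(who, what, ctx)
        print(f"{who.user} -> {what.name}: {decision.value} ({why})")
```

The point of the structure is that the same user gets different answers for different assets and contexts: a public wiki needs no MFA at all, payroll from the usual laptop in the usual country passes, the same request from an unusual country is not refused outright but routed to revalidation, and a restricted asset from an unmanaged device is refused regardless of how recently the user authenticated.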
- Enhancing incident response protocols
An incident response plan outlines the actionable steps required to prepare for, respond to, and recover from a cyberattack. It can be a crucial differentiator in how organizations contain an attack, limit damage, respond to regulatory oversight, and ensure employee and customer trust. In terms of HRM, incident response protocols should reflect the knowledge about users that has been gained through monitoring and assessment.
Human risk management glossary (cheat sheet)
Term | Definition
--- | ---
Early indicators of compromise | Behaviors that can be identified early on when monitoring users that indicate which users are more likely to be susceptible to cyberattacks such as business email compromise, phishing, whaling, etc.
Human Risk | The potential for an individual’s actions, whether intentional or not, whether originating internally or externally, to disrupt or cause harm to an organization.
Human Risk Management | A holistic approach to cyber security focused on first identifying, then quantifying, managing, and ultimately, reducing the human risk that organizations face.
Phishing | A form of cybercrime where attackers dupe targets into revealing sensitive data such as bank account numbers, credit card information, login credentials, Social Security numbers, and other personally identifiable information.
Security Awareness Training | Teaches users how to protect their assets, data and financial resources, reducing the likelihood of security incidents and breaches.
Zero Trust | A security architecture model that calls for every user to be checked and validated against the access they are allowed in the system and the risk around the functions and data they are trying to access.
Benefits of human risk management
HRM is designed to prevent the evolving and sophisticated threats targeting human error within organizations. HRM offers preventative controls and the ability to take direct actions that mitigate the risk associated with human behavior such as clicking a link that downloads malware, opening malicious attachments, or visiting a website with malicious content. HRM marks an important and eagerly anticipated milestone in advancement toward the next generation of cybersecurity. Developed in response to continued employee mistakes and user errors, HRM provides unprecedented visibility into an organization’s risk profile, scoring users by risk and allowing CISOs to educate and protect the riskiest part of their employee base. With the visibility that HRM offers into an organization’s risk profile, security teams are able to protect their most vulnerable users.
How Mimecast can help you with human risk management
Human risk management offers organizations the visibility and context they need to reduce their risk profiles and protect their users from sophisticated cyber threats. Mimecast’s connected HRM platform is designed to prevent the evolving and sophisticated threats targeting human error within organizations. Mimecast’s HRM platform offers preventative controls and the ability to take direct actions that mitigate risk. With this connected HRM platform, security teams will receive visibility into their organization’s risk profile, scoring users by risk and allowing CISOs to educate and protect the riskiest part of their employee base.
Future trends and predictions in human risk management
HRM represents a major advancement for cyber security, and it is becoming an increasingly important component of many organizations’ security strategies. The trends in HRM reflect growing attention on human behavior in cyber security – in particular the ways in which human error is responsible for a significant number of cyber security incidents. Future trends include:
- AI and machine learning: Human risk management systems will increasingly incorporate artificial intelligence and machine learning, making it easier for organizations to identify patterns and predict future threats.
- Big data analytics: With the advent of big data analytics, organizations will be able to collect and analyze more data from multiple sources, improving their ability to detect human risk indicators.
- Effective risk governance: Organizations will increasingly adopt risk governance frameworks that integrate HRM into their broader cyber security strategy.
Human risk management FAQs
Why is Human Risk Management important?
Organizations are increasingly shifting their focus toward HRM. Human risk is one of the most serious threats facing organizations today. By prioritizing the identification, management, and monitoring of the riskiest users in their workforce, organizations can prevent insider threats before they arise.
How can we mitigate human risks?
Fostering a security-conscious culture is the most important step to mitigating human risk, alongside deploying a comprehensive human risk management solution that enables continuous monitoring and data analysis of user behavior so that security teams can identify which users are riskiest.