Maturing SA&T programs into human risk management strategies: The why, the how, and the expert wisdom

4 November 2024

You know that feeling when something can’t keep up with the pace of modern life? That’s exactly where we are with traditional Security Awareness & Training (SA&T). It’s outdated, clunky, and struggling to stay relevant.

Human risk management (HRM), on the other hand, has been gaining serious traction for years. Now, it’s finally getting the level of recognition it truly deserves. That’s because in early 2024 analyst giant Forrester acknowledged HRM’s growing importance.

And it didn’t stop there. Forrester has now gone all in, identifying the leaders of HRM. (Spoiler: In the leader bracket? Hi, it’s us.)

And leading that charge is Jinan Budge, Forrester’s VP and Principal Analyst. Jinan’s been merrily steeping in the cybersecurity world for over two decades and knows the landscape like the back of her hand.

In a recent CybSafe webinar, Jinan and CybSafe’s CEO, Oz Alashe, broke it all down: 

  • Why SA&T falls short (and has been for years)
  • How HRM is different
  • How to begin the shift from SA&T to HRM in your organization

But before we get into the nuts and bolts, let’s set the scene—because understanding the full picture is vital to appreciating HRM’s impact.

The tunnel vision on training

When it comes to cybersecurity, many organizations have long been plagued by a kind of tunnel vision—focusing almost exclusively on training as the silver bullet for managing human risk.

It’s the idea that more training will magically solve every security issue ever and usher you into some sort of cyber utopia, if some of the more “evangelical” SA&T vendors are to be believed.

But it doesn’t do any of that. Indeed, this narrow focus is causing more harm than good. It ignores the broader, more dynamic (and yes, more complex) picture of human behavior and risk.

It’s about so much more than awareness.

As Jinan pointed out in the webinar, when she looked at around 45 regulations and frameworks, “not once were the words ‘behavior’ or ‘culture’ mentioned.” 

“Someone said to me the other day, ‘We all know that the more we train people the safer their behavior is.’ I’m like, ‘Do we?’”

The assumption has been if we just keep educating people—keep pushing out more training content—everything will fall into place. But that approach has led to fatigue, disinterest, and ultimately, a failure to tackle the root causes.

Stuck on repeat

This tunnel vision has left organizations stuck in a cycle of repetitive training exercises that don’t drive real behavior change. As Jinan explained, “The reality is, training has been long, boring, and irrelevant to people—we know this.” She also blames a “one-size-fits-all mentality” which fails to focus on what really matters—understanding human risk.

Oz is on the same page: “The approach that security awareness has traditionally taken is that we need to educate people, and if we can teach people, they will behave better,” he says.

But what may have worked decades ago can’t keep up with today’s rapidly shifting terrain.

What works now is to stop seeing people as problems to be fixed and start managing the risks they face. “We’re moving away from the place of calling people the weakest link or even the human firewall… to a place where people are just people and they’ve got a job to do,” Jinan says.

The fixation on SA&T has kept security teams from seeing the bigger picture—one where human behavior is nuanced, and where managing risk effectively requires more than just ticking boxes on a training completion chart.

Instead, what if organizations looked beyond training and started tackling human risk in a way that’s proactive, targeted, and meaningful?

HRM is here to help organizations do just that. HRM is all about managing risk proactively and intelligently, rather than relying on blanket training. 

But first we need to zoom in on exactly why SA&T’s retirement is long overdue.

Why SA&T isn’t working anymore

For some of you, this might be old news—maybe you’ve even been riding the HRM wave for a while. For others, this might be your wake-up call. Either way, it pays to revisit the problems with SA&T.

Understanding why SA&T falls short and why HRM is rising is crucial to future-proofing your security strategy. Here are three key reasons that Jinan and Oz touched on in the webinar:

1) It’s stuck in the past

Let’s face it, SA&T has been on autopilot for far too long. It’s been doing the same thing for decades, and the world has moved on. 

Jinan doesn’t mince her words on this front: “In security awareness and training, there’s been almost no disruption since the beginning of time.” Ouch!

That’s a brutal assessment, but it’s also accurate. The same tired training modules and phishing simulations have been trotted out year after year. People aren’t learning anything meaningful from them and, more to the point, the content isn’t changing their behavior.

2) One-size-fits none

Treating everyone the same is a good thing in many contexts. But in traditional SA&T it’s precisely why it fails. 

Security training, in its current form, doesn’t account for individual differences in risk exposure or behavior. Someone who deals with sensitive client data has a totally different risk profile from someone who handles meeting room bookings.

Jinan explains it best: “In the future we’re going to a place where training, if it occurs at all, is going to be very limited… and it’s not going to be based on factors such as time or how much a person knows about security, or what role they’re in. It’s going to be based on the human risk—the risk that the person is exposed to and that they are exposing the organization to.” 

The status quo is mass training. The future needs to be all about targeted interventions that actually make a difference.

3) It’s burdensome

Here’s the real kicker: SA&T is so focused on teaching people what to do that it misses why it matters: behavior. Security behaviors, to be exact. Awareness alone doesn’t change risk; safe behavior does.

Jinan tells it like it is, urging for a move “away from the place where security is everyone’s responsibility… to a place where actually it’s not—people can just go about and do their job.”

The idea isn’t to burden people with responsibility for the entire company’s security. It’s like expecting everyone in the company to be an IT specialist—ridiculous, right? Yet it’s a popular approach.

The key is to manage their behavior within their roles and the risks they face. To understand how people behave and guide them in the right direction. That’s HRM.

What’s so different about HRM, then?

It’s simple.

HRM is behavior-based, proactive, and all about outcomes. Let’s break that down.

1) Proactive (not reactive)

SA&T is all about reacting to issues after they happen. 

HRM, on the other hand, is like your proactive friend who reminds you to back up your data before your laptop crashes. 

Forget how much someone knows or how much training they’ve completed. Focus on stopping problems before they start.

In the HRM world, you don’t wait for a crisis. You identify risky behavior early and step in before it turns into a full-blown security issue. 

It’s the difference between patching a leak and redesigning the system so it doesn’t leak in the first place.

2) The right intervention at the right time

Interventions need nuance, Jinan explains. “It’s not just based on a particular quiz score,” she says. “It’s their actual behaviors, the threats that they’re susceptible to.” You’re not dumping a pile of information on people and hoping some of it sticks—you’re delivering exactly what they need, when they need it.

Picture this: instead of giving everyone a lecture on two-factor authentication, you focus on the people who are struggling to adopt it. Tailored training, nudges, or even just a simple tech fix—you make sure the right people get the right interventions at the right time. That’s HRM.

As Jinan put it: “The whole blanket approach just doesn’t work. It’s wasteful of resources—the employees’ time as well as ours…We are moving to a place where security adapts its processes and technologies to protect the people.”

3) Focused on outcomes (not activities)

HRM is laser-focused on results, not activities. If it doesn’t reduce risk, it’s not part of the program. 

SA&T has been doing security teams a disservice by focusing on knowledge only, Oz points out: “If we stay focused on a belief that the role of security awareness is to make people aware, we miss the opportunity to focus on outcomes.”

HRM is about real, measurable results… We’re measuring behaviors and seeing if they actually change. It’s a no-nonsense approach: did the behavior change? If not, try something else. No more running activities for the sake of it.

And this is where the magic happens. HRM measures success not by how many people completed training, but by how many people stopped clicking on dodgy links or adopted better password habits. It’s about behaviors that matter and have real security impacts.

So yeah, like we said, HRM is behavior-based, proactive, and all about outcomes. 

That’s why it’s different from (and better than) SA&T. That’s why you’re probably wondering…

How do I get started with HRM?

So you’re ready to manage human risk in a proactive, behavior-driven way that actually works. Good news: shifting to HRM is easier than you think, and the first step isn’t scary at all.

Jinan drops some serious wisdom on how to get started: “We find one of the easiest places to start is getting clear on: What does high risk mean to us in the context of our people? Because it will be slightly different for every organization. And then of course how do we measure whether we’re having any impact on that risk or indeed on those outcomes?”

From this, you can start to tailor your interventions—whether that’s a conversation, some tech fixes, or just a friendly nudge in the right direction.
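As an added example (not CybSafe’s or Forrester’s code, and not something shown in the webinar), here is what that starting point looks like once you write it down: decide what high risk means for your people, score observed behavior rather than training completion, pick one targeted intervention per high-risk person, and track outcome metrics across cycles. The role weights, the threshold, the intervention names and the five sample records are all constructed assumptions; a real program would feed this from MFA enrolment, phishing-simulation and reporting data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    training_complete: bool  # the SA&T activity metric
    mfa_enrolled: bool       # observed behavior
    phish_clicks: int        # simulated-phish clicks this quarter
    phish_reports: int       # suspicious emails reported this quarter


# Exposure weight per role. Assumption: every organization supplies its own
# answer to "what does high risk mean to us in the context of our people?"
EXPOSURE = {"finance": 3, "engineering": 2, "facilities": 1}

# Constructed sample records for this example; not real data.
PEOPLE = [
    Person("alice", "finance", True, False, 3, 0),
    Person("bob", "finance", True, True, 0, 2),
    Person("carol", "engineering", True, True, 2, 0),
    Person("dave", "engineering", False, True, 0, 3),
    Person("erin", "facilities", True, False, 2, 0),
]


def training_completion_rate(people):
    """The activity metric a traditional SA&T dashboard reports."""
    return sum(p.training_complete for p in people) / len(people)


def behavior_score(p):
    """Observed behavior only: training completion is deliberately not an input."""
    score = 0
    if not p.mfa_enrolled:
        score += 2
    score += p.phish_clicks
    # Reporting is a protective behavior; cap the credit so it cannot mask clicks.
    score -= min(p.phish_reports, 2)
    return max(score, 0)


def risk_score(p):
    """Human risk = exposure the role carries x behavior the person exhibits."""
    return EXPOSURE[p.role] * behavior_score(p)


def choose_intervention(p):
    """One targeted intervention per person, aimed at their biggest contributor.
    Assumption: the names are placeholders for the organization's own interventions."""
    if not p.mfa_enrolled:
        return "mfa-enrolment-nudge"
    if p.phish_clicks > 0 and p.phish_reports == 0:
        return "phish-reporting-walkthrough"
    return None


def plan(people, threshold):
    """Who gets an intervention this cycle, highest risk first. Everyone below
    the threshold is left alone to get on with their job."""
    ranked = sorted(people, key=risk_score, reverse=True)
    return [(p.user, risk_score(p), choose_intervention(p))
            for p in ranked if risk_score(p) >= threshold]


def outcomes(people):
    """Outcome metrics to compare across cycles: behaviors, not completions."""
    n = len(people)
    return {
        "mfa_enrolled": sum(p.mfa_enrolled for p in people) / n,
        "clicked": sum(p.phish_clicks > 0 for p in people) / n,
        "reported": sum(p.phish_reports > 0 for p in people) / n,
    }


if __name__ == "__main__":
    print("training completion:", training_completion_rate(PEOPLE))
    print("behavior outcomes:", outcomes(PEOPLE))
    for user, score, action in plan(PEOPLE, threshold=4):
        print(f"{user}: risk={score} -> {action}")
```

On the sample data the completion dashboard reads 80%, yet three of five people clicked a simulated phish. The one person who skipped training (dave) is the lowest risk in the population because his observed behavior is good, while alice, who completed it, is the highest. Only three people get an intervention, and not the same one: the MFA holdouts get a nudge to enrol, the person who clicks but never reports gets a reporting walkthrough. Re-running `outcomes()` next cycle is the measurement Jinan asks for: did the behaviors move, not did the modules get watched.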

But there’s so much more wisdom ripe for the picking. If you want to take your security program full beast mode and fully harness HRM, start by catching the whole webinar right now.
