I am starting my third Forrester Wave™ evaluation for the market that used to be called the security awareness and training (SA&T) market. We’ve been calling it human risk management when advising clients over the last few years but have finally reached the decision to formally retire the SA&T nomenclature.
This blog explains why we (and the whole industry) are making the change from SA&T to human risk management; defines human risk management; and adds color about the complexity and opportunity of rejecting the status quo and evolving our ways of thinking.
Why The Change?
Forrester predicts that 90% of data breaches will include the human element in 2024. Yet our efforts to understand and manage this significant threat remain perfunctory, with one touted silver bullet: SA&T. This is a market that has grown exponentially, with some reports predicting a market worth $10 billion annually by 2027. Even with all this training and quizzing, human-related breaches are on the up. For example, the FBI reported that losses to businesses defrauded by successful business email compromise attacks rose from $676 million in 2017 to $2.7 billion in 2022 — an almost tenfold increase in five years.
Why Now?
Simply put, with all that we know at Forrester after covering the discipline of awareness, behavior, and culture in depth for six years, it felt unconscionable to continue the status quo. Our report, The Future Of Security Awareness And Training: Disrupt The Status Quo By Moving To Adaptive Human Protection, examines the major expected changes in security awareness and training in the short, medium, and long term as follows:
- In the long term, adaptive human protection will create freedom for employees. We articulate that this future is realistically years (we estimated 6–10 years) in the future for most, so in the meanwhile, cue human risk management.
- The medium-term focus on human risk management will overcome SA&T’s shortcomings. Because of SA&T’s shortcomings, positively influencing employee security behavior and instilling a security culture will be driven by evidence-based human-risk management.
- The immediate term has us focusing on the methods by which we train people, rather than the outcomes. This satisfies regulatory requirements for security training but little else. We call this security awareness and training.
Is Everyone Ready For Change?
I won’t lie to you — much of the industry is still in the “immediate term.” Many of my 2023 inquiry and guidance sessions began along the lines of “We would like insights on the fundamentals of setting up awareness programs.” Yet they all ended up in a sophisticated discussion of the need to do better, and the questions quickly evolved. Many questions were driven by dissatisfaction with the status quo and a desire to do better and to change. In 2023, we saw human risk management moving from concept to reality:
- Frustrated CISOs and their teams wanted recommendations on “solutions that take away the reliance on humans in the decision-making,” “creating a step change in this space,” and “relatively unique offerings.”
- Vendors such as Living Security, Elevate Security (now part of Mimecast), CultureAI, and many others now have human risk management in their branding.
- The SANS Institute’s previous awareness and training course is now called Managing Human Risk. SANS also renamed its annual security awareness summit to SANS Security Awareness: Managing Human Risk Summit 2024. Vendor events are also rife with the human risk terminology, such as Egress’ Human Risk Summit and Living Security’s Human Risk Management Conference.
- Living Security released a compelling maturity model, dubbed The Human Risk Management Maturity Model.
- Job descriptions found on job boards included senior-level positions with words such as people and culture, human risk management, cyber user behavior, and sociotechnical security in the title. Managing the human risk is no longer the domain of a junior or stand-alone person or function to tick a cybersecurity box.
What Is Human Risk Management, Anyway?
This is not just a name change (aka mutton dressed as lamb)! It is a significant change of mindset, strategy, process, and technology about how we approach an old problem in a new world.
At Forrester, we define HRM solutions as:
Solutions that manage and reduce cybersecurity risks posed by and to humans through:
1) Detecting and measuring human security behaviors and quantifying the human risk.
2) Initiating policy and training interventions based on the human risk.
3) Educating and enabling the workforce to protect themselves and their organization against cyber attacks.
4) Building a positive security culture.
Satisfying requirements for security awareness training is a secondary use case for human risk management solutions while the focus stays on changing behaviors and promoting security culture.
Let’s Connect
Forrester security and risk clients who have questions about this significant change, or about how to position themselves to effectively identify and manage the human risk, can reach out to me via an inquiry or guidance session.