Beyond awareness: Human risk management metrics for CISOs

<p>Security decision-makers face a multipronged challenge when it comes to protecting their organizations’ systems and sensitive data.</p>
<p>First, the organization's employees pose the greatest cybersecurity risks. Beyond malicious <a href="https://www.techtarget.com/searchsecurity/tip/Insider-threat-hunting-best-practices-and-tools">insider threats</a>, security teams face a host of challenges from phishing attempts, <a href="https://www.techtarget.com/searchsecurity/tip/How-to-avoid-and-prevent-social-engineering-attacks">social engineering</a>, <a href="https://www.techtarget.com/searchsecurity/tip/How-to-detect-deepfakes-manually-and-using-AI">deepfakes</a> and human error.</p>
<p>Then, there is the inconvenient truth that <a href="https://www.techtarget.com/searchsecurity/definition/security-awareness-training">traditional security training</a> simply does not work. For decades, employees have grudgingly taken mandatory annual security programs while the number of breaches continues to spiral out of control. There is a data problem, too. Nontechnical leaders point to completion rates as evidence that security awareness training has succeeded and assume the perimeter is secure. Security professionals, however, know better and struggle to attach any meaningful outcomes to employee training.</p>
<p>Forrester Research has <a target="_blank" href="https://www.forrester.com/report/five-steps-to-better-human-risk-management-metrics/RES187030" rel="noopener">proposed</a> an alternative to traditional security awareness that can improve security culture while truly demonstrating a stronger cybersecurity posture: human risk management.</p>
<section class="section main-article-chapter" data-menu-title="What is human risk management?">
<h2 class="section-title"><i class="icon" data-icon="1"></i>What is human risk management?</h2>
<p>According to Forrester, human risk management is a <a href="https://www.forrester.com/blogs/the-future-is-now-introducing-human-risk-management/" target="_blank" rel="noopener">set of bespoke activities</a> to manage and reduce the cybersecurity risks posed by the people that security teams strive to protect in an organization. Activities include the following:</p>
<ul class="default-list">
<li>Detecting and measuring security behaviors that could lead to vulnerabilities.</li>
<li>Initiating targeted policy and training interventions based on identified risks and potential threats.</li>
<li>Educating and enabling the workforce to protect themselves and their organizations against cyberattacks.</li>
<li>Creating an <a href="https://www.techtarget.com/searchsecurity/tip/5-tips-for-building-a-cybersecurity-culture-at-your-company">organizational culture that prioritizes security</a> and encourages proactive risk management.</li>
</ul>
<p>While these elements might bear a passing resemblance to traditional security awareness training programs, they represent a broader, data-driven approach that addresses human vulnerabilities in cybersecurity. Human risk management requires security teams to move beyond a cadence of scheduled security trainings that might or might not apply to users and instead embrace interventions based on the risky security behaviors arising from how people actually work.</p>
<p>"Human risk management is not security awareness training 2.0," explained Jinan Budge, vice president and research director at Forrester. "It is quite a significant shift in mindset, in strategy and, most importantly, in technology."</p>
<blockquote class="main-article-pullquote">
<div class="main-article-pullquote-inner">
<figure>
Human risk management is not security awareness training 2.0. It is quite a significant shift in mindset, in strategy and, most importantly, in technology.
</figure>
<figcaption>
<strong>Jinan Budge, vice president and research director, Forrester Research</strong>
</figcaption>
<i class="icon" data-icon="z"></i>
</div>
</blockquote>
</section>
<section class="section main-article-chapter" data-menu-title="A punishing threat landscape">
<h2 class="section-title"><i class="icon" data-icon="1"></i>A punishing threat landscape</h2>
<p>In its 2025 annual report, the FBI Internet Crime Complaint Center <a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf" target="_blank" rel="noopener">reported</a> a sharp upward trend in cybercrime, with financial losses estimated at $20.877 billion, a 397% increase from five years earlier. Human-enabled activities accounted for a significant portion of losses, with business email compromise, <a hr

[…]

This article has been indexed from Search Security Resources and Information from TechTarget