Thoughts: "Human Risk Management"

The people side of cyber security has traditionally been called "cyber security awareness". That is, making people aware of how cyber criminals target them, and what they can do about it.

But some people in the cyber security industry are not happy with this term, and instead "Human risk management" is starting to gain a bit of traction. What does it mean? Broadly something like: "the process of identifying, assessing, and mitigating risks associated with human behaviour in regards to an employee's use of technology".

Let's break it down:

Human

Firstly, the term "Human". I don't like it. Why can't we call people, people? Human is so impersonal. For me, it's almost like saying people are cattle with a number on an ear tag.

The Blame Game

Secondly, we're saying Humans (people) are a risk. We are literally saying that because of Humans, we need to have a framework in place to manage your stuff-ups, because you're imperfect and cost the company money. Wow, that's pretty demotivating in my books: being blamed for something you potentially haven't even done!

Risks Associated with Human Behaviour

Now this part really doesn't make sense to me. If we're talking about people being tricked by cyber criminals, then how is the behaviour of the "Human" the risk? I've mentioned this before in a blog post here.

Risk = Threat + Vulnerability.

You can add a few other things in there, like probability and impact, but really that's part of the threat. If there's no probability or impact, there's no threat.

Anyway, if the threat is the cyber criminal targeting the person, then the person must be vulnerable (trickable) in order for a risk to exist. No criminal = no risk. No vulnerability = no risk. Simple. But if we're going to be calling the person the risk, then what is the vulnerability that we need to deal with?

I find it amusing that cyber security is so clear on the definition of a risk, but when it comes to the people side, we throw that definition away. Frankly, that's just odd!

Can People be a Risk?

People do make mistakes, granted, and heck, sometimes they are even malicious. If someone acts with malicious intent, then they are a threat, and we could say that systems or processes are the vulnerability that needs to be improved. If people make mistakes, again they still present as the threat, and again we need better systems or processes to cater for this. But they're still not the risk. The risk is a combination of people being a threat, and the vulnerabilities that exist.

Summary

Is "cyber security awareness" the best term for the people side of cyber security going forward? Personally, I like it. Telling staff that they need to come to "Human risk management" training is not a great way to tell people you appreciate their efforts in keeping your company safe from cyber criminals!

Is "Human risk management" an acceptable term? It doesn't make sense to me.

People get tricked because they are vulnerable. When someone is vulnerable, they need support and nurturing, and they certainly shouldn't be blamed for being a problem that they didn't create!

Final Words

Companies will ultimately drive these name changes. If they want to call it Human risk management, then vendors have to fall in line, and that means Web Safe Staff too. Time will tell.