From Security Awareness and Training to Human Risk Management in Cybersecurity

Security Awareness and Training (SAT) has been the default approach to address human cyber risk for decades. While it has had some limited success, it has been plagued by issues including a failure to address contextual, personal and cultural factors, a focus on compliance over behavior change, and a lack of proven long-term effectiveness. Among the calls for new approaches to displace SAT, Human Risk Management (HRM) is one of the most prominent. Despite growing interest from practitioners, it remains an under-researched topic in the cybersecurity domain. This paper addresses this gap by exploring HRM, its positioning with respect to the human aspect of cybersecurity, and its relationship to SAT. Through an interview-based study with 20 CISOs, SAT/HRM professionals and cybersecurity practitioners, we uncover diverse interpretations of HRM, from a rebranding of SAT, to a new approach centered on humans, data, and entire systems. Given its potential at enhancing existing practice, we reflect on these perspectives and propose a vision for HRM. This vision examines what HRM needs to be to solve the current and future challenges facing the human aspect of cybersecurity. We also present open questions for future research in this emerging area.