Nurse, Jason R. C., Milward, Joanna, Alashe, Oz (2024) From Security Awareness and Training to Human Risk Management in Cybersecurity. In: 7th International Conference HCI for Cybersecurity, Privacy and Trust, 22-27 June 2025, Gothenburg, Sweden. (In press) (KAR id:108758)

Author's Accepted Manuscript (PDF). Language: English.
Abstract
Security Awareness and Training (SAT) has been the default approach to addressing human cyber risk for decades. While it has had some limited success, it has been plagued by issues including a failure to address contextual, personal and cultural factors, a focus on compliance over behavior change, and a lack of proven long-term effectiveness. Among the calls for new approaches to displace SAT, Human Risk Management (HRM) is one of the most prominent. Despite growing interest from practitioners, it remains an under-researched topic in the cybersecurity domain. This paper addresses this gap by exploring HRM, its positioning with respect to the human aspect of cybersecurity, and its relationship to SAT. Through an interview-based study with 20 CISOs, SAT/HRM professionals and cybersecurity practitioners, we uncover diverse interpretations of HRM, ranging from a rebranding of SAT to a new approach centered on humans, data, and entire systems. Given its potential to enhance existing practice, we reflect on these perspectives and propose a vision for HRM. This vision examines what HRM needs to be in order to solve the current and future challenges facing the human aspect of cybersecurity. We also present open questions for future research in this emerging area.
| Field | Value |
|---|---|
| Item Type | Conference or workshop item (Paper) |
| Uncontrolled keywords | Cybersecurity, Human risk management, Security awareness, Security training, Behavior change, Security culture, Human aspects of security, Data analytics, Security interventions |
| Subjects | H Social Sciences; H Social Sciences > HF Commerce > HF5351 Business; Q Science > QA Mathematics (inc Computing science); T Technology |
| Divisions | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing; University-wide institutes > Institute of Cyber Security for Society |
| Funders | University of Kent (https://ror.org/00xkeyj56) |
| Depositing User | Jason Nurse |
| Date Deposited | 15 Feb 2025 11:52 UTC |
| Last Modified | 17 Feb 2025 12:23 UTC |
| Resource URI | https://kar.kent.ac.uk/id/eprint/108758 |