Kent Academic Repository

From Security Awareness and Training to Human Risk Management in Cybersecurity

Nurse, Jason R. C., Milward, Joanna, Alashe, Oz (2024) From Security Awareness and Training to Human Risk Management in Cybersecurity. In: 7th International Conference HCI for Cybersecurity, Privacy and Trust, 22-27 June 2025, Gothenburg, Sweden. (In press) (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided) (KAR id:108758)

PDF Author's Accepted Manuscript
Language: English

Restricted to Repository staff only

Abstract

Security Awareness and Training (SAT) has been the default approach to addressing human cyber risk for decades. While it has had some limited success, it has been plagued by issues including a failure to address contextual, personal and cultural factors, a focus on compliance over behavior change, and a lack of proven long-term effectiveness. Among the calls for new approaches to displace SAT, Human Risk Management (HRM) is one of the most prominent. Despite growing interest from practitioners, it remains an under-researched topic in the cybersecurity domain. This paper addresses this gap by exploring HRM, its positioning with respect to the human aspect of cybersecurity, and its relationship to SAT. Through an interview-based study with 20 CISOs, SAT/HRM professionals and cybersecurity practitioners, we uncover diverse interpretations of HRM, from a rebranding of SAT to a new approach centered on humans, data, and entire systems. Given its potential for enhancing existing practice, we reflect on these perspectives and propose a vision for HRM. This vision examines what HRM needs to be to solve the current and future challenges facing the human aspect of cybersecurity. We also present open questions for future research in this emerging area.

Item Type: Conference or workshop item (Paper)
Uncontrolled keywords: Cybersecurity, Human risk management, Security awareness, Security training, Behavior change, Security culture, Human aspects of security, Data analytics, Security interventions
Subjects: H Social Sciences
H Social Sciences > HF Commerce > HF5351 Business
Q Science > QA Mathematics (inc Computing science)
T Technology
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Funders: University of Kent (https://ror.org/00xkeyj56)
Depositing User: Jason Nurse
Date Deposited: 15 Feb 2025 11:52 UTC
Last Modified: 17 Feb 2025 12:23 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/108758 (The current URI for this page, for reference purposes)
