The market for traditional security awareness computer-based training (SACBT) has become standard, stable, and largely commoditized. There are literally over 50 different products on the market that purport to do some form of SACBT.

CISOs typically adopt these products for two primary purposes: phishing simulations and compliance. None of it works.

But, it not only doesn’t work, it never has worked. In 2012, we could trace 95% of all cyber break-ins to a human error of one kind or another – a misconfiguration, an over-privileged user, an intentional MFA workaround or an unintentional click on a malicious email offer – today, after spending north of $60 Billion on SACBT, we can still trace 95% of all cyber break-ins to human error.

Organizations that are serious about managing human risk are turning to new solutions, in a category known as Human Risk Management (HRM). Both Gartner and Forrester have acknowledged the category, named market leaders and created an MQ and Wave for it. The elements include:

Behavioral Science: Psychological principles that drive real behavior change.

Data Integration: Analyzing data from many sources for human behavior insights.

Personalized Engagement: Tailoring engagement to individual needs.

Human Risk Management

The objectives of human risk management are: achieving baseline compliance, targeting training to the employees most in need, and changing the culture to a model of security consciousness. That is to say, we no longer need to drag the entire company through dreaded SACBT training, which all by itself is a huge win.

The CyerEd.io HRM solution uses our customers’ installed security products to aggregate data about employee behaviors, and then parses that data in real-time with views by employee, department, team, function, etc. The views focus on a Risk Score, which is an immediate indicator of how risky or safe the behaviors are at each level. Risk scores that exceed the safe threshold are indicated for intercession at the individual or team level with training from our extensive library to address the specific risk.

Continuous Behavior Visibility

And with our continuous behavioral monitoring engine, we have visibility and observability into progress and/or regress at the same levels so we can measure the efficacy of the training and identify gaps should any exist.

While only 5% of organizations today are exploring Human Risk Management according to Gartner, just the savings from abandoning traditional approaches to training the whole enterprise in security awareness should be enough to justify the purchase of a brand new system.

Those who don’t bother are placing their companies at significant risk. The HRM approach paves the way for a modified agenda that does not distract the entire company, yet delivers completely on compliance, safety and ROI.