Words Matter: Human Risk Management in Cybersecurity
Words carry powerful connotations and set the context for how we perceive and interact with our world. They’re not just placeholders; they influence behavior and set expectations. This is especially true in cybersecurity, where terminology doesn't just describe reality—it actively shapes our defensive strategies.
For the past decade, "security awareness" has been the cornerstone of cybersecurity efforts. This term and the movement it encapsulates have done an admirable job of bringing attention to the digital threats we face. Pioneers in this field have laid the groundwork that prepared us to advance to where we are today—a stage where mere awareness is insufficient.
Take the example of a pile of bricks. On their own, they're bricks. But combine them with mortar, wood, and glass, and they transform into something much greater: a building. Similarly, in the cybersecurity realm, the term "security awareness" fails to encompass the full spectrum of what it’s supposed to represent. It’s like calling a building just "bricks" because it's familiar. Security awareness is crucial—it alerts us to the dangers and methods of defense. Yet, it doesn’t inherently change behavior or foster a robust security culture. It’s merely one piece of the puzzle.
That’s why I like the term "human risk management." It serves as an umbrella that captures the full spectrum of human factors in cybersecurity—beyond the initial alert to potential threats, it encompasses proactive strategies that manage and mitigate risks through understanding and influencing organizational behavior and culture. This approach is inclusive, ensuring that all aspects of risk, from knowledge to execution, are considered.
But it isn't without its complications. It closely resembles "human resource management," a similarity that has already led to confusion among professionals who mistakenly assume it's an HR function. I have heard more than once, “Why are we suddenly bringing HR into it?” (a blog for another time). Moreover, the cybersecurity industry's fondness for acronyms only muddies the waters further, making it harder for professionals to navigate what is already a complex field.
There is also the risk that the evolution of terminology in our field appears as a sales tactic, a rebranding rather than a true shift in methodology. It is critical that the adoption of new terms like human risk management be accompanied by actual, substantive changes in approach. These terms must not only resonate on a surface level but should also reflect deeper, strategic shifts that address the complexities of modern cybersecurity.
In the future, the precision of our language will be as crucial as the technologies we employ. We need clear, accurate, and meaningful terminology that aligns with effective security practices. This clarity is essential not just for cybersecurity professionals but for everyone involved, from front-line employees to board members and executives. Achieving this will likely require more than vendor-driven initiatives; it will also need oversight from neutral bodies dedicated to defining and upholding standards in cybersecurity terminology and practice.
Let's ensure that our language evolves to match the sophistication of our technologies and strategies. Clear and effective communication is not just good practice; it is essential for comprehensive security management and a well-informed, resilient organization.
Praxis Navigator offers a new, holistic and integrated approach to managing human risk. Sign up today to see how your data can help you build a more resilient organization.