I am starting my third Forrester Wave™ evaluation for the market that used to be called the security awareness and training (SA&T) market. We’ve been calling it human risk management when advising clients for the last few years but have finally reached the decision to formally retire the SA&T nomenclature.

This blog explains why we (and the whole industry) are making the change from SA&T to human risk management; defines human risk management; and adds color about the complexity and opportunity of rejecting the status quo and evolving our ways of thinking.

Why The Change?

Forrester predicts that 90% of data breaches will include the human element in 2024. Yet our efforts in understanding and managing this significant threat remain perfunctory, with one touted silver bullet: SA&T. This is a market that has grown exponentially, with some reports predicting a market worth $10 billion annually by 2027. Even with all this training and quizzing, human-related breaches are on the up. For example, the FBI reported that losses to businesses defrauded by successful business email compromise attacks rose from $676 million in 2017 to $2.7 billion in 2022, an almost tenfold increase in five years.

Why Now?

Simply put, with all that we know at Forrester after covering the discipline of awareness, behavior, and culture in depth for six years, it felt unconscionable to continue the status quo. Our report, The Future Of Security Awareness And Training: Disrupt The Status Quo By Moving To Adaptive Human Protection, examines the major expected changes in security awareness and training in the short, medium, and long term as follows:

  • In the long term, adaptive human protection will create freedom for employees. We articulate that, for most organizations, this future is realistically years away (we estimated 6–10 years), so in the meantime, cue human risk management.
  • The medium-term focus on human risk management will overcome SA&T’s shortcomings. Because of SA&T’s shortcomings, positively influencing employee security behavior and instilling a security culture will be driven by evidence-based human-risk management.
  • The immediate term has us focusing on the methods by which we train people, rather than the outcomes. This satisfies regulatory requirements for security training but little else. We call this security awareness and training.

Is Everyone Ready For Change?

I won’t lie to you — much of the industry is still in the “immediate term.” Many of my 2023 inquiry and guidance sessions were along the lines of “We would like insights on the fundamentals of setting up awareness programs.” Yet they all ended up with a sophisticated discussion on the need to do better, and the questions quickly evolved. Many questions were driven by status quo dissatisfaction, a desire to do better, and change. In 2023, we saw human risk management moving from concept to reality:

What Is Human Risk Management, Anyway?

This is not just a name change (aka mutton dressed as lamb)! It is a significant change of mindset, strategy, process, and technology about how we approach an old problem in a new world.

At Forrester, we define HRM solutions as:

Solutions that manage and reduce cybersecurity risks posed by and to humans through:

1) Detecting and measuring human security behaviors and quantifying the human risk.

2) Initiating policy and training interventions based on the human risk.

3) Educating and enabling the workforce to protect themselves and their organization against cyber attacks.

4) Building a positive security culture.

Satisfying requirements for security awareness training is a secondary use case for human risk management solutions while the focus stays on changing behaviors and promoting security culture.

Let’s Connect

Forrester security and risk clients who have questions about this significant change, or about how to position themselves to effectively identify and manage the human risk, can reach out to me via inquiry or guidance session.