International Cyber Expo International Cyber Expo
  • About Us
Friday, 10 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Human Risk: An Organisation’s Biggest Problem and Greatest Opportunity

Becky Gelder, risk consultant, Turnkey Consulting

by The Gurus
April 17, 2024
in Featured
Human Risk: An Organisation’s Biggest Problem and Greatest Opportunity
Share on FacebookShare on Twitter

Organisations often lean on the ‘People, Process, and Technology’ (PPT) framework as a way of demarcating value streams and driving action. When managed well, the triad works in unison to ensure a comprehensive and layered approach to defence. But what happens when one pillar is weaker than the others?

Human risk is incurred by the compromising behaviours of those inside the organisation, both accidental and purposeful. This risk is realised in various ways, from data leakage and operational inefficiencies, to blackmail, fraud, and ransomware. The Verizon 2023 Data Breach Investigations Report found that ‘74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering’.

It also reported that phishing fell into the top three breach methods, reinforcing the need for dedicated efforts to help combat the impact and likelihood of an incident. Opting for yearly training often misses the mark; seen as a chore, or a tick-box compliance exercise, it fails to equip staff with the skills and knowledge to build a healthy security culture.

So where does human risk come from, and how can it be managed? More importantly, how can the workforce be empowered to become an asset rather than a liability?

Understanding Behaviours: Where Does Human Risk Originate?

The sources of human risk are numerous and complex, based on company culture, individual disposition, and immediate circumstances.

  • Curiosity and Impulse. Where users are curious without restraint, risk is induced through impulsive engagement with harmful content or processes. This may manifest as a user thoughtlessly clicking on an email link, or through the implementation of shadow IT.
  • Trust and Comfort. Desire to see the best in everyone may lead users to blindly bestow trust upon dishonest entities. Gaining trust is a core requirement of a social engineering attack, enabling exploitation based on an established but disingenuous relationship.
  • Lack of Education and Awareness. If users are not taught how to combat threats, they cannot be expected to enact best-practices. A one-size-fits-all training approach means teams often struggle to see how security relates to them, leaving holes in knowledge application and risk perception.
  • Culture and Behaviours. In our fast-paced digital world, jobs are made harder by the demand for efficiency and constant availability. Increased pressure may drive employees to cut corners or mis-perform processes to meet deadlines.

Often there is no malicious intent in the incurrence of human risk. To better understand potential causes, an organisation needs to consider the following within the context of its own operations:

  • What makes the workforce act the way they do? What pressures are applied (both overtly and through subtext) by the organisation’s culture?
  • Who (and what) do employees inherently trust?
  • What challenges do staff face in their roles that lead them to seek workarounds?
  • Do employees have enough knowledge to react to events with security in mind?
  • How does interaction with risk and security differ depending on the role employees perform?
  • How is security perceived and acted upon at different management levels within the organisation?

Know the Team: Understanding Risk Profiles Across the Workforce

Risk profiles cannot be applied unanimously to every individual or team. Whatever the organisation’s culture, it is imperative that security processes are built to work with it, not struggle against it – even if this means adapting security training for different regions, teams, or management levels.

  • Department Function. Each function interacts differently with the company’s value streams and processes, inviting different forms of risk exposure. It is unlikely that warehouse workers will incur the same risks as developers working on ERP systems, or finance teams working with vendor payments.
  • Seniority and Hierarchy. In a culture that favours hierarchy and formality, more junior employees may struggle to speak out or ‘go over the heads’ of their managers to raise issues. Managers may also take different approaches, driving a fractured response. 

Where to Start: Building a Human Risk Response

Mitigating human risk requires a strong security culture instilled across every level of the business – from C-Suite to factory floor workers. So where to start?

  1. Understand Risk

Implementing policy or training without a baseline will result in wasted investment. It is important to first understand the business drivers, critical assets, and risk profile – from here training that will best suit the business and recognise any gaps that expose it to human vulnerabilities can be identified. This also helps identify areas that are already protected, to prevent over-investment in departments requiring less attention.

  1. Tailor Training

Identify the different training requirements for each department based on their role and exposure to risk. A ‘one-size-fits-all’ approach does not work when everyone has such vastly different responsibilities. Embrace different forms of training, from subject-specific sessions to micro-training opportunities; in each case making sure to tailor it to the users to be engaged.

  1. Engage with Training Results

Engage with the data resulting from training, and tailor approaches based on the gaps identified in previous teaching rounds.

Training activities are only as good as the impression they make on employees: tracking the number who complete the training is not the same as measuring who has understood and implemented their learning. Training should be sustainable, with measurable outcomes and follow-up plans for those who need further assistance.

  1. People add Value, not Vulnerability

Employees tend to know workplace processes better than anyone. Given the correct support, they are perfectly placed to identify warning signs of compromise, report them, and support recovery activities. This requires an open and supportive culture, in which employees feel able to safely report incidents without fear of repercussions.

Conclusion: Avoid Tick-box Training and Compliance Activities

Ultimately, there needs to be a move away from tick-box compliance activities towards a more robust and integrated approach to training and controls. Instilling a strong security culture across every tier of the organisation requires understanding of what drives employee action, alongside how this differs between functions and leaders.

Without considered and purposeful training, an enterprise is under-equipping and under-valuing the ability of its workforce to combat human risk. Instead, organisations should facilitate learning opportunities that best suit their people, enabling them to work alongside technology and processes to protect their critical assets.

Author: Becky Gelder, risk consultant, Turnkey Consulting

ShareTweet
Previous Post

Flyfish Review – How Reliable are this Company’s Payroll Management Solutions?

Next Post

Keeper Security Offers Built-In Passphrase Generator to Strengthen Security

Recent News

hand typing on keyboard

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find

July 9, 2026
malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026
Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol