10-17, 13:00–13:20 (America/New_York), Track 2 (206a)
Implementing a Human Risk Management program involves more than the archaic approach of “yearly required training” and phishing assessments. It requires fostering a culture of ongoing improvement, where security is integrated into the organization's everyday operations, effectively transitioning from a compliance-focused posture into a true risk-reduction approach using the strategies outlined below. Effectively operationalizing security awareness programs is essential for cultivating a resilient workforce that is aware of security issues and of the role it plays in protecting both itself and the organization. Training approaches must also adapt as the threat landscape evolves, ensuring that organizations remain compliant and equipped to manage risks in a constantly shifting digital environment. By embedding security awareness into their operations, businesses can safeguard their data and personnel, creating a more secure atmosphere for everyone. The most effective program is one of human risk-based behavior change. We can quantify risk in a multifaceted way when we combine real-world metrics with individual user behaviors to target and educate our riskiest users with a true Human Risk Management program instead of the classic “one size fits all” approach.
A key tenet of any effective security awareness program is bite-sized content, as the average human attention span gets shorter every year, so this talk will be quick! We will have a short discussion of some simple (and a few complex but doable) steps to design a more effective security awareness program. I should have some time for a short Q&A session at the end as well (if allowed).
Transforming Security Awareness: From Compliance to Human Risk Management

- Beyond Traditional Training
  Move away from static, annual training and generic phishing simulations.
  Embrace continuous learning and adaptive education that reflects real-world threats.
- Culture of Ongoing Improvement
  Embed security into daily operations, making it a shared responsibility.
  Promote a mindset of vigilance and proactive behavior across all levels of the organization.
- Operationalizing Awareness Programs
  Integrate security awareness into workflows, not just as a separate initiative.
  Use engaging formats (e.g., microlearning, gamification, scenario-based training) to maintain relevance and retention.
- Adaptive Training for Evolving Threats
  Regularly update content to reflect the current threat landscape.
  Ensure training is both compliant and effective in reducing actual risk.
- Human-Centric Risk-Based Approach
  Focus on individual behaviors and risk profiles.
  Use real-world metrics (e.g., click rates, reporting behavior, access patterns) to identify and support high-risk users.
- Personalized Education
  Replace “one-size-fits-all” with targeted interventions.
  Tailor content and frequency based on user risk levels and learning styles.
- Quantifying Human Risk
  Combine behavioral analytics with technical data to create a multifaceted risk view.
  Use this data to drive strategic decisions and measure program effectiveness.
- Building a Resilient Workforce
  Empower employees to be the first line of defense.
  Foster a sense of ownership and accountability in protecting organizational assets.
My name is Eric Zyvith, CISSP. I have spent over 15 years in the cybersecurity industry, graduating from Penn State University with a B.S. in Security and Risk Analysis (covering the NSTISSI-4011 INFOSEC curriculum). I have worked in various fields, including NERC Critical Infrastructure Protection focusing on the cybersecurity of ICS, performing cybersecurity audits for the financial industry, P2P cyberintelligence with a focus on online criminal activity, and, for the last 8 years, as an SE and Human