Reducing human risk in cybersecurity requires a human-first approach: effective training and practice that let people gain security knowledge, rehearse secure behavior, and build a culture of security and mutual support.
While technology and policy must support, enable, and empower good security behavior, it is paramount to always consider a human-centered perspective first. After all, technology and policy only reduce cybersecurity risk if they influence human behavior in the right ways, either by encouraging good actions (such as reporting incidents) or by shielding behavior from outside influence (as firewalls and email filters do).
The values that underpin and guide human-first thinking are autonomy, equity, trust, and fairness. These values are core to building supportive relationships at work as well as at home, and they are the values great leaders focus their efforts on instilling in their people. The focus of all efforts must be to empower people and to lead by example, which translates directly to the people in cybersecurity, as I was reminded during a talk by Ibrahim El Abed of CPX during GISEC 2025.
Align your Cybersecurity Program with your Organizational Values
The values that drive your cybersecurity program should be the same values that drive your entire HR and people function. Cybersecurity must be part of people enablement and empowerment. It is no longer an afterthought, an optional extra, or a separate issue owned only by the information security team. Cybersecurity must become an opportunity for learning on the job, for constant improvement, a means to become better at your job. That is why you must design your program to turn every risk into an opportunity.
For example, employees could be tricked into joining fake online meetings using video deepfakes. Create a deepfake scenario and use it as a training tool to teach them how to recognize such threats and protect themselves against them. Your employees will appreciate the timely nature of the lesson; they are most likely already concerned about deepfakes on social media and in their private networks. In other words, create material that is informative, experiential, and relationship building.
Every opportunity to translate cybersecurity risk into a learning experience is a chance to increase the resilience of your workforce. A workforce that is aware of emerging threats and practiced at behaving securely when facing adversity is a workforce that continues to be productive and focused on value creation.
Balancing Friction and Flow: Making Cybersecurity a Shared, Human-Centered Responsibility
Well-calibrated cybersecurity is essential, and unnecessary friction and distraction must be avoided. When organizations start out with their human risk programs, cybersecurity is often treated as an afterthought, regarded as the responsibility of the IT department.
It is the challenge of security awareness and culture professionals to turn cybersecurity into a collective responsibility and a top-of-mind issue for the entire workforce. Cybersecurity must not become an end in itself: the goal of risk management is never to minimize risk but to maximize value creation while managing an acceptable level of risk.
Therefore, cybersecurity training, tools, and procedures must place the lowest possible burden on the user while providing the biggest possible benefit. Gartner called this minimum possible friction, otherwise known as a great user experience. Often enough, awareness programs have repetitive, predictable, and boring content, or they fail to provide workable tools and actionable policies. All of these issues cause unnecessary friction.
Better cybersecurity efforts drive change across several dimensions that affect security outcomes. This is where security culture, as the breeding ground for good security behaviors, becomes important. Friction should be used deliberately to create memorable learning experiences that alter a specific element of security culture; it should not be caused repeatedly without moving the needle on any behavior-influencing element of a people-centric security awareness program. Friction becomes necessary and acceptable only when it is required to push on such a behavior-influencing element.
In fact, friction is necessary to unlearn existing, insecure behavior so that there is space for newly learned, secure behavior. How exactly this happens is the topic of the next part in this three-part series.