How to talk like a human risk manager: Unleashing the language of credibility

Talking the risk management talk

“We have been looking at the people element from a risk lens probably more than we realize.” — Liz

It’s one thing to understand risk, but quite another to articulate it in a way that drives action and builds trust.

Risk management is often embedded into the work we do—sometimes without us even realizing it, as Liz pointed out: “I think to a certain extent, we have been looking at the people element from a risk lens probably more than we realize… You actually vocalize that and communicate that with the reduction of risk towards data leakage.”

But unless you work in a sworn-to-silence monastery, this isn’t just about actions. The language of risk, when wielded effectively, becomes a tool to influence decisions, to steer strategy, and to manage vulnerabilities. 

And it all starts here, with a topic that is as vital as it is unsexy: Terminology.

“Risk is found at the intersection of threat and vulnerability,” Oz pointed out. “This is a really important principle for anybody who manages risk.”

Understanding the nuanced relationship between these key terms is everything. As Oz pointed out, too often we jumble them together, losing sight of what’s actually driving the risk.

So, let’s break it down.

A Risk Outcome is the specific something (damage, loss-like or harmful) we want to avoid. It’s the actual result if that risk actually occurred.

Vulnerability is the weakness itself, that exposes you to threats, and therefore increases the likelihood of a negative event.

A Threat is anything that can exploit a vulnerability, intentionally or unintentionally and cause damage/harm or loss.

As a security awareness or human risk management professional a thorough understanding of the difference between risks, threats and vulnerabilities will help you better manage the human aspect of cyber security.

Want to delve deeper into how the three things interact? Read our guide: The difference between ‘risks’, ‘threats’ and ‘vulnerabilities’.

Why security awareness & training is not the whole story

“We have some really high-level ten or fifteen minute mandatory training, and then everyone thinks they can go back to their day jobs, and it’s all settled. How do we know behaviors have changed?” — Liz

Liz opened up about something she found particularly challenging—measuring the impact of training. “Of all the security disciplines and domains that I have to deal with… this is actually the area that I find the hardest,” she said, “because I’m still working out how to measure it. And I think the point around becoming more outcomes-based is really relevant.”

“When we think about the evolution [of cybersecurity], training was something that we all had to do—it’s a tick-box exercise. It’s done for regulatory requirements.”

“We have some really high-level ten or fifteen minute mandatory training, and then everyone thinks they can go back to their day jobs, and it’s all settled. How do we know behaviors have changed?”

And she’s right, of course. Just because someone has attended a training session doesn’t mean they’ve absorbed the knowledge—or that their behavior will shift.

Greg was on the same page here: “The completion of training is a terrible metric. Awareness training or cultural change platforms are just used to tick a box to say, ‘Yeah, we’ve done it. We’re compliant.’”

“You can’t get sucked into that. You have to really think about what the outcome should be.”

“The completion of training is a terrible metric. Awareness training or cultural change platforms are just used to tick a box to  say, ‘Yeah, we’ve done it. We’re compliant.’” — Greg

But how do we measure those outcomes in a meaningful way?

Meaningful measurements ahoy!

The conversation turned to the concept of risk outcomes—a more meaningful way to measure the success of human risk management.

Is the profession overly preoccupied with doing security, rather than delivering the outcome of security? Greg thinks it might be. “I think security teams are more comfortable with technology. This is far more abstract.”

Greg also emphasized the importance of thinking beyond just ticking boxes: “If this is successful or not, what should the change be? And look at that, not just whether we’ve done it, yes or no.”

Risk outcomes are a way to focus on the real impact of human behavior in security. And of the millions of security strategies out there, they come down to just a handful of outcomes. 

They are the most common risks associated with humans as they interact with workplace technologies.

Start treating human risk management like the asset it is

“We need to demonstrate value, and we need to understand the business that we’re part of. If we can’t explain what we do in the context of bringing about business outcomes that matter, we’re going to struggle to validate the fact that we’re doing anything of value.” — Oz

Demonstrating business value. You’re either smashing it or you need to be. And chances are, it’s the latter. Because as a profession, we’re historically not the best at this bit.

If you can’t show how your efforts contribute to the bottom line, you risk being seen as a cost center rather than an enabler of success.

Click rates, report rates, and training completion metrics all have two things in common:

1. The average security professional is great at measuring them and does it lots.
2. Your average executive doesn’t give a toss about them.

So how do you tie human risk management to, well, something that executives actually give a damn about?

What goes underappreciated is the way every tiny click metric feeds into the bigger picture. 

“As security professionals,” Oz said, “we need to demonstrate value, and we need to understand the business that we’re part of. If we can’t explain what we do in the context of bringing about business outcomes that matter, we’re going to struggle to validate the fact that we’re doing anything of value.”

This is the crux of CybSafe’s approach to human risk management: It’s as much about empowering the business to achieve its goals as it is about keeping people safe. In fact you can’t separate the two.

How do behaviors factor in?

There was some difference in opinion when it came to how behaviors fit into the risk equation.

Oz suggested that behaviors could be seen as vulnerabilities. People aren’t risks, but “the behavior is a vulnerability. If that behavior was to be modified and improved, that vulnerability would reduce.”

Greg saw things a little differently, positing that “behavior introduces risks, but you can’t be sure specifically what risks it’s going to introduce.”

Liz underscored how a seemingly trivial behavior can undermine formidable technological defenses: “You could throw all the money you like on deploying software and technology controls to prevent and block, but if you don’t have that kind of good culture and good behaviors, all that money might be completely wasted in a few seconds.”

Ah, there’s that word: culture. No discussion around human risk management is complete without it. Let’s do this.

Culture (eats strategy for breakfast)

“If I don’t care about other people, I don’t drive that change.” — Greg

Security culture runs the risk of being a side note in human risk management.

It isn’t. Or shouldn’t be anyway, as Greg made abundantly clear: “It’s very difficult to achieve the optimal outcome unless you have that collaboration where everyone understands and respects what each other is trying to do together.”

Liz agreed, explaining that culture is a core pillar of her security strategy at Thames Water: “One of the strategic pillars is to instill a cyber culture…The culture of an organization will determine how secure an organization is.”

Without the right culture, it’s impossible to build a security program that actually works. And as Greg pointed out, it’s not just about technical controls or policies—it’s about building a culture where people genuinely care about security:

But culture isn’t simply waving a flag with lofty values on it. It’s about actions and attitudes.

Culture is about what happens when no one’s looking.

“If I don’t care about other people, I don’t drive that change,” Greg added.

Liz agrees: “If you don’t have the culture, and that culture is not supported right from the top, then you’re going to have a really hard battle on your hands.”

Want to come out on top? Our definitive guide to human risk management gives you the full-fat, cream-and-sprinkles-on-top lowdown on mastering HRM.

The final word (or is it?)

“Instead of putting 10,000 mouse traps around a bag of seeds, why not put the seeds in a metal airtight tin?” — Greg

Language matters. The words you use—risk, threat, vulnerability, outcomes—can build trust and credibility. And throwing them around carelessly can do the complete opposite.

It’s the difference between shifting to a true human risk management paradigm versus paying lip service.

Because human risk management is about focusing on outcomes—about behavior change and risk reduction. Not ticking boxes and feeling smug.

But where to start with HRM? Our panelists shared some parting thoughts. 

Liz advocated for realism and for taking that all-important first step: “Just sit down and decide what your starting point is, where your key area of focus is, and what you can do right now.”

Greg’s takeaway? “Do less cybersecurity, do more business securely.” Or, so use an analogy, “Instead of putting 10,000 mouse traps around a bag of seeds, why not put the seeds in a metal airtight tin?”

And Oz’s HRM hack? “Start at the end and work backwards—what’s the risk outcome you’re trying to avoid? Therefore, which behaviors should we be focused on?”

But, before you leap into action, do yourself a favor and catch the full webinar. There’s so much we couldn’t fit in here, like even more practical takeaways, real-world examples, and thought leadership from some of the best in the business.