The Future of Human Risk Management: Safeguarding the AI-Enabled Workforce

The Growing Significance of Human-Initiated Cybersecurity Incidents

Human-initiated cybersecurity incidents have emerged as the primary cause of breaches, with a staggering 74% of all incidents involving human error. This shift underscores a crucial change in the cybersecurity landscape: it is no longer solely about safeguarding systems but also about understanding how individuals are targeted in their daily work routines.

Traditional security awareness initiatives were founded on the belief that training could effectively mitigate risks. However, the reality is that human risk is not uniformly distributed and cannot be easily addressed through generic training programs. A small fraction of users consistently pose a disproportionate level of risk, influenced by factors such as their access levels, system interactions, and work context, rather than just the information acquired from training modules. Mitigating this risk demands targeted, context-specific interventions that tackle the specific behaviors and vulnerabilities that are most significant. As organizational environments have evolved, this gap has become more evident and impactful.

The landscape has now become even more intricate with the integration of AI into everyday operations. Employees now heavily rely on AI for various tasks such as drafting communications, data analysis, coding, task automation, and decision support. Moreover, many AI systems operate with legitimate credentials and access to enterprise systems.

This transformation fundamentally alters how organizations should approach human and workforce risk management.

It also signifies the dawn of a new era for Human Risk Management, one that extends beyond employees to encompass the risks introduced by AI systems acting on their behalf.

Why Traditional Security Awareness Training Falls Short

Traditional security awareness training programs typically measure success based on completion rates or results from phishing simulations.

Many real-world security breaches do not stem from an employee failing a phishing test but rather from operational errors in complex environments. These errors may include:

  • Sharing sensitive information with the wrong audience via collaboration tools or cloud platforms
  • Granting excessive access or permissions to applications or users
  • Misconfiguring systems or integrations that expose data
  • Automating workflows without proper oversight
  • Unintentionally exposing sensitive information through the use of AI tools

Security awareness training programs were designed for a static threat landscape and an exclusively human workforce, not for a world where technology and automation shape daily work routines.

The Emergence of Human Risk Management

Recent years have highlighted that cyber risk driven by the workforce is not evenly spread across organizations.

With the adoption of Human Risk Management, organizations have gained the capability to assess risk related to behavior, identity, access, and threat exposure. This visibility has unveiled a previously concealed pattern. According to Cyentia research, approximately 10% of employees contribute to nearly three-quarters of an organization’s risk.

Human Risk Management has shifted cybersecurity strategies from broad, one-size-fits-all training to a more precise, risk-oriented approach. Instead of treating all employees uniformly, HRM enables organizations to pinpoint where risks actually lie and implement targeted interventions to mitigate them.

For the first time, organizations can move beyond mere training completion metrics to achieve measurable risk reduction. This marks a significant shift in how cybersecurity programs address human risk.

The evolution has progressed as follows:

1. Security Awareness Training: Emphasizing education, compliance, and training completion metrics.

2. Human Risk Management: Providing visibility into risk across behavior, access, and threat exposure, facilitating targeted actions to reduce risk.

3. AI-Native Human Risk Management: Leveraging advancements in AI to apply predictive risk intelligence and automate security measures across dynamic workforces.

This evolution is ongoing.

Human Risk Management must now expand to consider AI systems operating alongside employees, which influence how work is done and where risk is introduced throughout the enterprise.

The Integration of AI Agents in the Workforce

AI is no longer just a tool for productivity; it is evolving into an active participant within enterprise environments.

Employees are increasingly depending on AI systems to execute tasks that previously required human effort. The percentage of employees using AI daily for their work has risen from 10% to 12%. These systems are involved in drafting documents, data analysis, workflow orchestration, and decision automation.

AI agents can take actions within enterprise environments without the contextual judgment that humans apply to security decisions. They can misinterpret data, execute flawed automation, or introduce risks through erroneous outputs, posing a new challenge for security leaders.

As AI adoption accelerates, organizations must now grapple with a broader question: how do you secure a workforce comprising both humans and AI agents?

Extending Human Risk Management to an AI-Driven Workforce

The answer lies in the ongoing evolution of Human Risk Management to encompass both human and AI-driven risks within the workforce.

Humans and AI agents now share access, data, and decision-making authority within organizations. Both can introduce risks, both require governance, and both must be monitored within a unified security framework.

Today’s security leaders must address new questions:

  • Which employees are granting AI tools access to critical enterprise environments?
  • What permissions and credentials do AI agents operate with?
  • How do automated systems make decisions within enterprise workflows?
  • Where could AI-driven actions introduce operational or security risks?

These challenges go beyond awareness; they underscore the need for Human Risk Management to consider systems working alongside and on behalf of employees.

Safeguarding the Future Workforce

As AI becomes ingrained in everyday enterprise operations, the line between human activities and automated decision-making will continue to blur.

Security teams must transcend traditional awareness metrics and adopt strategies that encompass the entire operational workforce. This entails securing not only human behavior but also the systems and agents increasingly operating on behalf of employees.

Cybersecurity has always evolved in tandem with technological advancements. Cloud computing, remote work, and digital transformation have each reshaped how organizations perceive and address risks.

AI is now propelling the next wave of transformation.

Organizations that thrive in this new era will be those that acknowledge a simple truth: the workforce is no longer exclusively human, and security strategies must adapt accordingly.

Ashley Rose serves as the CEO of Living Security. With a Bachelor of Business Administration from the University of Michigan, Ashley is a seasoned entrepreneur with expertise in product line design and management. Her journey in the tech industry led her to a profound interest in cybersecurity and its escalating impact on various facets of life. Co-founding Living Security, Ashley embodies the belief that empowering individuals is the cornerstone of lasting security awareness and breach prevention.

Connect with Ashley online via LinkedIn or visit our company website for an insight into our AI-Native Human Risk Management Platform.
