Human Risk Management: When Trust Becomes the Target

By Kiersten Putnam | Senior Innovation Researcher

Security teams have no shortage of tools for managing the vast number of security misconfigurations, threats, and risks across their organization. While many domains have seen significant innovation and investment, attention is now shifting to the factor behind nearly 95% of cyberattacks, the human element, and to the discipline of managing it: human risk management.

Social engineering attacks that target human risk are unique because they don’t require attackers to outsmart your tech stack, only to outplay your people. They are psychological attacks that manipulate human behavior by rushing employees into a response, impersonating trusted brands, or persuading them to make a one-time exception. And the use of AI has only supercharged these attacks, making them more discreet, convincing, and hyper-personalized to each organization. No longer are they poorly crafted phishing emails. Now, there are a variety of different techniques and AI-crafted campaigns that are more convincing and scalable than ever before.

Yes, there are safeguards evolving to handle these types of attacks at the points where they arrive: mobile, email, browser, and endpoint security. But those tools mainly protect systems and content. To fully defend against social engineering, organizations need to create a continuous program for the human layer, one that assesses risk posture, modernizes defenses, and continuously evolves employee behavior to align with best practices and procedures. This is where human risk turns from a major source of exposure into a measurable and manageable security program.

Where Awareness Training Starts to Lead to Fatigue

For years, many organizations have treated human risk management as security awareness training. These training modules educate employees on evolving threats and what to do when they inevitably encounter them. Simulations turn the lessons from the modules into lasting teachable moments, especially when an employee falls for a simulated phishing email. In theory, the combination of these tools naturally decreases human risk in an organization.

However, while valuable, these programs have traditionally been static, both in content and cadence. They cover generic security topics, such as explaining phishing emails or the importance of MFA, that may or may not resemble an organization's threat landscape, and they provide the same information to all employees without accounting for an individual's role or risk profile. Additionally, they are often delivered on an annual or fixed schedule as a mandatory checkbox, shifting the focus to completion rather than comprehension. Meanwhile, threats are arriving much faster and becoming increasingly tailored to a specific environment.

All this points to a simple truth: human risk management must be hyper-personalized to fit your organization. This shifts awareness training from a static checkbox to a dynamic system that measures, predicts, and manages risk. It allows you to understand your organization and your risky users while supporting them in making the right decisions.

So, how do you hyper-personalize human risk management to your organization?

This is evolving in two ways:

  1. Security Awareness and Human Risk Training: teaching people about scams before they arrive

  2. Human-Layer Detection and Response: a second set of eyes on every conversation that signals when it's a scam

Together, they create a system where risk becomes the driving factor behind the decisions made, training becomes tailored, and employees are met in the moment with the information they need to navigate away from risky behavior.

Let's dive into these a bit more.

Security Awareness and Human Risk Training: Building Scam-Savvy Employees

Many emerging solutions address the challenges of traditional security awareness training while evolving into risk management platforms. They start by understanding the risk posture of an organization from a tool, process, and people perspective. They create a risk index for employees by analyzing different signals, such as whether they are uploading sensitive information, downloading software from the internet, or logging in at unusual hours. Then, they create customized ways to deliver training modules and reinforcement through simulations, nudges, and micro-trainings. Each training and simulation can be customized to an organization's specific tools, processes, and best practices, and assigned to different user groups based on where they sit in the organization and/or their risk profiles. This creates a dynamic way to ensure the trainings are hyper-relevant, meeting each employee where they are instead of treating them all the same. As users improve their security posture, they can level down to a lower risk group and be dynamically placed in different training tracks.
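To make the risk-index idea concrete, here is an added example (not code from the post or from any vendor named in it) that scores the behavioral signals the paragraph lists, decays them over time so a user can level down, and maps the resulting group to a training track. The signal weights, half-life, thresholds, and track contents are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed weights for the signals named in the post (assumption, not a vendor model).
SIGNAL_WEIGHTS = {
    "sensitive_upload": 40,     # uploading sensitive information
    "unapproved_download": 25,  # downloading software from the internet
    "off_hours_login": 10,      # logging in at unusual hours
    "phish_sim_click": 30,      # clicked a simulated phishing email
}
HALF_LIFE_DAYS = 30.0  # a signal loses half its weight every 30 days (assumption)

@dataclass
class Signal:
    kind: str
    when: datetime

def risk_index(signals, now, half_life_days=HALF_LIFE_DAYS):
    """Sum signal weights with exponential decay by age, capped at 100.
    Unknown signal kinds and events dated in the future are ignored."""
    total = 0.0
    for s in signals:
        age_days = (now - s.when).total_seconds() / 86400
        if age_days < 0 or s.kind not in SIGNAL_WEIGHTS:
            continue
        total += SIGNAL_WEIGHTS[s.kind] * 0.5 ** (age_days / half_life_days)
    return round(min(total, 100.0), 1)

def risk_group(index):
    """Constructed thresholds: >=60 high, >=25 elevated, else baseline."""
    if index >= 60:
        return "high"
    return "elevated" if index >= 25 else "baseline"

# Constructed training tracks per risk group (assumption).
TRACKS = {
    "high": ["micro-training: handling sensitive data", "weekly phishing simulation", "manager nudge"],
    "elevated": ["micro-training: spotting phishing", "monthly phishing simulation"],
    "baseline": ["quarterly phishing simulation"],
}

def training_track(signals, now):
    """Return (index, group, track) so a user is re-placed as the index changes."""
    idx = risk_index(signals, now)
    grp = risk_group(idx)
    return idx, grp, TRACKS[grp]

if __name__ == "__main__":
    t0 = datetime(2024, 6, 1)
    events = [Signal("sensitive_upload", t0), Signal("phish_sim_click", t0)]
    print(training_track(events, t0))                      # high track right after the incidents
    print(training_track(events, t0 + timedelta(days=60)))  # levels down to baseline with no new signals
```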

In today's evolving threat landscape, many of these platforms are continuously updating their training libraries to include new trends, such as deepfake training and simulations. This ensures that while employees are being trained on current procedures and threats, they are also becoming aware of the growing threat landscape and what is to come.

Solutions in this space differ in their capabilities and in where they sit on the spectrum from security awareness to dynamic risk platforms. Solutions like Adaptive Security, Fable Security, Zepo Intelligence, or Outthink provide a dynamic catalog of awareness training and simulations, with extensive capabilities for customizing the modules and including emerging threats. While this is the core of their platforms, they are expanding into risk management by providing risk scores and dynamic tracks for users. On the other side, solutions like Living Security are primarily risk management platforms with deep capabilities for assessing risk across an environment and providing recommendations for remediation, including dynamic awareness training and simulations, along with recommended policy changes.

Human-Layer Detection and Response: Catching the Scam as It Happens

This group of solutions takes a different approach to human risk management. Instead of training employees and holding them responsible for avoiding social engineering attacks, these solutions focus on identifying the tactics and techniques that make up social engineering. In other words, instead of training employees, this method trains software and large language models to detect the attacks. The solutions ingest company policies, procedures, and signals to create a baseline of expected behavior in an organization. From there, they monitor the environment and the interactions taking place to determine whether each one is expected behavior or an anomaly. Anomalies can then be flagged, blocked, or addressed through remediation recommendations to keep users and the organization safe from social engineering threats.

Solutions in this space vary in their approach. Some solutions, such as Humanix, center on real-time conversational AI and understanding natural-language attack patterns. They monitor interactions across voice chat, email, and service channels to detect attacks through indicators of persuasion, deception, and impersonation. In contrast, other solutions focus less on the semantics of a conversation and more on the infrastructure layer and behavioral signals. Solutions like Imper.ai benchmark signals across network, device, and environment telemetry to understand the risk score of each interaction.

Tying It Together: A Modern Strategy for Social Engineering Defense

In summary, human risk management solutions keep employees safe by continuously assessing the risk of an organization or individual and providing the resources needed in the moment, whether that is a micro-training, a nudge, or stepping in to block an attack attempt.

When designing your defense strategy against social engineering, it's important to consider HRM as a critical piece in a larger puzzle. While HRM is central to identifying and managing risk, other solutions are needed to round out the defense. For example, there are controls on each channel (mobile, email, browser, etc.) to detect and block malicious activity before the user engages. Additionally, there are specialized solutions focused on specific types of social engineering attacks. Some monitor brand abuse and impersonation attempts by scanning online assets, social media, and web and mobile apps to uncover impersonations and harmful content for takedown. Others tackle emerging techniques, such as deepfakes, by monitoring synthetic voice and video attempts in real time and diverting employees before they act. It's important to consider all of these components when evaluating your defenses against social engineering.

Our team recognizes this is a dynamic space with new attack methods and defenses emerging constantly. As such, we are actively monitoring the social engineering defense landscape and creating content around each way to secure your organization. Look out for other blogs surrounding this topic and if you have questions while assessing the landscape, don’t hesitate to reach out to innovation@trace3.com.

Kiersten Putnam is a Senior Innovation Researcher at Trace3. She is passionate about new innovative approaches that challenge traditional processes across the enterprise. As a member of the Innovation Team, she delivers research content on emerging trends and solutions across enterprise cloud, security, data, and infrastructure. When she's not researching, she is either exploring the surrounding areas of Denver, Colorado, where she lives, or planning her next trip abroad.