CISOs stop chasing vulnerabilities and start managing human risk – Help Net Security
Published on: 2025-09-10
Intelligence Report: CISOs stop chasing vulnerabilities and start managing human risk – Help Net Security
1. BLUF (Bottom Line Up Front)
The article's central claim is that CISOs are shifting their focus from chasing technical vulnerabilities to managing human risk. Of the two hypotheses below, the one holding that organizations are not yet prepared to handle human-centric threats is the better supported. Confidence level: Moderate. Recommended actions are to strengthen role-specific training and to extend monitoring to the communication channels where social engineering and insider activity actually occur, subject to the legal and privacy constraints noted in section 5.
2. Competing Hypotheses
1. Organizations are shifting focus from technical vulnerabilities to managing human risk, but remain unprepared to address these threats effectively because their tools and training have not kept pace.
2. Organizations have successfully adapted to managing human risk; the perceived unpreparedness is overstated, and current measures are sufficient to mitigate the threat.
Weighing the two against the survey evidence (the report's Bayesian scenario modeling), the first hypothesis is the more likely: respondents report that most incidents originate in user behavior, and they express low confidence in their employees' ability to detect threats.
3. Key Assumptions and Red Flags
- Key assumption: human behavior is now a more significant threat vector than technical vulnerabilities. This is asserted by the survey rather than demonstrated against incident data.
- Potential bias: the findings rest on a single survey from a vendor (Dune Security, whose CEO is quoted), with no external validation; self-reported confidence levels and incident attribution should be weighed accordingly.
- Red flags: no detailed data on the effectiveness of current training programs, and likely underreporting of successfully mitigated threats, which would bias the picture toward failure.
4. Implications and Strategic Risks
The shift toward human risk management implies a need for more targeted training and for monitoring that covers human-driven attack paths. Failing to make that shift leaves organizations exposed to breaches through social engineering and insider threats, which carry higher incident response and remediation costs. It also carries an organizational cost: if internal threats are handled poorly, or if monitoring is perceived as surveillance, trust within the organization erodes.
5. Recommendations and Outlook
- Strengthen employee training with personalized, role-specific simulations (for example, phishing and pretexting scenarios tailored to finance, HR, and privileged IT roles) so that detection capability is measured and improved per role rather than assumed from completion rates.
- Extend monitoring to the encrypted and informal communication channels (chat, messaging apps, personal email) where social engineering and insider activity take place, so threats are detected early. Caveat for practitioners: monitoring such channels is only feasible on managed endpoints or sanctioned platforms, and must comply with applicable privacy and employment law and be disclosed to employees; covert or overbroad monitoring creates legal exposure and undermines the trust the program depends on.
- Scenario-based projections:
- Best: Organizations adapt effectively and breach incidents fall significantly.
- Worst: Attention stays on technical vulnerabilities while social engineering and insider-driven breaches continue to rise.
- Most likely: Gradual improvement in managing human risk, with some initial setbacks.
6. Key Individuals and Entities
David Dellapelle, CEO of Dune Security, is the key individual quoted in connection with the survey and its findings.
7. Thematic Tags
cybersecurity, human risk management, social engineering, insider threats