Human Risk Analyst
Description
We are seeking a proactive Human Risk Analyst to join our security team with a focus on understanding, assessing, and mitigating security risks stemming from human behavior. This role combines behavioral psychology, security awareness, and data analytics to reduce organizational risk through education, simulation, and strategic intervention. The ideal candidate will develop comprehensive security awareness programs, conduct social engineering assessments, and foster a strong security culture across the organization.
Core Responsibilities:
Security Awareness & Training Programs:
- Design, develop, and implement comprehensive security awareness and training programs tailored to different roles, departments, and risk profiles across the organization
- Create engaging, interactive training content including videos, e-learning modules, newsletters, posters, and gamification elements to drive employee participation
- Leverage security awareness platforms (such as KnowBe4, Proofpoint, or similar) to deliver training campaigns and track completion and effectiveness
- Measure training effectiveness through metrics including completion rates, knowledge retention assessments, and behavioral change indicators
- Continuously refine training content based on emerging threats, incident trends, and feedback from stakeholders
Social Engineering Testing & Simulation:
- Plan and execute simulated phishing campaigns, vishing (voice phishing), smishing (SMS phishing), and other social engineering exercises to test employee awareness and resilience
- Design realistic attack scenarios that reflect current threat actor tactics, techniques, and procedures
- Analyze simulation results to identify high-risk users, departments, and behavioral patterns that require targeted intervention
- Provide constructive feedback and remedial training to employees who fall victim to simulations
- Track improvement trends over time and report on the organization’s resilience to social engineering attacks
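Worked example (added for this page; it is not part of the original posting and not the code of any awareness platform named here): scoring simulation results per department and per campaign. The input rows are constructed sample data shaped like a campaign export; the column names, the 25% click-rate threshold and the "reports per click" resilience ratio are assumptions chosen for illustration.

```python
"""Phishing-simulation scoring by department and campaign (added example).

Each row is one targeted user in one campaign:
(campaign, user, department, clicked, submitted_credentials, reported)
The data below is constructed for illustration, not a real export.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_RESULTS = [
    ("2024-Q1", "a.ali", "Finance", True, True, False),
    ("2024-Q1", "b.bose", "Finance", True, False, False),
    ("2024-Q1", "c.chen", "Finance", False, False, True),
    ("2024-Q1", "d.diaz", "Engineering", False, False, True),
    ("2024-Q1", "e.ero", "Engineering", True, False, True),
    ("2024-Q1", "f.fox", "Engineering", False, False, False),
    ("2024-Q2", "a.ali", "Finance", True, False, False),
    ("2024-Q2", "b.bose", "Finance", False, False, True),
    ("2024-Q2", "c.chen", "Finance", False, False, True),
    ("2024-Q2", "d.diaz", "Engineering", False, False, True),
    ("2024-Q2", "e.ero", "Engineering", False, False, True),
    ("2024-Q2", "f.fox", "Engineering", False, False, False),
]


@dataclass
class DeptScore:
    targeted: int
    clicked: int
    submitted: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.targeted

    @property
    def report_rate(self) -> float:
        return self.reported / self.targeted

    @property
    def resilience(self) -> float:
        # Reports per click. Two departments with the same click rate are
        # not equally risky if one of them also reports the email.
        # Nobody clicked: resilience is unbounded, not a division error.
        return self.reported / self.clicked if self.clicked else float("inf")


def score_by_department(results, campaign):
    """Aggregate one campaign's rows into a DeptScore per department."""
    scores = {}
    for camp, _user, dept, clicked, submitted, reported in results:
        if camp != campaign:
            continue
        s = scores.setdefault(dept, DeptScore(0, 0, 0, 0))
        s.targeted += 1
        s.clicked += int(clicked)
        s.submitted += int(submitted)
        s.reported += int(reported)
    return scores


def high_risk_departments(scores, max_click_rate=0.25):
    """Departments above the (assumed) click-rate threshold, worst first."""
    over = [d for d, s in scores.items() if s.click_rate > max_click_rate]
    return sorted(over, key=lambda d: -scores[d].click_rate)


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns:
    the population that needs targeted intervention rather than a
    generic reminder."""
    clicks = defaultdict(set)
    for camp, user, _dept, clicked, _sub, _rep in results:
        if clicked:
            clicks[user].add(camp)
    return {u for u, camps in clicks.items() if len(camps) >= min_campaigns}


def click_rate_trend(results, dept):
    """(campaign, click_rate) pairs in campaign order for one department."""
    out = []
    for camp in sorted({r[0] for r in results}):
        s = score_by_department(results, camp).get(dept)
        if s is not None:
            out.append((camp, s.click_rate))
    return out


if __name__ == "__main__":
    for camp in ("2024-Q1", "2024-Q2"):
        scores = score_by_department(SAMPLE_RESULTS, camp)
        for dept, s in scores.items():
            print(f"{camp} {dept:12s} click={s.click_rate:.2f} "
                  f"report={s.report_rate:.2f} resilience={s.resilience:.2f}")
        print(camp, "high risk:", high_risk_departments(scores))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("Finance trend:", click_rate_trend(SAMPLE_RESULTS, "Finance"))
```

The point of tracking the report rate next to the click rate is that click rate alone rewards campaigns nobody notices; a department that clicks less but also reports less has not improved. Repeat clickers are identified across campaigns, not within one, so that a single lapse does not land someone on a remediation list.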
Human Risk Assessment & Analysis:
- Conduct comprehensive risk assessments focused on human factors, behavioral vulnerabilities, and organizational culture
- Utilize risk assessment frameworks (NIST Risk Management Framework, ISO 31000, FAIR) to quantify and prioritize human-related security risks
- Identify high-risk behaviors such as poor password hygiene, unauthorized software usage, data handling violations, and policy non-compliance
- Develop risk treatment plans and mitigation strategies tailored to specific behavioral risks
Behavioral Analytics & Monitoring:
- Analyze user behavior patterns and activity logs to identify anomalies that may indicate insider threats, compromised accounts, or policy violations
- Collaborate with security operations teams to investigate suspicious user activities and potential security incidents
- Utilize User and Entity Behavior Analytics (UEBA) tools and techniques to establish behavioral baselines and detect deviations
- Monitor trends in security-related user behaviors such as security tool bypass attempts, repeated policy violations, or risky access patterns
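Worked example (added for this page; not code from the posting or from any UEBA product): the per-user baseline-and-deviation scoring that underlies the "establish baselines and detect deviations" responsibility above. The daily activity counts are constructed sample data, and the z-score threshold, the standard-deviation floor, the minimum absolute excess and the minimum history length are assumed tuning values.

```python
"""Per-user baseline and deviation scoring of the kind UEBA tools apply.

Constructed sample: daily counts of one activity (say, files downloaded
from a file share) for the last 14 days per user, then today's count.
Thresholds are assumptions; real deployments tune them per activity.
"""
from dataclasses import dataclass
from statistics import mean, stdev
from typing import Optional

Z_THRESHOLD = 3.0        # flag at three standard deviations (assumed)
STD_FLOOR = 1.0          # flat baselines would otherwise divide by ~0
MIN_EXCESS = 10          # absolute rise required, so 0 -> 3 is not an alert
MIN_BASELINE_DAYS = 7    # refuse to score users with too little history

BASELINE = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 14, 13, 15],
    "bob":   [0] * 14,                      # never downloads: zero variance
    "carol": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 14, 13, 15],
    "dave":  [5, 6],                        # new joiner, two days of history
}
TODAY = {"alice": 140, "bob": 3, "carol": 16, "dave": 200}


@dataclass
class Finding:
    user: str
    value: int
    baseline_mean: float
    zscore: Optional[float]
    verdict: str   # "anomaly", "normal" or "insufficient_baseline"


def score_user(user: str, history, value: int) -> Finding:
    """Compare today's value with the user's own history."""
    if len(history) < MIN_BASELINE_DAYS:
        # A new account has no behaviour to deviate from. Surfacing that
        # explicitly is better than a silent zero or a meaningless score.
        mu = mean(history) if history else 0.0
        return Finding(user, value, mu, None, "insufficient_baseline")
    mu = mean(history)
    sigma = max(stdev(history), STD_FLOOR)
    z = (value - mu) / sigma
    # Both tests must pass: a statistically large jump on a flat baseline
    # (bob: 0 -> 3) is noise, while alice's 13 -> 140 is worth a look.
    anomalous = z >= Z_THRESHOLD and (value - mu) >= MIN_EXCESS
    return Finding(user, value, mu, z, "anomaly" if anomalous else "normal")


def score_all(baseline, today):
    """Score every user seen today; users with no history get an empty list."""
    return {u: score_user(u, baseline.get(u, []), v) for u, v in today.items()}


if __name__ == "__main__":
    for f in score_all(BASELINE, TODAY).values():
        z = "n/a" if f.zscore is None else f"{f.zscore:.1f}"
        print(f"{f.user:6s} today={f.value:4d} mean={f.baseline_mean:5.1f} "
              f"z={z:>5s} {f.verdict}")
```

In practice a finding like alice's is a lead for the security operations team, not a conclusion: the next step is to check whether the downloads line up with a job change, a departure notice, or a compromised session, which is the investigation described in the bullets above.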
Insider Threat Program Support:
- Support insider threat detection and prevention initiatives by identifying behavioral indicators of potential malicious or negligent insider activity
- Collaborate with HR, legal, and security teams on insider threat investigations while maintaining appropriate confidentiality and compliance
- Develop strategies to reduce insider risk through policy, process improvements, and technological controls
Security Culture Development:
- Champion a positive security culture by making security awareness engaging, accessible, and relevant to employees’ daily work
- Partner with department leaders and executives to integrate security messaging into business operations and communications
- Organize security awareness events such as Cybersecurity Awareness Month activities, lunch-and-learns, and security challenges
- Serve as a visible security advocate and resource for employees seeking guidance on security concerns
Metrics, Reporting & Communication:
- Establish and track key performance indicators (KPIs) and key risk indicators (KRIs) related to human risk and security awareness
- Prepare regular reports and executive dashboards on security awareness program effectiveness, phishing simulation results, and risk trends
- Present findings and recommendations to leadership, translating complex security concepts into business impact and actionable insights
- Communicate security policies, procedures, and best practices clearly to diverse audiences across the organization
Policy & Compliance:
- Ensure security awareness and training programs meet regulatory and compliance requirements (HIPAA, SOC 2, PCI DSS, GDPR, etc.)
- Collaborate with compliance teams to address human-related risks in audit findings and assessments
- Maintain documentation of training activities, acknowledgments, and compliance evidence for audit purposes
- Stay current with data privacy regulations and their implications for employee monitoring and training
Cloud Security Awareness:
- Develop training content specific to cloud security risks, secure cloud usage, and AWS best practices for end users
- Educate employees on cloud data protection, appropriate use of cloud services, and shadow IT risks
- Support secure adoption of cloud technologies through user education and guidance
Required Qualifications:
Experience:
- 3+ years of experience in cybersecurity, security awareness, risk management, human factors security, or related fields
- Proven track record of developing and implementing successful security awareness and training programs
- Hands-on experience managing human-related security risks and conducting social engineering assessments
- Experience leading or participating in projects that measurably reduced human-related security risks
- 5+ years of experience in IT security, including exposure to cloud environments and security architectures
Technical Expertise:
Security Awareness & Training:
- Expertise in designing, implementing, and evaluating effective security awareness programs using adult learning principles and behavior change models
- Proficiency with security awareness and training platforms such as KnowBe4, Proofpoint Security Awareness, Infosec IQ, or similar solutions
- Experience with Learning Management Systems (LMS) and content authoring tools
- Ability to create compelling training content in various formats (presentations, videos, infographics, interactive modules)
Social Engineering & Attack Simulation:
- Deep understanding of social engineering techniques and attack vectors including phishing, spear phishing, whaling, pretexting, baiting, quid pro quo, and tailgating
- Practical experience designing and conducting realistic social engineering simulations and red team exercises
- Knowledge of current phishing trends, credential harvesting techniques, and business email compromise (BEC) tactics
- Ability to craft convincing social engineering scenarios while maintaining ethical standards
Risk Assessment & Management:
- Strong knowledge of risk assessment methodologies and frameworks including the NIST Risk Management Framework, NIST SP 800-30, ISO 31000, and FAIR (Factor Analysis of Information Risk)
- Experience conducting qualitative and quantitative risk assessments with focus on human factors
- Understanding of risk registers, risk matrices, and risk treatment strategies
- Familiarity with compliance frameworks such as SOC 2, HIPAA, PCI DSS, and GDPR
Behavioral Analytics:
- Understanding of User and Entity Behavior Analytics (UEBA) concepts and technologies
- Familiarity with tools and techniques for monitoring user activity and detecting anomalies (SIEM, DLP, CASB, IAM analytics)
- Ability to analyze behavioral data to identify patterns, trends, and outliers indicating security risks
- Knowledge of statistical analysis methods for behavioral pattern recognition
Psychology & Behavioral Science:
- Understanding of psychological principles related to human behavior, decision-making, cognitive biases, and risk perception
- Knowledge of behavior change theories and techniques (such as persuasion, nudging, gamification, and positive reinforcement)
- Ability to apply behavioral science concepts to security awareness and risk mitigation strategies
Cloud Security (AWS):
- Working knowledge of AWS Cloud Platform and cloud security best practices
- Familiarity with AWS security services including Security Hub, GuardDuty, Inspector, CloudTrail, IAM, Cognito, and KMS
- Understanding of cloud-specific security risks and user responsibilities in shared responsibility models
- Experience with cloud security technologies including firewalls, VPNs, IDS/IPS, WAF, SIEM, and endpoint security solutions
Technical Security Knowledge:
- General understanding of cybersecurity principles, common vulnerabilities, and attack methods
- Familiarity with security technologies and concepts (encryption, authentication, access controls, network security)
- Basic knowledge of containerization, CI/CD pipelines, Infrastructure-as-Code (IaC), and DevSecOps practices
- Understanding of data classification, data loss prevention, and information protection controls
Compliance & Privacy:
- Strong knowledge of data privacy regulations (GDPR, CCPA, HIPAA) and their impact on employee monitoring and training
- Experience ensuring compliance with legal and regulatory requirements related to human risk management
- Understanding of employee privacy rights and ethical considerations in security monitoring
Preferred Qualifications:
Certifications:
- CISSP (Certified Information Systems Security Professional)
- Security+ or SSCP (Systems Security Certified Practitioner)
- CISM (Certified Information Security Manager)
- CRISC (Certified in Risk and Information Systems Control)
- Certified Information Privacy Professional (CIPP)
- Human Factors in Cybersecurity Certificate
- Training/instructional design certifications
Additional Skills:
- Experience with data analysis tools (Excel, Tableau, Power BI, SQL) for metrics and reporting
- Knowledge of instructional design methodologies (ADDIE, SAM, Bloom’s Taxonomy)
- Familiarity with graphic design tools (Canva, Adobe Creative Suite) for creating engaging content
- Understanding of insider threat programs and frameworks (CERT Insider Threat Framework)
- Experience with security culture assessment tools and methodologies
- Background in psychology, behavioral science, education, or organizational development
- Public speaking and presentation experience
Key Competencies:
- Communication Excellence: Outstanding written and verbal communication skills with ability to create compelling narratives and explain complex security concepts in accessible, engaging ways to diverse audiences from technical staff to executives
- Interpersonal Skills: Strong relationship-building abilities with proven track record of working effectively with employees at all organizational levels, fostering trust and collaboration
- Creativity: Innovative thinking to develop fresh, engaging approaches to security awareness that break through information overload and drive behavior change
- Analytical Mindset: Strong analytical and critical thinking skills to assess behavioral risks, interpret data, identify trends, and develop evidence-based mitigation strategies
- Empathy & Understanding: Ability to understand human motivations, concerns, and perspectives while balancing security requirements with user experience
- Influence & Persuasion: Skilled at influencing behavior and driving cultural change through positive messaging, education, and strategic communication
- Project Management: Excellent organizational and project management skills to manage multiple concurrent awareness initiatives, campaigns, and assessments
- Attention to Detail: Meticulous approach to designing realistic simulations, analyzing results, and tracking metrics
- Adaptability: Flexible and responsive to evolving threats, organizational changes, and stakeholder needs
- Ethical Judgment: Strong ethical compass and integrity, particularly when conducting social engineering exercises and handling sensitive behavioral information
- Continuous Learning: Passion for staying current with social engineering tactics, security awareness best practices, and behavioral psychology research
- Results-Oriented: Focus on measurable outcomes and continuous improvement in reducing human-related security risks
What We Offer:
- Opportunity to make a tangible impact on organizational security culture and risk reduction
- Creative freedom to design innovative and engaging security awareness programs
- Collaborative environment with security, IT, HR, and business teams
- Professional development including training, certifications, and conference attendance
- Exposure to cutting-edge behavioral analytics and security awareness technologies
- Meaningful work protecting the organization and its employees from evolving cyber threats
Join our team and help build a security-conscious culture where employees become our strongest line of defense against cyber threats.
To apply for this job, email your details to mahesht@smacforce.com