Human Risk Management Defends Public Sector Against AI Phishing
- Human error is a factor in 60% of data breaches, and AI-powered social engineering against public agencies is making the problem worse.
- Data-driven Human Risk Management (HRM) cuts employee vulnerability to phishing from 33.1% to 4.1% through targeted, role-specific training.
- Automated feedback loops between employee reporting and security tooling let organizations contain threats up to 108 days faster.
The public sector faces a growing threat from AI-powered social engineering, where attackers use sophisticated automation to deceive employees. Traditional "checkbox" compliance training—consisting of annual videos or quizzes—is increasingly insufficient to stop these evolving threats. David Bochsler, a vice president at cybersecurity firm KnowBe4, argues that agencies must shift toward Human Risk Management (HRM), a model that prioritizes individual behavior over generic compliance.
HRM operates on a cycle of identification and assessment, assigning "Human Risk Scores" to employees based on their specific vulnerabilities and roles. This allows for hyper-personalized training; for instance, finance teams learn to spot business email compromise, while senior leadership focuses on "whaling" (targeted attacks on high-level executives). By tailoring interventions to the actual risks faced by different departments, agencies can transform staff from potential liabilities into a resilient defense layer.
The integration of human intuition with machine automation creates a "virtuous feedback loop" for national security. When employees report suspicious emails via automated tools, the intelligence is instantly fed into security orchestration systems to validate and neutralize threats. Research suggests this hybrid approach allows organizations to contain breaches up to 108 days faster than those relying solely on technical filters, significantly reducing the financial and operational impact of cyber incidents.
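To make the two mechanisms above concrete, the role-weighted Human Risk Score from the previous paragraph and the report-to-orchestration loop described here, the following is an added Python example written for this page. It is not KnowBe4's code, nor any vendor's API or scoring model. The `X-Sim-Campaign` header, the role weights, the scoring formula, the function names and every sample record are assumptions made for illustration.

```python
"""Constructed example of the human-report-to-SOAR feedback loop described
above, with a per-employee risk score. Every name, header, weight and sample
record here is an assumption made for illustration, not a vendor API."""
import re
from dataclasses import dataclass

# Hypothetical role weights: higher where a compromised account does more damage.
ROLE_WEIGHT = {"finance": 1.5, "executive": 2.0, "it": 1.3, "staff": 1.0}

# Hypothetical header a simulation platform stamps on its own test phishes so the
# pipeline can credit the reporter without a lookup against the campaign database.
SIM_HEADER = "X-Sim-Campaign"

URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.I)  # captures the host part


@dataclass
class Employee:
    email: str
    role: str
    sims_received: int = 0   # simulated phishes delivered to this user
    sims_clicked: int = 0    # ...whose link or attachment the user opened
    sims_reported: int = 0   # ...the user reported through the report button


@dataclass
class ReportedMessage:
    reporter: str            # mailbox that pressed "report"
    message_id: str
    sender: str
    headers: dict
    body: str
    recipients: list         # every mailbox that received this message-id


def risk_score(emp: Employee) -> float:
    """Hypothetical Human Risk Score, 0 (resilient) to 100 (exposed).

    Clicking raises the score, reporting lowers it, and the role weight
    scales it. No history gives a neutral 50 so new staff are neither
    assumed safe nor flagged."""
    if emp.sims_received == 0:
        base = 50.0
    else:
        click_rate = emp.sims_clicked / emp.sims_received
        report_rate = emp.sims_reported / emp.sims_received
        base = 100.0 * (0.7 * click_rate + 0.3 * (1.0 - report_rate))
    return min(100.0, base * ROLE_WEIGHT.get(emp.role, 1.0))


def triage_report(msg, employees, active_campaigns, blocked_domains):
    """Route one user-reported email. Returns (verdict, actions).

    A simulation report is credited to the reporter and stops here.
    A real message is checked against the blocklist; a hit produces the
    containment actions an orchestration layer would execute (block the
    domain, pull the same message-id from every mailbox that got it)."""
    emp = employees[msg.reporter]
    if msg.headers.get(SIM_HEADER) in active_campaigns:
        emp.sims_reported += 1
        return "simulation", []
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    indicators = {sender_domain} | {h.lower() for h in URL_RE.findall(msg.body)}
    hits = indicators & blocked_domains
    if not hits:
        # Unknown indicators: queue for an analyst rather than auto-containing.
        return "needs_review", [("analyst_review", msg.message_id)]
    actions = [("block_domain", d) for d in sorted(hits)]
    actions += [("quarantine", r, msg.message_id) for r in msg.recipients]
    return "malicious", actions


def build_sample():
    """Constructed sample data: two employees, one active simulation campaign,
    one blocklisted domain, and two reports (one simulation, one real)."""
    employees = {
        "pay.clerk@agency.example": Employee("pay.clerk@agency.example", "finance", 4, 1, 1),
        "director@agency.example": Employee("director@agency.example", "executive"),
    }
    campaigns = {"Q3-invoice-lure"}
    blocklist = {"invoice-portal-login.example"}
    sim_report = ReportedMessage(
        "pay.clerk@agency.example", "<sim-77@sim.example>", "ap@vendor-sim.example",
        {SIM_HEADER: "Q3-invoice-lure"}, "Please review the attached invoice.",
        ["pay.clerk@agency.example"])
    real_report = ReportedMessage(
        "director@agency.example", "<9f1c@mail.example>", "ceo-office@gmail.example",
        {}, "Urgent: approve the wire at https://invoice-portal-login.example/auth now",
        ["director@agency.example", "pay.clerk@agency.example", "deputy@agency.example"])
    return employees, campaigns, blocklist, sim_report, real_report


if __name__ == "__main__":
    employees, campaigns, blocklist, sim_report, real_report = build_sample()
    clerk = employees["pay.clerk@agency.example"]
    print("clerk risk before:", risk_score(clerk))
    print(triage_report(sim_report, employees, campaigns, blocklist))
    print("clerk risk after reporting the simulation:", risk_score(clerk))
    print(triage_report(real_report, employees, campaigns, blocklist))
```

Two design choices matter in practice. First, a report that matches an unknown indicator is routed to an analyst, not auto-contained: letting any employee trigger mailbox-wide quarantines on an unverified report is itself a denial-of-service vector. Second, the reporter's score drops only for reports of genuine simulations, so the score reflects demonstrated behaviour rather than button-press volume. The finance clerk in the sample starts at 60, drops to 48.75 after correctly reporting the simulation, while the executive with no history sits at the role-weighted ceiling until assessed.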