Is FCR a New Human-Centered Approach to Cybersecurity?

Sonya Lowry • August 13, 2024

One question I often hear is: “What exactly is Federated Cyber-Risk Management (FCR)? Is it a new human-centered cybersecurity approach?” It’s a fair question, especially as the industry increasingly recognizes the importance of the human side of cybersecurity. However, the answer is a bit more nuanced.


Understanding Federated Cyber-Risk Management (FCR)


FCR is not strictly a human-centered cybersecurity methodology, but rather a process-centric approach designed to distribute responsibility for cyber risk management across an entire organization. Instead of centralizing cyber risk within a single team—typically the IT or security team—FCR emphasizes the inclusion and active participation of various stakeholders who have the authority and knowledge over specific resources. This structured inclusion ensures that cybersecurity is not just the domain of a specialized group but a shared responsibility.


The key to FCR is creating a framework where resource owners—those who know the most about specific assets—own the responsibility for managing the risks associated with those assets. This not only improves the overall security posture of the organization but also fosters a more collaborative and resilient approach to cybersecurity.


Human-Centered Cybersecurity vs. Process-Centric Approaches like FCR


While FCR is process-centric, it aligns closely with the principles of human-centered cybersecurity, which emphasizes the design of systems and processes that are intuitive, user-friendly, and aligned with how people naturally think and behave.

  • Human-Centered Cybersecurity: This approach focuses on making cybersecurity practices more accessible and engaging, reducing cognitive load, and designing systems that are aligned with human behavior. It’s about understanding how people interact with security measures and making those interactions as seamless as possible.
  • Process-Centric Approaches (like FCR): FCR, on the other hand, is about creating a structured process for involving stakeholders in cybersecurity. It’s less about individual usability and more about ensuring that the right people are included in the right processes to manage cyber risks effectively.



The Synergy Between Human-Centered Cybersecurity and FCR


Although FCR is fundamentally a process-centric approach, it greatly benefits from incorporating human-centered principles. This integration enhances the effectiveness of FCR by making cybersecurity practices more approachable for stakeholders who may not have traditionally been involved in these efforts.

  • Human-Centered Enhancements: By integrating human-centered design into FCR, organizations can ensure that even non-expert stakeholders find cybersecurity processes approachable and understandable. For example, using clear language in policies and providing easy-to-use tools can make participation less intimidating.
  • Behavioral Insights: Understanding how people behave and think is crucial in designing processes that are intuitive and less prone to error. Incorporating these insights into FCR can help create workflows that align with natural human behaviors, reducing the likelihood of mistakes.
  • Training and Education: Combining FCR’s structured approach with human-centered training, such as teaching stakeholders to recognize logical fallacies or other social engineering tactics, can significantly enhance engagement and effectiveness. This ensures that everyone in the organization is not only aware of cybersecurity threats but also equipped to respond appropriately.



Practical Applications of Integrated Approaches


The real power of combining human-centered cybersecurity with FCR lies in its practical application. Here are some examples of how these approaches can be integrated in real-world scenarios:

  • Onboarding New Stakeholders: When bringing new members into the organization, a human-centered approach can ensure that they understand their role in cybersecurity from day one. FCR can provide the framework for what they need to know and how they should be involved.
  • Designing User-Friendly Security Policies: Policies are only effective if they are followed. By applying human-centered design principles, organizations can create policies that are easy to understand and implement, while FCR ensures that these policies are integrated into broader organizational processes.
  • Collaborative Risk Assessments: FCR’s process-centric framework can be enhanced with human-centered tools that make risk assessments more interactive and engaging. This can lead to more accurate assessments and greater buy-in from all participants. In fact, through our research, we’ve applied a combination of techniques, including human-centered cybersecurity, to enable participants with no prior experience to complete their first security plans, including risk registers, in under one hour.



Challenges and Opportunities


Integrating human-centered cybersecurity with FCR presents both challenges and opportunities:

  • Challenges: One of the main challenges is balancing the structured nature of FCR with the flexibility required for human-centered approaches. Additionally, aligning technical requirements with human factors can be complex, requiring careful consideration of both perspectives.
  • Opportunities: On the other hand, this integration presents significant opportunities for innovation. Organizations that successfully merge these approaches can create a more holistic cybersecurity culture—one that is not only more resilient but also more inclusive and adaptable to change.


Conclusion


Federated Cyber-Risk Management (FCR) is a powerful approach to cybersecurity that distributes responsibility across an organization, making it a collective effort. While it is primarily a process-centric methodology, integrating human-centered concerns can greatly enhance its effectiveness. By doing so, organizations can build a more resilient and inclusive cybersecurity culture, where every stakeholder is empowered to contribute meaningfully to protecting the organization.


In today’s evolving cybersecurity landscape, where threats are becoming more sophisticated, this combined approach is not just beneficial—it’s essential. By embracing both the structured processes of FCR and the intuitive design of human-centered cybersecurity, organizations can ensure they are better prepared for whatever challenges lie ahead.


About the Author


Sonya Lowry is the creator of Federated Cyber-Risk Management (FCR), a revolutionary approach that transforms how organizations handle cybersecurity by fostering a culture of shared responsibility. Sonya’s work centers on empowering organizations to move beyond traditional, centralized security models by engaging every stakeholder in managing cyber risks and making cybersecurity a collective effort.


With a deep conviction that cybersecurity is as much about people as it is about technology, Sonya helps organizations implement FCR to build security-engaged cultures. In these environments, every employee understands the risks and is equipped with the knowledge and authority to take action, ensuring a more resilient and proactive defense against threats.


Sonya’s innovative approach to cybersecurity is built on over two decades of experience in information technology, data analytics, and risk management, including significant leadership roles in both the private and public sectors. However, her recent focus on integrating human-centered strategies with technical solutions through FCR is what truly sets her apart as a leader in the field. Sonya is dedicated to reshaping the cybersecurity landscape by ensuring that organizations are not only protected but also empowered to adapt and thrive in the face of ever-evolving threats.

