How human risk management fortifies the public sector against email attacks
By KnowBe4
KnowBe4’s Vice President for Asia-Pacific and Japan, David Bochsler, shares how taking a data-driven approach to HRM enables agencies to put in place targeted, behavior-based training for officers.
For the public sector, the cybersecurity challenge is shifting from punitive, check-the-box training to proactively managing human risks. Image: Canva
The 2025 Verizon Data Breach Investigations Report found that more than half of the breaches (60 per cent) involve a human element.
“Many cyberattacks begin with a single employee being deceived by a phishing email, granting attackers the foothold they need to steal data, disrupt services or launch ransomware attacks,” says KnowBe4’s Vice President for Asia-Pacific and Japan, David Bochsler.
KnowBe4 is a cloud-based human risk management (HRM) platform that helps organisations manage the human element of cybersecurity.
With the rise of artificial intelligence (AI)-powered social engineering attacks, stakeholders across society are looking to governments to lead by example and set best practices for governance and security.
For the public sector, the challenge is shifting from punitive, check-the-box training to proactively managing human risks.
Bochsler shares more about what HRM encompasses, as well as how agencies can transform their public officers from a vulnerability into a resilient defence layer through targeted, behaviour-based training.
Beyond checkbox compliance
The checkbox mindset, which entails periodic, compliance-driven videos or quizzes, is no longer enough to secure an agency.
Bochsler notes that public procurement tends to favour such traditional approaches because they are easy to track, even though they do not actually change employee behaviour.
“In a human risk management model, security moves from a static annual event to a dynamic, data-driven cycle of Identify, Assess, Change, and Trust.
“Rather than treating all employees as a single risk profile, HRM utilises ‘Human Risk Scores’ to understand individual behaviors and vulnerabilities,” he explains.
Taking a data-driven approach with HRM allows agencies to analyse how different teams interact with real-world threats, then personalise the security journeys based on the interactions.
KnowBe4’s research has found that continuous HRM could help reduce human vulnerability from an industry baseline of 33.1 per cent to 4.1 per cent within a year.
Why targeted, behaviour-based training works better
Given the distinct threat vectors faced by different teams across the agency, a data-driven HRM platform allows for tailored interventions.
“Finance teams may be coached on identifying sophisticated business email compromises, while policy and diplomatic staff are trained to recognise high-stakes spear-phishing and social engineering,” Bochsler explains.
The training can also be customised based on seniority levels.
For senior leaders, the training focus shifts to strategic risks like whaling and disinformation. For frontline service officers, there may be a greater focus on data privacy and identity theft.
“By aligning education with the actual risks inherent to a specific government role, agencies ensure that security guidance is practical, memorable, and directly applicable to protecting public services,” he notes.
Due to the increasing unpredictability of threats, Bochsler adds that it is important for employees to not just follow the rules, but develop specific behaviors and habits to protect the specific data and systems they handle daily.
To help employees build these habits, he suggests that agencies consistently run monthly security awareness training and simulated phishing tests, and make it easy to report threats.
On the latter, he highlights tools like the Phish Alert Button, which allows employees to flag suspicious emails with a single click directly from their inbox.
“By simplifying the reporting process and normalising it through monthly practice, agencies can gather better human intelligence to protect sensitive citizen data and strengthen national resilience,” he summarises.
Combining human intuition with machine automation
According to Bochsler, an effective HRM system ensures that public officers can report human observations, which would then trigger an automated technical response.
For example, when officers report a suspicious email, that intelligence should be instantly validated and fed back into the agency’s security orchestration tools.
Explaining how the human-machine interaction creates a “virtuous feedback loop”, he underlines the importance of the “human layer” to identify threats that may have bypassed the technical filters.
Research by IBM in 2025 has found that organisations that integrate both aspects are able to detect and contain threats up to 108 days faster, while reducing breach costs by an average of US$2.2 million (S$2.8 million).
KnowBe4’s HRM framework also gives agencies an overview of their broader risk map, allowing security teams to see which teams are the most targeted and which are the most vigilant.
Once again, taking a data-driven approach to HRM allows for targeted resource allocation.
Finally, leadership support is crucial. Chief Information Security Officers (CISOs) today need to move beyond tracking who “passed” or “failed” a test, and instead measure how actively employees report real threats and how much overall risk is reduced.
“When leaders across departments emphasise that cybersecurity is part of everyone’s role in protecting public services and citizen data, it sets out a clear expectation and creates a sense of shared accountability,” he explains.
Bochsler highlights the ideal situation achieved through HRM, which is a “culture where every employee understands their role in cybersecurity not only to protect government systems, but also to set the behavioural standard that businesses and citizens across the country are more likely to follow.”
