Advertisements

Managing Human Risk: GRC, Compliance & Security Culture

Advertisements
Master insider threats, security awareness, ISO 27001, NIST CSF, GDPR & behavioral psychology to reduce human risk
4
4/5
(1) Ratings
38 students
Created by Armaan Sidana
Advertisements

What you'll learn

  • Build a Human Risk Management program using GRC frameworks mapped to ISO 27001, NIST CSF, SOC 2, GDPR, PCI-DSS, and HIPAA
  • Design and measure security awareness programs using behavioral psychology — reducing click rates, not just ticking compliance boxes
  • Implement an insider threat program with UEBA behavioral indicators, legal guardrails, and forensic evidence preservation protocols
  • Run phishing simulations, analyze results, and use failure data to drive targeted training decisions for high-risk employee segments
  • Respond to human-caused incidents — phishing compromise, insider theft, BEC wire fraud — using specialized IR playbooks
  • Calculate Human Risk Scores and build executive dashboards showing risk reduction in monetary terms for board-level reporting
  • Write security policies employees actually read and follow using plain language, visual hierarchy, and behavioral design principles
  • Apply breach notification rules correctly — GDPR 72-hour clock, HIPAA 60-day rule — and manage regulatory obligations post-incident
This course includes:
1.5 total hours on-demand video
0 articles
0 downloadable resources
13 lessons
Full lifetime access
Access on mobile and TV
Certificate of completion
Advertisements

Course content

Requirements

  • No GRC, compliance, or security awareness experience required — the course builds everything from the ground up
  • Basic familiarity with cybersecurity concepts (what a breach is, what phishing means) is helpful but not essential
  • No technical background needed — this course is equally relevant for security managers, HR, legal, compliance, and IT professionals
  • An open mind toward behavioral science — this course explains the human side of security, not just tools and frameworks

Description

Are you ready to tackle the #1 cause of security breaches — human behavior?

82% of all data breaches involve a human element. Phishing, insider threats, social engineering, accidental data exposure — no firewall stops them. The only defense is a structured, measurable Human Risk Management program built on behavioral science, GRC frameworks, and compliance controls.

This course gives you the complete system — from the psychology of why employees make security mistakes to building an ISO 27001-aligned GRC framework, running phishing simulations, detecting insider threats, and measuring risk reduction with executive-ready dashboards.

What Makes Human Risk Different?

Technical controls assume threats come from outside. Human risk lives inside — in the employee who clicks a phishing link, the contractor who exfiltrates data, the manager who approves a fraudulent wire transfer. Traditional security programs treat this as a training problem. This course shows you it is a systems problem — and gives you the systems to solve it.

What You Will Learn

– Understand the psychology of security behavior — cognitive biases, dual-process thinking, habit loops, and security fatigue that make employees vulnerable

– Build a GRC framework (Governance, Risk & Compliance) that specifically addresses human risk alongside technical controls

– Map human risk controls to ISO 27001, NIST CSF, SOC 2, GDPR, PCI-DSS, and HIPAA requirements

– Design and measure a security awareness program that changes real behavior — not just checkbox compliance

– Implement an insider threat program with behavioral indicators, UEBA tools, and legal guardrails

– Run targeted phishing simulations and use failure data to drive training decisions

– Build a security culture through champions programs, leadership engagement, and communication strategies

– Define KPIs, dashboards, and executive reports that demonstrate risk reduction in monetary terms

– Develop security policies that employees actually read, understand, and follow

– Respond to human-caused incidents — phishing compromise, insider data theft, BEC, data mishandling — with targeted IR playbooks

– Understand breach notification obligations — GDPR 72-hour clock, HIPAA 60-day rule, US state law variations

– Conduct root cause analysis on human-caused incidents that produces systemic improvements, not just blame

Practical Tools and Templates

– Security awareness program design framework — needs assessment, content mapping, delivery channels, measurement

– Phishing simulation metrics — click rate, report rate, repeat offender tracking, simulation-to-training pipeline

– Insider threat behavioral indicators checklist — technical and behavioral signals, UEBA alert thresholds

– Human Risk Score formula — aggregate behavioral, training, and incident data into a per-employee risk score

– Policy writing template — plain language, visual hierarchy, acknowledgement tracking

– IR playbook templates — for phishing compromise, insider theft, BEC wire fraud, data mishandling

– Executive dashboard KPIs — Mean Time to Detect, training completion rates, click rate trends, incident reduction %

Course Curriculum — 13 Modules

– Module 0: Welcome & Course Overview — instructor background, learning objectives, course structure

– Module 1: The Human Risk Landscape — breach statistics, why human risk dominates, the cost of inaction

– Module 2: Psychology of Security Behavior — cognitive biases, System 1 vs System 2 thinking, habit loops, social engineering psychology

– Module 3: GRC Fundamentals — governance structures, risk appetite, risk registers, control frameworks, maturity models

– Module 4: Compliance Frameworks — ISO 27001 Annex A, NIST CSF, SOC 2 Trust Services Criteria, GDPR, PCI-DSS, HIPAA

– Module 5: Security Awareness Program Design — needs assessment, content strategy, delivery channels, gamification, measurement

– Module 6: Social Engineering & Phishing Defense — attack taxonomy, simulation design, metrics, targeted training

– Module 7: Insider Threat Management — threat typology, behavioral indicators, UEBA, legal considerations, investigation protocol

– Module 8: Building Security Culture — culture measurement, champions program, leadership engagement, communication strategy

– Module 9: Risk Metrics & Measurement — Human Risk Score, KPI frameworks, dashboards, board reporting, ROI calculation

– Module 10: Policy Development & Enforcement — policy writing, plain language, acknowledgement, enforcement without culture damage

– Module 11: Incident Response for Human Causes — PICERL for human incidents, forensic preservation, breach notification obligations

– Module 12: Wrap-Up & Certification Path — program design blueprint, CISM/CRISC/CISA paths, 30/60/90 day action plan

Compliance Framework Coverage

–  ISO 27001:2022 — Annex A human-facing controls (A.6, A.7, A.8)

–  NIST CSF 2.0 — Govern, Identify, Protect (PR AT awareness and training)

–  SOC 2 — CC1 (Common Criteria) people and culture controls

–  GDPR — Article 32 security of processing, 72-hour breach notification, data minimisation

–  PCI-DSS v4.0 — Requirement 12 (security policy) and Requirement 6 (secure development)

–  HIPAA — Security Rule §164.308 administrative safeguards, workforce training requirements

Who This Course Is For

– Security managers and CISOs who need a repeatable system for reducing human risk across the organisation

– GRC professionals building or maturing a compliance program that addresses the human element

– HR and L&D professionals responsible for security awareness training programs

– Security awareness practitioners who want behavioral science-backed methods, not just phishing click rates

– IT and security generalists who want to move into GRC, risk management, or security culture roles

– Compliance officers managing ISO 27001, SOC 2, GDPR, HIPAA, or PCI-DSS audit requirements

– Anyone preparing for CISM, CRISC, CISA, or CISSP — this course maps directly to exam domains

Requirements

– No prior GRC or compliance experience required — the course starts from fundamentals

– Basic understanding of cybersecurity concepts is helpful but not essential

– Relevant for both technical and non-technical security professionals

Enrol now and build the human firewall your organisation actually needs.

Who this course is for:

  • Security managers and CISOs who need a repeatable, measurable system for reducing human-caused incidents across their organisation
  • GRC and compliance professionals managing ISO 27001, SOC 2, GDPR, HIPAA, or PCI-DSS audits that include workforce security controls
  • HR, L&D, and security awareness practitioners who want behavioral science-backed methods beyond phishing click rate tracking
  • Anyone preparing for CISM, CRISC, CISA, or CISSP certifications — this course maps directly to the human risk and GRC exam domains
Advertisements
116149DAA668E0D6E3CF
Advertisements
Advertisements
Free Online Courses with Certificates
Logo
Register New Account