Is FCR a New Human-Centered Approach to Cybersecurity?

Sonya Lowry • August 13, 2024

One question I often hear is: “What exactly is Federated Cyber-Risk Management (FCR)? Is it a new human-centered cybersecurity approach?” It’s a fair question, especially as the industry increasingly recognizes the importance of the human side of cybersecurity. However, the answer is a bit more nuanced.


Understanding Federated Cyber-Risk Management (FCR)


FCR is not strictly a human-centered cybersecurity methodology, but rather a process-centric approach designed to distribute responsibility for cyber risk management across an entire organization. Instead of centralizing cyber risk within a single team—typically the IT or security team—FCR emphasizes the inclusion and active participation of various stakeholders who have the authority and knowledge over specific resources. This structured inclusion ensures that cybersecurity is not just the domain of a specialized group but a shared responsibility.


The key to FCR is creating a framework where resource owners—those who know the most about specific assets—own the responsibility for managing the risks associated with those assets. This not only improves the overall security posture of the organization but also fosters a more collaborative and resilient approach to cybersecurity.


Human-Centered Cybersecurity vs. Process-Centric Approaches like FCR


While FCR is process-centric, it aligns closely with the principles of human-centered cybersecurity, which emphasizes the design of systems and processes that are intuitive, user-friendly, and aligned with how people naturally think and behave.

  • Human-Centered Cybersecurity: This approach focuses on making cybersecurity practices more accessible and engaging, reducing cognitive load, and designing systems that are aligned with human behavior. It’s about understanding how people interact with security measures and making those interactions as seamless as possible.
  • Process-Centric Approaches (like FCR): FCR, on the other hand, is about creating a structured process for involving stakeholders in cybersecurity. It’s less about individual usability and more about ensuring that the right people are included in the right processes to manage cyber risks effectively.



The Synergy Between Human-Centered Cybersecurity and FCR


Although FCR is fundamentally a process-centric approach, it greatly benefits from incorporating human-centered principles. This integration enhances the effectiveness of FCR by making cybersecurity practices more approachable for stakeholders who may not have traditionally been involved in these efforts.

  • Human-Centered Enhancements: By integrating human-centered design into FCR, organizations can ensure that even non-expert stakeholders find cybersecurity processes approachable and understandable. For example, using clear language in policies and providing easy-to-use tools can make participation less intimidating.
  • Behavioral Insights: Understanding how people behave and think is crucial in designing processes that are intuitive and less prone to error. Incorporating these insights into FCR can help create workflows that align with natural human behaviors, reducing the likelihood of mistakes.
  • Training and Education: Combining FCR’s structured approach with human-centered training, such as teaching stakeholders to recognize logical fallacies or other social engineering tactics, can significantly enhance engagement and effectiveness. This ensures that everyone in the organization is not only aware of cybersecurity threats but also equipped to respond appropriately.



Practical Applications of Integrated Approaches


The real power of combining human-centered cybersecurity with FCR lies in its practical application. Here are some examples of how these approaches can be integrated in real-world scenarios:

  • Onboarding New Stakeholders: When bringing new members into the organization, a human-centered approach can ensure that they understand their role in cybersecurity from day one. FCR can provide the framework for what they need to know and how they should be involved.
  • Designing User-Friendly Security Policies: Policies are only effective if they are followed. By applying human-centered design principles, organizations can create policies that are easy to understand and implement, while FCR ensures that these policies are integrated into broader organizational processes.
  • Collaborative Risk Assessments: FCR’s process-centric framework can be enhanced with human-centered tools that make risk assessments more interactive and engaging. This can lead to more accurate assessments and greater buy-in from all participants. In fact, through our research, we’ve applied a combination of techniques, including human-centered cybersecurity, to enable participants with no prior experience to complete their first security plans, including risk registers, in under one hour.



Challenges and Opportunities


Integrating human-centered cybersecurity with FCR presents both challenges and opportunities:

  • Challenges: One of the main challenges is balancing the structured nature of FCR with the flexibility required for human-centered approaches. Additionally, aligning technical requirements with human factors can be complex, requiring careful consideration of both perspectives.
  • Opportunities: On the other hand, this integration presents significant opportunities for innovation. Organizations that successfully merge these approaches can create a more holistic cybersecurity culture—one that is not only more resilient but also more inclusive and adaptable to change.


Conclusion


Federated Cyber-Risk Management (FCR) is a powerful approach to cybersecurity that distributes responsibility across an organization, making it a collective effort. While it is primarily a process-centric methodology, integrating human-centered concerns can greatly enhance its effectiveness. By doing so, organizations can build a more resilient and inclusive cybersecurity culture, where every stakeholder is empowered to contribute meaningfully to protecting the organization.


In today’s evolving cybersecurity landscape, where threats are becoming more sophisticated, this combined approach is not just beneficial—it’s essential. By embracing both the structured processes of FCR and the intuitive design of human-centered cybersecurity, organizations can ensure they are better prepared for whatever challenges lie ahead.


About the Author


Sonya Lowry is the creator of Federated Cyber-Risk Management (FCR), a revolutionary approach that transforms how organizations handle cybersecurity by fostering a culture of shared responsibility. Sonya’s work centers on empowering organizations to move beyond traditional, centralized security models by engaging every stakeholder in managing cyber risks and making cybersecurity a collective effort.


With a deep conviction that cybersecurity is as much about people as it is about technology, Sonya helps organizations implement FCR to build security-engaged cultures. In these environments, every employee understands the risks and is equipped with the knowledge and authority to take action, ensuring a more resilient and proactive defense against threats.


Sonya’s innovative approach to cybersecurity is built on over two decades of experience in information technology, data analytics, and risk management, including significant leadership roles in both the private and public sectors. However, her recent focus on integrating human-centered strategies with technical solutions through FCR is what truly sets her apart as a leader in the field. Sonya is dedicated to reshaping the cybersecurity landscape by ensuring that organizations are not only protected but also empowered to adapt and thrive in the face of ever-evolving threats.


The Last Mile in Cybersecurity: Next Steps in Building Resilience

The Last Mile in Cybersecurity: Next Steps in Building Resilience

By Sonya Lowry October 12, 2024
In cybersecurity, the "last mile" represents the critical connection between technical controls and the people who use them every day. Without engaging frontline workers and providing them with the right tools and training, even the most advanced security measures can fall short. In this post, Sonya Lowry explains why human involvement is essential to closing the cybersecurity gap and how the Sibylity platform empowers every employee—technical or not—to be a vital part of your organization's defense strategy. Learn how to transform your last mile from a vulnerability into a strength through shared responsibility and accessible cybersecurity solutions.
The Cybersecurity Fallacy: How Your Approach Is Putting You at Risk

The Cybersecurity Fallacy: How Your Approach Is Putting You at Risk

By Sonya Lowry October 3, 2024
The traditional, centralized approach to cybersecurity is no longer sufficient for today’s complex threat landscape. Relying solely on IT-driven security measures leaves critical gaps that can expose organizations to significant risks. In this post, Sonya Lowry explains why a new, distributed model—Federated Cyber-Risk Management (FCR)—is essential for empowering every department to take ownership of their cybersecurity responsibilities. By integrating FCR, organizations can shift from reactive, IT-focused security to a proactive, whole-organization approach that balances centralized governance with shared responsibility across all teams.
Anatomy of a Rhysida Ransomware Group Attack: How to Avert and Mitigate Ransomware Attacks with a Ba

Anatomy of a Rhysida Ransomware Group Attack: How to Avert and Mitigate Ransomware Attacks with a Balanced Approach

By Sonya Lowry August 10, 2024
The emergence of the Rhysida Ransomware Group in 2023 has elevated the ransomware threat landscape, as evidenced by their high-profile attacks on large organizations like New Jersey City University. In this post, Sonya Lowry breaks down the anatomy of a Rhysida ransomware attack and explains how their sophisticated techniques, including AI-enhanced phishing and double extortion, demand more than technical defenses. Discover how a whole-organization approach—integrating both technical and human-centered strategies—can help your organization prevent, detect, and respond to such attacks. From advanced monitoring tools to empowering employees with critical thinking, learn how Federated Cyber-Risk Management (FCR) builds resilience in the face of evolving ransomware threats.
Propaganda’s Silver Lining: How It Prepares Us for the AI-Driven Social Engineering Threat

Propaganda’s Silver Lining: How It Prepares Us for the AI-Driven Social Engineering Threat

By Sonya Lowry August 9, 2024
In the new era of social engineering, attackers aren’t just relying on malicious code—they’re using psychology to manipulate human behavior. With AI generating flawless phishing emails and social media posts, traditional red flags like typos and strange grammar no longer apply. In this post, Sonya Lowry explores how logical fallacies are being used by cybercriminals to trick even the most cautious individuals and organizations. By understanding and recognizing these psychological traps, you can defend against modern social engineering tactics and strengthen your organization's cybersecurity posture through Federated Cyber-Risk Management (FCR).
Bridging the Gaps in Your Cyber Risk Management Strategy

Bridging the Gaps in Your Cyber Risk Management Strategy

By Sonya Lowry August 9, 2024
Effective cyber risk management requires more than technical controls. While tools like SIEMs, vulnerability scanners, and EDR solutions help address technical vulnerabilities, they often leave critical gaps in administrative controls, which can lead to human-enabled breaches. In this article, Sonya Lowry explores the limitations of traditional risk management programs and introduces Federated Cyber-Risk Management (FCR), a transformative approach that distributes cyber risk ownership across the organization. Learn how Sibylity by SibylSoft provides continuous oversight of administrative controls, closing the most overlooked gaps in cybersecurity and fostering a culture of shared responsibility.
Parable of the elephant and the blind men

Embracing Shared Responsibility in Cybersecurity

By Sonya Lowry July 31, 2024
In today's complex cybersecurity landscape, organizations need more than traditional strategies to protect against growing threats. Drawing from over two decades of experience and insights from Total Quality Management (TQM) and NSF-funded projects, Sonya Lowry introduces Federated Cyber-Risk Management (FCR). This revolutionary approach shifts cybersecurity from a siloed responsibility to a shared, organizational-wide commitment. FCR fosters security-engaged cultures, empowering every employee to take part in cybersecurity efforts. Discover how FCR can help your organization address cybersecurity challenges, overcome skill shortages, and build resilience through collaborative, cross-functional participation.
Reimagining Cybersecurity: Insights from ProPublica's Investigation into the SolarWinds Breach

Reimagining Cybersecurity: Insights from ProPublica's Investigation into the SolarWinds Breach

By Sonya Lowry June 13, 2024
In the wake of the SolarWinds breach, one of the most sophisticated cyber-attacks in history, it has become clear that cybersecurity cannot be siloed. A recent ProPublica investigation revealed that the breach was enabled by a vulnerability in a Microsoft component, shedding light on the critical need for organizations to rethink their approach to cybersecurity. This post explores the parallels between the transformation in quality management and the necessary shift in cybersecurity, introducing Sibylity by SibylSoft—a solution designed to foster shared responsibility for cyber-risk across all stakeholders.