Humans aren’t the weakest link, they’re a critical security layer

Moving from security awareness to Human Risk

Insight: RSAC 2025 Conference

Security awareness is a thing of the past. Or rather, the term and what it stands for are things of the past. It just doesn’t cover the actual challenge organizations need to address. We need to be talking about Human Risk. At least, that’s what Perry Carpenter, Chief Human Risk Management Strategist at KnowBe4, thinks we should do. We were happy to oblige, learn more about it, and ask him all kinds of questions.

Subscribe to Techzine Talks on Tour and listen to our other episodes via Spotify, Apple, YouTube or another service of your choice.

When Carpenter says “awareness doesn’t change behavior,” he’s not being controversial. He’s sharing an insight that has reshaped how security professionals approach human risk. We meet him at RSAC Conference in San Francisco, where we discuss why we must move beyond traditional security awareness toward a comprehensive approach to human behavior.

Drawing from over a decade of experience, Carpenter challenges the notion that humans are the “weakest link” in security. Instead, he positions people as “a critical layer within the security stack”. It’s a layer that deserves proper support rather than blame when things go wrong. When a phishing attack succeeds, it means multiple technical controls have already failed, from secure email gateways to endpoint protection. The problem isn’t human weakness but insufficient defense-in-depth.

Impact of AI on Human Risk

This being 2025, we talk about AI too of course. We examine how AI is transforming the threat landscape, specifically around Human Risk Management. While deepfakes and AI-generated content grab headlines, Carpenter emphasizes that we should continue to focus on the underlying psychology: “Every deceptive attack is a narrative attack” designed to manipulate emotions and beliefs. The difference now is scale and personalization. Attackers can create “individualized cognitive malware” targeting specific psychological vulnerabilities of each victim.

Looking toward the future, we discuss with Carpenter how agentic AI will transform both offense and defense in cybersecurity. These AI systems, functioning like team members with specialized capabilities, promise to deliver just-in-time training and personalized security guidance. However, they also introduce new risks: AI agents themselves can be manipulated, compromised, or turned into insider threats. Organizations will need thoughtful control mechanisms and safety valves to navigate this new frontier.

This discussion is not only meant as a warning to security leaders or as a vision of a very bleak future. It also aims to provide them with a roadmap and some food for thought on how to avert such a future. By combining technical controls with behavioral science, organizations can build more resilient security cultures that recognize human complexity without sacrificing protection. Listen now to get insights into how your security program must evolve to address the full spectrum of human risk, including where AI is concerned.

Techzine Talks on Tour: season two

We started Techzine Talks on Tour in May of 2024, with the goal of doing at least one episode every two weeks. After 25 episodes in 2024 we were close enough to that target for us to call the first season a good start. That’s what it is, a start, because we’re not done yet. We continue with a second season, with the goal of growing our reach even further. We will once again try and serve up a fresh new episode of Techzine Talks every two weeks or faster.

A big thank you to the people who found us in 2024 already. We hope you continue to listen to Techzine Talks on Tour in 2025. If this is your first encounter with our podcast, there’s much more to come! We hope you enjoy this episode.

Where to find Techzine Talks on Tour?

Techzine Talks on Tour is available on all the well-known platforms. So you can find it on Spotify, Apple Podcasts and YouTube for example. Just search for Techzine Talks on Tour in your favorite podcast app.

Get in touch

We hope you like this new podcast series. If so, please let us know. If you have suggestions on how we can improve, we would like to hear those too. We’re also open to suggestions around specific topics, or specific people that want to appear in an episode of Techzine Talks on Tour. You can find both Coen van Eenbergen and Sander Almekinders on LinkedIn, or you can send an email to info@techzine.eu.