Introduction

Human Cyber Risk Management (HCRM) focuses on understanding and addressing the behaviours, attitudes, and cultural factors that influence security outcomes. Unlike patching a technical system, influencing people requires careful design, tailored messaging, and context-aware interventions.

Generative AI (Gen AI) is emerging as a powerful enabler in this field. Acting as an adaptive co-pilot, it can accelerate intervention design, behavioural diagnostics, and communication tailoring, while freeing practitioners to focus on strategy, ethics, and leadership.

This article explores how Gen AI can support HCRM, with a focus on intervention design, and provides 10 validated prompts that practitioners can adapt for their organisation’s specific context.

How Gen AI Supports HCRM

1. Intervention Design. AI can map insecure behaviours to the COM-B model (Capability, Opportunity, Motivation – Behaviour), propose Behaviour Change Wheel intervention functions, and align them with APEASE criteria. Practitioners can then refine these to match organisational realities like budget, culture, or regulation.

2. Behavioural Diagnostics. AI can surface themes from incident reports, behavioural data, or surveys – highlighting where risk is concentrated and why behaviours persist.

3. Tailored Communication. Gen AI can rewrite content for different audiences (e.g., executives vs. frontline staff), test messaging variations, and even generate story-driven awareness campaigns.

4. Efficiency Gains. From drafting policies to analysing cultural survey data, Gen AI accelerates routine tasks, allowing practitioners to focus on embedding change.

5. Capability Building. AI can act as an on-demand coach, giving practitioners access to behavioural science explanations, case examples, and reflective questioning.

Best Practices for Using Gen AI in HCRM

  • Anchor outputs in evidence (COM-B, BCW, APEASE, and behavioural science literature).
  • Adapt, don’t adopt: AI outputs are starting points – practitioners must contextualise for their workforce, risk appetite, and regulatory environment.
  • Protect data: Avoid inputting sensitive organisational data into public models. Use enterprise AI platforms where possible.
  • Iterate with stakeholders: Use AI to draft options, then test and refine them with employee focus groups or security champions.
  • Embed ethics and trust: Be transparent with leaders and staff about how AI is being used.

10 Adaptable Daily Prompts for HCRM Practitioners

Each prompt below includes:

  • Core prompt (what to ask Gen AI).
  • How to adapt (guidance on tailoring to organisational need).
  • Validation (why it produces useful results).

1. Diagnosing Risky Behaviour

Core Prompt: “Using the COM-B model, analyse why employees might fail to report phishing attempts. Identify potential barriers and propose interventions aligned with the Behaviour Change Wheel.”

How to Adapt: Replace “phishing attempts” with your organisation’s top human risk (e.g., shadow IT use, unsafe file sharing, weak passwords). Add contextual details like “in a hybrid work environment with high contractor turnover” for richer outputs.

✅ Produces diagnostic clarity linked to behavioural levers.

2. Designing Interventions

Core Prompt: “Suggest intervention functions and specific behaviour change techniques to reduce weak password use, applying APEASE criteria.”

How to Adapt: Replace “weak password use” with your behaviour of concern (e.g., sensitive data over email, tailgating). Insert organisational constraints: “low training budget, but strong Microsoft ecosystem tools available.”

✅ Generates tailored, evidence-based interventions.

3. Tailoring Messages

Core Prompt: “Rewrite this MFA awareness message for frontline staff, middle managers, and executives.”

How to Adapt: Paste your actual draft message into the prompt. Add industry detail: “rewrite for healthcare staff working under time pressure” or “rewrite for financial services staff bound by FCA regulation.”

✅ Ensures communication resonates with different audiences.

4. Building a Security Culture Narrative

Core Prompt: “Draft a 200-word narrative explaining why security is a shared responsibility, incorporating psychological safety and cultural norms.”

How to Adapt: Add context: “for a quarterly all-hands in a company undergoing digital transformation” or “for a global workforce across 5 geographies.”

✅ Produces compelling narratives ready for leadership use.

5. Analysing Survey Data

Core Prompt: “Here is anonymised employee survey data about security attitudes [paste data]. Summarise top three trends and their implications for culture interventions.”

How to Adapt: Feed in your own survey or pulse-check results. Add scope: “focus on high-risk departments like finance and legal.”

✅ Converts raw data into usable insights for programme design.

6. Scenario-Based Learning

Core Prompt: “Design a realistic exercise teaching staff how to respond to a suspected insider threat, including setup, questions, and learning outcomes.”

How to Adapt: Change the topic: “ransomware outbreak in a hospital ward,” or “contractor using unapproved cloud storage.” Specify audience: frontline staff vs. senior leaders.

✅ Produces training-ready exercises contextualised to role.

7. Intervention Comparison

Core Prompt: “Compare nudges versus training sessions to reduce risky file sharing. Provide pros and cons and recommend the best option.”

How to Adapt: Swap “file sharing” with your issue. Add organisational factors: “staff resistant to long training,” or “organisation already has digital nudging tools.”

✅ Supports evidence-based decision-making.

8. Leadership Briefing

Core Prompt: “Draft a one-page executive briefing on current human cyber risk, key cultural risks, and three recommendations.”

How to Adapt: Insert specifics: “use examples from last quarter’s phishing simulations” or “focus on risks linked to upcoming ISO audit.”

✅ Saves hours preparing C-suite briefings.

9. Behaviour Measurement

Core Prompt: “Suggest five metrics to measure behaviour change after a phishing campaign, ensuring focus on behaviour not just awareness.”

How to Adapt: Insert campaign type: “measuring secure collaboration tool adoption” or “USB use reduction.” Add maturity level: “metrics suitable for early-stage measurement.”

✅ Shifts focus from vanity metrics to real behavioural outcomes.

10. Daily Reflection

Core Prompt: “Act as a reflective coach. Today I faced this HCRM challenge [insert]. Ask me 3–5 probing questions to deepen my reflection and next steps.”

How to Adapt: Insert your actual challenge: “struggling to engage managers in reporting incidents” or “designing interventions under budget constraints.”

✅ Supports practitioner growth and structured reflection.

Conclusion

Gen AI is not a silver bullet, but when applied thoughtfully, it can transform Human Cyber Risk Management. By helping practitioners diagnose behaviours, design tailored interventions, and streamline communication, it accelerates cultural change.

The key lies in adaptation: the more context you provide about your organisation, workforce, and constraints, the more valuable the outputs become. These prompts are not meant to be generic templates, but living tools practitioners can refine daily to reduce human cyber risk and strengthen organisational resilience.


⚠️ Caution: Generative AI is not perfect – it can produce outputs that are inaccurate, incomplete, or lack the nuance of your organisational context. While it can accelerate and enhance practices, the responsibility for validating, adapting, and applying these insights always rests with the practitioner. Use Gen AI as a co-pilot, not an autopilot: it can help you generate ideas and structure your thinking, but you remain accountable for the final decisions and outcomes.