Human Factor and Risk: The Behavior Science of Risk


J. Wolfgang Goerlich is a hacker and an Advisory CISO. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Wolfgang has held senior positions at several consulting firms, leading security advisory and assessment practices. He is an active part of the security community, co-founding and organizing communities and conferences. Wolfgang regularly advises on the topics of security architecture and design, identity and access management, zero trust, and resilience.


Risk. We measure it. We model it. We prioritize security and communicate concerns using risk. But do we get action from the business? Often, no. While risk management is an excellent way to prioritize security efforts, it has proven a poor way to change behaviors in the workplace. The common line of thinking says companies are in the business of taking risks. Risk is the language of the business, and therefore, using risk management, we can communicate security concepts to the business. This has proven not to be the case in cybersecurity. It shouldn’t surprise us. Communicating risks hasn’t worked well in other fields either: from workplace safety to driver safety, from child care to health care, people simply don’t respond to risk messages. This session will pull on the body of research and place it within the context of a hypothetical organization’s risk management program. We will unpack data on why people ignore expert warnings, and how delaying decisions and waiting for the worst-case scenario is a preferred strategy. We’ll cover the power of story over fact, and the shapes of stories, to show how stories drive action. We’ll look at how our cognitive biases affect how we evaluate risk and how this plays out with behavior change models. Finally, we’ll cover the role of misinformation, acclimation, and habituation. The human condition is one of ignoring risk. Ignoring human nature hasn’t helped cybersecurity. This session is on building risk management programs which leverage psychology instead of fighting against it.

