The Humanity Paradox


There is a paradox at the heart of your cybersecurity program: your people. According to the Verizon Data Breach Investigation Report, 82 percent of data breaches involve humans in some way (including social engineering attacks, errors and misuse). That’s a stat that can’t be ignored and an issue that needs to be confronted.

What’s the best method for reducing human risk? For decades, many security leaders and technology vendors have held the position (and hope) that technology-based defenses are the answer. Full stop.

Unfortunately, we’ve seen that technology-based defenses are not yet capable of mitigating the wide range of ways that humans can intentionally or accidentally bypass controls, manipulate systems, or otherwise act in ways that circumvent the protections those controls are meant to provide. Technology-based defenses have also proven ineffective at anticipating and keeping up with the mindset and methods of a highly motivated threat actor.

Here’s the paradox: the majority of data breaches involve the human element and yet your humans can become a great source of strength and resilience for your security program.

Is security awareness the answer? Both ‘yes’ and ‘no.’ Security awareness is too narrow. It focuses on information and understanding. But that’s not enough to change behaviors. There are tons of things we know and understand but don’t act on. We need to broaden our focus to the cybersecurity ABCs: awareness, behavior, and culture. This is an important shift because it begins to move the conversation (and outcomes) from knowledge to action. And, further, the ABCs get at the social dynamics and unspoken behavioral norms that exist in distinct groups within every organization.

Here’s one great example of the power of a good security culture. We recently conducted a study and made an interesting discovery. We took a sample of just over 1,100 organizations and nearly 100,000 employees and looked at employee susceptibility to phishing (measured via simulated phishing tests) as it relates to an organization’s overall security culture (as measured by our Security Culture Survey). There was one obvious correlation: organizations with a “poor” security culture had more employees who opened and interacted with phishing emails in various ways than organizations with a “good” security culture. That’s to be expected, but here’s where it gets really interesting: employees of organizations rated as having a “poor” security culture were 52 times more likely to enter credentials as part of a phishing scam than employees of organizations with a “good” security culture.

Let’s put that into raw numbers. In organizations with a “good” security culture, one employee out of 1,000 is likely to be tricked into giving away their credentials or entering other sensitive data as part of a phishing scam. But, in organizations with a “poor” security culture, that number jumps to 1 out of 20.

Our people find themselves at the heart of our security program. We cannot afford to believe that technology alone can make our organizations secure. We need to build up our human layer of defense. It’s time to elevate human-layer defense to the forefront of the conversation.
