Jessica Barker

How many data breaches involve 'the human element'?

Last week, Verizon published the 2022 Data Breach Investigation Report (VDBIR). The publication of the report is eagerly anticipated and enthusiastically welcomed by the cyber security industry, and rightly so. This in-depth and comprehensive report helps us track trends, benchmark our experiences and share insights both within - and beyond - the security community. The jokes that are peppered throughout the report are appreciated, too :)


One headline-grabbing statistic this year is that "82% of breaches involve the human element". This is down very slightly from last year, when it was 85%.


I presented at two conferences last week. One was with fellow security professionals and the other was an audience of technology and business leaders. At the latter event, I asked the audience if they thought that 82% of breaches involving the human element sounded like a lot. Most people raised their hands until a lone voice got to my point before I could: that humans are involved in a lot more than 82% of breaches.


With the audience of security professionals, I asked if anyone had experienced a breach - or even knew of a breach - that does not involve the human element. No one raised their hand. When I asked whether people had experienced a breach that does involve the human element, of course it was a different story.


It's a fun thought experiment to play and a question I've been asking a lot during sessions I have delivered over the last year or so. And the only answer that has made sense to me, the only truly 'non-human' breach, could be one caused by a 'force majeure'. Even then, an argument could certainly be made about the role of people here, from the simple point that people are responsible for environmental protections and disaster recovery plans, to the complex issue of climate change.


What about other incidents?


An attack that exploits a vulnerable piece of software? There is a human element in the production of vulnerable software (anything from a company culture that encourages developers to prioritise productivity over security to a lack of secure code training). And, in all of this, let's not forget about the human or humans carrying out the attacks.


Everything from patching to system configuration to risk assessments to network segmentation is deeply human. And artificial intelligence, which to many sounds so deeply technical, is not only built by people, but of course susceptible to human bias in a way that can be extremely harmful, as Joy Buolamwini explains when she talks about "the coded gaze".


In short: technology does not attack technology by itself.


If we look at the lifecycle of technology (or information), people are of course central at every stage: design, development, testing, use, abuse and destruction. And, arguably, people are never more central than when it comes to the impact of technology, information and (in)security. For example, the VDBIR reports a dramatic increase in ransomware attacks affecting the education sector over the last year (with ransomware representing 30% of breaches in the sector).


At one point in the VDBIR, the report reads:


The human element continues to be a key driver of 82% of breaches

Verizon Data Breach Investigation Report 2022, p. 30


This, to me, is the key to understanding the 82% figure. It is not that 82% of breaches "involve" the human element. In my opinion, that figure is, and will remain, as close to 100% as it is possible to get.


What the VDBIR is helping us understand is that, in the last year, 82% of breaches directly took advantage of the human element, from stolen credentials and social engineering to privilege misuse and human error.


But this brings me to three questions.


Firstly, why do we class credentials as a human element, but not vulnerabilities?


Secondly, how can we better understand and categorise human error to address the true complexity of this - which is so often caused by systemic issues rather than individual failings?



And, finally, why do we combine human-centred attacks and incidents under the banner of 'the human element', when we don't do the same for technical-centred attacks? How often have you heard someone refer to 'the technical element' of cyber security?


I love reading the Verizon Data Breach Investigation Report, and I'm grateful to the team that puts so much work into developing a resource that is made widely available to the community. I don't want this blog post to seem like a criticism of their work or a pedantic rejection of their findings.


What I would like is for us to use these opportunities to think about how we define "the human element". Because the truth is that the human element - just like the technical element - is inherent in all aspects of cyber security.

