How many data breaches involve 'the human element'?
Last week, Verizon published the 2022 Data Breach Investigations Report (referred to here as the VDBIR). The publication of the report is eagerly anticipated and enthusiastically welcomed by the cyber security industry, and rightly so. This in-depth report helps us track trends, benchmark our experiences and share insights both within - and beyond - the security community. The jokes that are peppered throughout the report are appreciated, too :)
One headline-grabbing statistic this year is that "82% of breaches involve the human element". This is down very slightly from last year, when it was 85%.
I presented at two conferences last week. One was with fellow security professionals and the other was an audience of technology and business leaders. At the latter event, I asked the audience if they thought that 82% of breaches involving the human element sounded like a lot. Most people raised their hands until a lone voice got to my point before I could: that humans are involved in a lot more than 82% of breaches.
With the audience of security professionals, I asked if anyone had experienced a breach - or even knew of a breach - that does not involve the human element. No one raised their hand. When I asked whether people had experienced a breach that does involve the human element, of course it was a different story.
It's a fun thought experiment, and a question I've been asking a lot during sessions I have delivered over the last year or so. The only answer that has made sense to me, the only truly 'non-human' breach, would be one caused by a 'force majeure'. Even then, an argument could certainly be made about the role of people here, from the simple point that people are responsible for environmental protections and disaster recovery plans, to the complex issue of climate change.
What about other incidents?
An attack that exploits a vulnerable piece of software? There is a human element in the production of vulnerable software (anything from a company culture that encourages developers to prioritise productivity over security to a lack of secure code training). And, in all of this, let's not forget about the human or humans carrying out the attacks.
Everything from patching to system configuration to risk assessments to network segmentation is deeply human. And artificial intelligence, which to many sounds so deeply technical, is not only built by people, but of course susceptible to human bias in a way that can be extremely harmful, as Joy Buolamwini explains when she talks about "the coded gaze".
In short: technology does not attack technology by itself.
If we look at the lifecycle of technology (or information), people are of course central at every stage: design, development, testing, use, abuse and destruction. And, arguably, people are never more central than when it comes to the impact of technology, information and (in)security. For example, the VDBIR reports a dramatic increase in ransomware attacks affecting the education sector over the last year (with ransomware representing 30% of breaches in the sector).
At one point, the VDBIR reads:
The human element continues to be a key driver of 82% of breaches
Verizon Data Breach Investigations Report 2022, p. 30
This, to me, is the key to understanding the 82% figure. It is not that 82% of breaches "involve" the human element. In my opinion, that figure is, and will remain, as close to 100% as it is possible to get.
What the VDBIR is helping us understand is that, in the last year, 82% of breaches directly took advantage of the human element: from stolen credentials to social engineering, and from privilege misuse to human error.
But this brings me to three questions.
Firstly, why do we class credentials as a human element, but not vulnerabilities?
Secondly, how can we better understand and categorise human error to address the true complexity of this - which is so often caused by systemic issues rather than individual failings?
And, finally, why do we combine human-centred attacks and incidents under the banner of 'the human element', when we don't do the same for technical-centred attacks? How often have you heard someone refer to 'the technical element' of cyber security?
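To make the definitional point concrete, here is a small added example (mine, not code or methodology from the VDBIR or from Verizon) that tags a constructed set of breach records three ways: the narrow 'human element' rule the 82% headline is built on, the same rule with exploited vulnerabilities also counted as human (the first question above), and the broad reading argued for in this post. The action names are assumptions loosely modelled on DBIR action varieties, and the sample records are constructed, not DBIR data; the point is that the headline percentage moves with the definition, not with the breaches.

```python
"""
Added illustration: the 'human element' share of a breach set depends on which
definition is applied. Not Verizon's code or methodology; action names below are
assumptions loosely modelled on DBIR action varieties, and the sample is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Set

# Narrow rule (the one behind the 82% headline): the breach directly took
# advantage of a person via stolen credentials, social engineering,
# privilege misuse or error. Vulnerability exploitation is NOT in this set.
NARROW_HUMAN_ACTIONS: Set[str] = {
    "use_of_stolen_creds", "phishing", "pretexting",
    "privilege_misuse", "misconfiguration", "misdelivery",
}

# Question one in the post: why count credentials but not vulnerabilities?
# Vulnerable software is written, shipped and left unpatched by people.
WITH_VULNS_HUMAN_ACTIONS: Set[str] = NARROW_HUMAN_ACTIONS | {"exploit_vuln"}

# Broad rule: a person is somewhere in the chain for every breach that was not
# purely a force majeure event (the strictest possible reading of 'non-human').
FORCE_MAJEURE: Set[str] = {"flood", "fire", "earthquake"}


@dataclass
class Breach:
    id: str
    actions: Set[str]  # DBIR-style action varieties observed in the breach


def narrow_human_element(b: Breach) -> bool:
    return bool(b.actions & NARROW_HUMAN_ACTIONS)


def with_vulns_human_element(b: Breach) -> bool:
    return bool(b.actions & WITH_VULNS_HUMAN_ACTIONS)


def broad_human_element(b: Breach) -> bool:
    # Only a breach whose every action is a force majeure event escapes this rule.
    return not b.actions <= FORCE_MAJEURE


def human_element_share(breaches: Iterable[Breach],
                        rule: Callable[[Breach], bool]) -> int:
    """Whole-percent share of breaches flagged by `rule`; 0 for an empty set."""
    breaches = list(breaches)
    if not breaches:
        return 0
    hits = sum(1 for b in breaches if rule(b))
    return round(100 * hits / len(breaches))


# Constructed sample set (assumption, not DBIR data).
SAMPLE = [
    Breach("B01", {"use_of_stolen_creds"}),
    Breach("B02", {"phishing", "ransomware"}),
    Breach("B03", {"exploit_vuln", "ransomware"}),  # vuln path, no 'human' action tagged
    Breach("B04", {"privilege_misuse"}),
    Breach("B05", {"misconfiguration"}),
    Breach("B06", {"exploit_vuln"}),
    Breach("B07", {"pretexting"}),
    Breach("B08", {"misdelivery"}),
    Breach("B09", {"exploit_vuln", "use_of_stolen_creds"}),
    Breach("B10", {"flood"}),
]


def summarise(breaches: Iterable[Breach]) -> dict:
    """Share of the same breaches under each definition."""
    breaches = list(breaches)
    return {
        "narrow": human_element_share(breaches, narrow_human_element),
        "narrow_plus_vulns": human_element_share(breaches, with_vulns_human_element),
        "broad": human_element_share(breaches, broad_human_element),
    }


if __name__ == "__main__":
    for name, share in summarise(SAMPLE).items():
        print(f"{name:18s} {share}% of breaches involve the human element")
```

Running it on the constructed sample gives 70% under the narrow rule, and 90% under both the vulnerabilities-count-too rule and the broad rule. The same ten breaches, three different headlines; which one you quote is a choice about what 'human element' means, not a finding about the breaches.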
I love reading the Verizon Data Breach Investigations Report, and I'm grateful to the team that puts so much work into developing a resource that is made widely available to the community. I don't want this blog post to seem like a criticism of their work or a pedantic rejection of their findings.
What I would like, is for us to use these opportunities to think about how we define "the human element". Because the truth is that the human element - just like the technical element - is inherent in all aspects of cyber security.