When we predicted that “Ninety percent of data breaches will include a human element” in Predictions 2024: Cybersecurity, Risk, And Privacy, we learned that not all publications, standards, or regulations mean the same thing when they talk about “human element” breaches. Verizon’s Data Breach Investigations Report states that human-element breaches, which form 68% of total breaches, include social engineering, business email compromise (BEC), human error, pretexting, and use of stolen credentials. Australia’s definition from its Office of the Australian Information Commissioner includes some but not all of the above, and it adds insider threats and theft of assets to its figure totaling 30% of breaches. This inconsistency takes on a new dimension with the abundance of definitions and inclusions touted by vendor thought leadership, threat actor profiles, and breach data publications.

Not only are human-element breaches inconsistently defined, but recommendations for how to deal with these attacks are limited to one silver bullet: security awareness and training (SA&T). Yet in spite of 97% of organizations reporting that they undertake SA&T, BEC attacks have quadrupled, chief information security officers (CISOs) haven’t instilled security cultures in their organizations, training continues to cause friction for learners, and no one knows which behaviors increase the risk of which type of breach, let alone whether those behaviors have changed.

Our upcoming research on deconstructing human-element breaches shows that risks posed by and to humans are misunderstood yet expansive. They include established and emerging attacks such as deepfakes, data exfiltration by insiders, misuse of generative AI (genAI), physical theft or loss, and just plain human error. They are expected to accelerate and become more complex with the advent of genAI and the expansion of communication channels. This upcoming research aims to allow CISOs to discern human-element risks, communicate them to their confident yet confused stakeholders, and, most significantly, manage these risks.

Current Training And Awareness Solutions Won’t Fix Human-Element Risk

October is Cybersecurity Awareness Month, the month cybersecurity pros ask everyone to be more cyber-aware. Training and awareness, however, are not enough to address human-element risk. It may also not surprise anyone that SA&T is not the silver bullet that many will tell you it is. Enterprise email security, even as protection expands to messaging and collaboration apps, won’t stop all human-element breaches, either. In fact, there are no silver bullets!

Each human-element breach is managed by one or more security tech categories and various supplementary controls. For example, to manage social engineering risks, you need email security, messaging and collaboration security, easily understood policy, continual training, and relevant phishing simulations. Treat human-element breaches holistically with people, process, technology, and oversight.

Finally, if you haven’t gotten the memo yet, in February 2024, Forrester announced the move from SA&T to human risk management (HRM). Early adopters of these solutions demonstrate a significant change of mindset, strategy, process, and technology about how we approach an old problem in a new world. HRM solutions help organizations detect and measure a broad range of actual human security behaviors, quantify the human risk, and initiate risk-based policy and training interventions. They bolster existing security tools and processes across all aforementioned security categories, using them to gain input and insight into the human risk equation.

Join us at Forrester’s Security & Risk Summit in Baltimore on December 9–11, where we will discuss how you can master the human element in more detail. Forrester clients can also schedule a guidance session with either of us to learn more about this upcoming research and how you can address human-element risk.