Breaking Down Human-Element Breaches To Improve Cybersecurity

We are thrilled to announce our research, Deconstructing Human-Element Breaches (Forrester clients can access here), detailing the many and varied risks posed by and to humans — problems that have plagued cybersecurity teams for decades. Forrester clients can use this research as a catalyst for productive conversations with executives and peers across functions about controls to mitigate the human-element breach types most common to their organizations and industries.

This blog includes an FAQ based on the most common questions we receive from our clients and the security vendor community about human-element or human-related breaches.

Aren’t human-element breaches just social engineering and human error?

Whenever we mention human-related breaches, security and risk leaders and practitioners typically think of two main categories: social engineering and human error. This isn't wrong, but it isn't the full picture. After covering these topics separately for years, we decided to deconstruct the problem of human-element breaches to uncover what they are and how to address them. The result spans a variety of categories, including security culture, social engineering (phishing among it), and insider risk.

How do I use Forrester’s wheel of human-element breaches?

As part of the research, we deconstructed eight breach families containing 25 human-element breach types (see figure below). They include established and emerging attacks such as social engineering, data exfiltration by insiders, and plain human error. Attackers target humans in many different ways, and humans behave in ways that leave them and their organizations exposed to those attacks. Security leaders can use this wheel to assess which breach types pose the most risk to their organization, define and describe each breach type to stakeholders, and gain buy-in for investment to mitigate those risks.

Why do we need this clarity?

While it's great that human-centered security is becoming more top of mind, human-related breaches remain inconsistently defined. For example, well-respected sources such as the annual Verizon Data Breach Investigations Report, the European Union Agency for Cybersecurity, and the Office of the Australian Information Commissioner's notifiable data breach reports each provide a different perspective on what constitutes a human-related breach. This confusion can lead organizations to focus on the common breach types while ignoring others, to limit their response to well-trodden yet ineffective recommendations such as security awareness and training (SA&T), or, worse, to bury their heads in the sand by overfocusing on technology rather than people.

Can’t you just train people? After all, this is “just” a human issue.

According to Forrester data, 97% of organizations conduct some form of SA&T, hoping for a silver bullet while checking a regulatory compliance box. Despite this, human-related attacks such as business email compromise have quadrupled, CISOs haven't instilled security cultures in their organizations, training continues to cause friction for learners, and no one knows which behaviors actually change. Awareness of security issues is important, but it can never replace technical controls. Even the most vigilant employee will eventually fall for a credible phishing lure or deepfake voice call, misconfigure an API setting, or send a sensitive file to the wrong recipient. Training is not enough. Technical controls must be in place both to protect users from these attacks and to change their behavior.

If training isn't as effective as you say, can't we just use tech?

Some breaches, such as those caused by human error or social engineering, are easy to associate with people; others that are technology-heavy, such as generative AI (genAI) misuse, are harder to recognize as human-related. Yet it was people relying on fallible genAI content that led the Australian Federal Parliament to publish an inaccurate submission. Without recognizing the human element in such incidents, it is easy to rely solely on technology to solve the problem. Security leaders need to strike a balance between training and technical controls, and we provide guidance on how to do so using Forrester's Human-Element Breach Control Matrix.

I keep hearing about human risk management, but isn’t it just SA&T 2.0?

Far from being SA&T with a fancy new name, human risk management (HRM) solutions represent a significant change in mindset, strategy, process, and technology. Forrester defined HRM and began evaluating HRM vendors, encouraging organizations to positively influence security behaviors through evidence-based detection and anticipation of human risk instead of relying purely on training.

Do we really need another tool to manage the human risk?

While some technologies in your stack provide limited behavioral insights, HRM is unique in that its sole focus is human risk. It integrates with existing tools to measure a wide range of security behaviors and provides a comprehensive view of human risk. HRM also correlates behavioral, threat, access, and knowledge data to surface previously unseen risks. It interacts with people through a set of interventions, including training but also policy updates, that protect people while requiring minimal effort on their part.

Talk To Us

Forrester clients can schedule a guidance session or inquiry with:

    • Jinan Budge, for human-centered security, security culture, influence and engagement, and human risk management.
    • Jess Burn, for social engineering and email, messaging, and collaboration security solutions.
    • Joseph Blankenship, for insider risk.
    • Heidi Shey, for data security.
    • Any one of the contributors to this research to discuss the entirety of human-related breaches.
