Human risk has remained the top breach source

By Laura Baker, CyberWyoming

The 2020 Verizon Data Breach Investigations Report named human risk as the top breach source for the past 5 years.  It includes phishing, password security, malware, data handling and privilege abuse. 

The CompTIA 2020 report says that “employee error remains the primary component of most security breaches.”

But, even with these risks, most organizations do one security training a year and call it good. 

However, cyberpsychologist and researcher Dr. Erik Huffman’s newest research talks about leadership.  His new study showed that when people clicked on an email from upper management, even if their spidey sense was going off, many that clicked were more afraid of not responding to the boss than they were about introducing a security breach.

It’s about leadership.

Wyoming’s Cybersecurity Competition for Small Businesses helps you develop a marketing plan to raise the entire level of security awareness in your company. 

But leadership needs insight.  So, the Global Employee Risk Insights Report First-of-its Kind Analysis of Over 1.5 Million Employees’ Security Decisions Across Industries report shows that there are 4 different areas that leadership needs to learn about.

1. Who is most susceptible to phishing attacks?

Answer: those who have worked for the company less than 3 years or over 16 years. So, focus your phishing training on those higher risk groups, give them more training and guide your security marketing plan towards them. (Dr. Huffman says that impulsivity is also a major factor. Do you impulse buy at the checkout line?)

2. Who is most likely to use a password manager for work systems?

Answer:  US employees for international companies are more likely to use a password manager and those employees who had been working for the company longer than 1.3 years. So, if you want to encourage employees to use a password manager, then focus on the newbies.

3. Employees who completed their security training on time performed better on simulated phishing attacks.

Interesting:  so, you need to phish those employees who are late more to give them more practice.  Maybe they will start showing up on time too!

4. Why does security training often fall short?

Answer: what people do is still different than what people know.  For instance, even though they know they shouldn’t use the same password on multiple systems, they still do. 

Since passwords are secret, it is pretty hard to monitor this, but you can show them some pretty crazy sites like and pastebin to see how prevalent their old passwords are out there.

Join Wyoming’s Cybersecurity Competition for Small Businesses and learn how to combat cybersecurity with your organization’s culture and know-how.  Register now. The competition starts Feb 1. or download the registration page at

FREE to Wyoming small businesses because of our members and sponsors!

For more on cyberpsychology, watch CyberWyoming’s blog site.  We have more to discuss in the coming days!


Register to Receive the Tech Joke of the Week!

This Week's Joke:

How many programmers does it take to change a light bulb?

None, it is a hardware problem!

More Posts: