Security leaders often have a narrow view of human-element breaches, thinking of them as either social engineering or human error, but there’s more to it than that. Breaches that start with a person can be divided into broader categories, including security culture, insider threats, and emerging attack methods such as phishing and data exfiltration.
This was one of the findings in Forrester’s new research report, Deconstructing Human-Element Breaches, which takes a look at the multifaceted risks posed by and to humans in cybersecurity. It also highlights how these long-standing challenges continue to affect security teams, and offers a structured framework to address them.
To help entities navigate these threats, Forrester has developed a “wheel of human-element breaches,” which sorts breaches into eight families with 25 distinct attack types. This framework hopes to help security teams assess risks, communicate more effectively with stakeholders, and secure mitigation strategy investment.
More Clarity Needed
According to the Forrester researchers, despite a growing awareness of human-centered security, inconsistencies in defining human-related breaches remain. Reports from some of the industry’s top organizations—including the Verizon Data Breach Investigations Report, the European Union Agency for Cybersecurity (ENISA), and the Office of the Australian Information Commissioner—all offer different definitions.
These discrepancies can lead entities to concentrate on the more common breach types while neglecting others or to depend on inadequate solutions such as security awareness and training (SA&T) without implementing comprehensive safeguards to complement them.
In fact, the research revealed that a whopping 97% of businesses conduct security training, yet this appears to be having a negligible affect on human-related attacks like business email compromise which continue to surge.
No one is saying training isn’t important, but it cannot fully prevent sophisticated social engineering attacks or accidental misconfigurations. Rather, Forrester suggests a balanced approach that integrates training with robust technical controls to limit human risk.
Security leaders must also recognize that in some breach instances, such as those involving generative AI misuse, there are both human and technological components. The researchers cited the example of how reliance on AI-generated content led the Australian Federal Parliament to publish inaccurate information.
Without acknowledging the human risk aspect, entities may mistakenly depend solely on technology to solve these challenges, which isn’t effective. To counter this, Forrester’s Human-Element Breach Control Matrix offers strategic guidance on balancing training with technical safeguards.
Advancing Human Risk Management
The report also explores the rise of human risk management (HRM) as way beyond traditional SA&T. HRM represents, the researchers said, “a significant change of mindset, strategy, process, and technology,” which encourages businesses to “positively influence security behaviors through evidence-based detection and anticipation of human risk, instead of purely relying on training.”
Unlike conventional security tools, HRM focuses specifically on human risk, integrating with current security infrastructure to offer insights into employee behaviors. By correlating behavioral, threat, access, and knowledge data, HRM uncovers previously unseen risks and offers targeted interventions, including adaptive training and policy updates.
Read the full Forrester report here.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.