Human Behavior, the Weak Link in the Cybersecurity Chain

Updated: Mar 2



Daily headlines highlight the growing impact that data breaches are having on Governments, Organizations and Individuals/Families around the world. Spending on Cybersecurity infrastructure has risen from $34 billion USD in 2017 to $57.7 billion USD in 2021 (Statista 2022). Estimates put future cumulative spending at $1.74 trillion USD from 2021 to 2025 (Cybercrime Magazine). In lockstep with the dramatic increases in Cybersecurity spending, there has been an equally staggering increase in the number and value of Cybersecurity breaches. "Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015."

In recent conversations, Property & Casualty Insurance Executives said they expect spending on Cybersecurity insurance policies to overtake "bricks and mortar" property policies in the very near future. With estimates putting Cybersecurity Insurance payouts at between $3 and $4 USD per dollar of premium coverage, the challenges associated with Cybersecurity breaches are being felt by all stakeholders on a global scale.


After reviewing the above data and estimates, it would be reasonable to think that something has to change if we are to "get out ahead" of the ongoing rise in Cybersecurity breaches and costs.

The challenge we now face is how to ensure that Human Behavior is closely aligned with the investment being made in Cybersecurity infrastructure. No amount of infrastructure spend can mitigate human behavior that exposes a Government, Organization or Individual/Family to Cybersecurity threats. Too often a security breach takes place because someone, for instance, accesses a fraudulent Wi-Fi link, clicks on a link in an email that closely mimics a legitimate link, or engages with criminal telephone outreach.


"95% of Cybersecurity breaches are caused by Human Error" (Cybint).


If the majority of Cybersecurity breaches are caused by Human Error, then how do we address the Human Behavioral Risk Profile of Governments, Organizations and Individuals/Families going forward?


Historically, Cybersecurity education has consisted of short videos and questions that Individuals in large organizations complete annually. As people retake these modules when changing organizations, or from year to year with their current organization, they become less engaged and see the training as a necessary chore. They are just "checking a box" rather than engaging with the content out of a deep desire to learn and understand. In fact, "nearly two thirds of UK workers believe that up-to-date anti-virus software is all they need to stay safe from any cyberattack" - Adenike Cosgrove, Cybersecurity Strategist, EMEA, Proofpoint. Based on this analysis, it is not hard to see a disconnect between how most people approach Cybersecurity threats and what is expected of them to support the spending on Cybersecurity infrastructure. Until there is closer alignment, breach costs and infrastructure spending will spiral upward while insurers struggle to align policy revenue with claim costs.


To close this gap, a new and innovative approach to Cybersecurity Threat Identification and Avoidance Education is required. Emphasis has to be put on making the content simple, fun and easy for individuals to consume. With a global marketplace in need of training, the content must be culturally agnostic to appeal to stakeholders around the world. To ensure that people are truly engaged in the learning experience, Gamification tied to Reward & Recognition provides a tried and true game plan to motivate individuals not only to consume the content but to truly understand and implement what they are taught. "Ford’s learning portal (Learning Management System – LMS) saw a 417% increase in use. Its younger audiences were especially more engaged. The result was better customer satisfaction and more sales" (Mike (Michael) Morrison MSc Chartered CCIPD). This approach should be made available to individuals and families at "no cost" to reduce the exposure of Families around the world. Governments and Organizations that deploy a next generation approach to Cyber Threat Identification and Avoidance Education will tightly align human behavior with Cybersecurity infrastructure spend while generating valuable data and insights to share with Insurers to secure Cybersecurity Insurance or possibly reduce their premiums.

Although there is a lot of work to do, the market is starting to realize the gap that must be filled moving forward. Progressive Education providers are creating innovative content and strategies to engage users and close the gap to reduce cybersecurity breaches and their costs. Steve Buege sums it up well in Security Magazine, November 21, 2021:


"While security tools can help reduce these threats, data can’t ultimately stay safe unless all employees learn how to recognize when they're the target of an attack and know what to do — and what not to do."



David Monroe

