Trust & Security

68% of Breaches Involve the Human Element. Security Training Is Not Working.

Verizon's 2024 DBIR puts the human element in 68% of breaches. The median phishing click happens in under 60 seconds. Neither fact is going to be fixed by another annual training module.

2026-05-14 · 7 min read Trust & Security

I keep coming back to one number from the Verizon 2024 Data Breach Investigations Report, and it is not the headline breach count. The number that stays with me is the median time from a phishing email being opened to the target clicking the malicious link: less than 60 seconds. That finding is published at https://www.verizon.com/business/resources/reports/dbir/, embedded inside the larger finding that 68% of all confirmed breaches involved a non-malicious human element. Those two numbers together should be rewriting how the security industry thinks about behavioral risk, and they mostly are not.

Sixty seconds is not enough time to consult a checklist. It is not enough time to remember what you learned in annual security training. It is barely enough time to register that you opened an email before your hand moves to click. Under 60 seconds is reflex territory. It is pattern-matching against previous experience, not deliberate evaluation. The training model that dominates enterprise security is built around a different cognitive process entirely: the assumption that employees will recall declarative knowledge from training and apply it thoughtfully in the moment of decision. The 60-second finding is direct evidence that the assumed cognitive process does not describe what is actually happening.

Sociotechnical systems theory, developed by Trist and Bamforth (1951) through their coal mining research, gives me a framework for thinking about why the industry keeps mislocating this problem. Their core insight was that failures at the human-technology interface are not purely human failures or purely technical failures. They are failures of the joint system design, failures to account for how the social and technical dimensions of work interact. When 68% of breaches involve a human action, the standard response is to blame the human and add training. The sociotechnical reading is different: why is the system designed so that a reflexive 60-second action by a busy employee can result in a confirmed organizational breach? The failure is at the interface, not at the individual.

The 68% figure includes errors, misdeliveries, privilege misuse, and social engineering, anything where a person's action or inaction was a material factor in the breach. That breadth is important. Social engineering and phishing are the most visible components, but accidental data exposure, misconfigured cloud storage, and misdelivered files containing sensitive information are also in that 68%. The human element is not primarily a malice problem. It is a design problem. People in complex information environments, under normal cognitive load, doing legitimate work, produce security-relevant errors at a rate that has not declined despite years of awareness campaigns. The campaigns are not reaching the right intervention point.

Security awareness training as it is commonly delivered assumes that behavioral change follows from knowledge transfer. Annual video modules, phishing simulations with immediate feedback, and compliance-driven acknowledgment tests are all built on this assumption. But research on behavioral expertise formation does not support it. Skills that change behavior under time pressure and cognitive load come from repeated practice in contexts that simulate the pressure, not from declarative knowledge absorbed in a low-stakes setting. A nurse does not learn to respond correctly to a code blue by watching a video once a year. A pilot does not learn to handle engine failure by reading about it. They practice until the response is automatic. Security awareness training is trying to build a behavioral reflex through a pedagogical method suited to knowledge acquisition. Those are different goals requiring different methods.

The sociotechnical systems perspective suggests the question should not be "how do we get employees to make better decisions in 60 seconds" but "how do we redesign the email system so that the default action in 60 seconds is less dangerous." That is a system design question, not a training question. Measures like disabling link previews for external senders, adding visual friction to emails from outside the organization, or defaulting suspicious attachments to sandboxed preview rather than direct download address the problem at the interface level. They do not require employees to override reflex with deliberate judgment. They change what the reflex does.

Stolen credentials appeared in 31% of all breaches across a ten-year window in the DBIR data. That is the most persistent single vector in the full reporting history. Multi-factor authentication is the most reliable technical response to credential theft, and it works. But MFA adoption is still uneven across enterprise environments, and the systems that lack it tend to be the older ones that attackers specifically map and target. More troubling is what the ten-year persistence tells us about information-based interventions: employees have been told for a decade not to reuse passwords, to use password managers, and to watch for credential phishing. The knowledge is widely available. The credential theft rate has not declined. That gap between knowing and doing is the actual problem, and it is not a knowledge problem. It is a system design and environmental design problem.

The behavioral security literature is clear that friction shapes behavior more reliably than information does. The question is whether you are putting friction on the dangerous behavior or the safe behavior. If using the approved password manager requires installing software via a ticket to IT, learning a new interface, and migrating existing passwords manually, most employees will continue reusing simple passwords. The friction is on the safe side. If sending a file to an external recipient requires a one-click encryption step that happens automatically, the friction on the dangerous behavior is effectively zero for the user. The design question is who controls where the friction sits, and right now, organizations are mostly not asking it deliberately.

Organizational context matters here in ways that individual-level training cannot reach. I think about this in terms of what Trist and Bamforth would call the joint optimization problem: the technical system and the social system need to be designed together, not separately. An organization that deploys technically excellent MFA but leaves it as opt-in, supports it only on primary systems and not legacy applications, and does not provide IT help for employees struggling to enroll has not jointly optimized anything. The technical control exists. The social and organizational conditions for using it do not. The result is partial adoption that creates a false sense of coverage while leaving the most vulnerable systems exposed.

What surprises me as a researcher is how persistently the IS field has treated the human element problem as a cognitive or motivational problem rather than a sociotechnical design problem. There is substantial IS literature on technology acceptance, user behavior, and security compliance that focuses on individual attitudes, perceived usefulness, and subjective norms. There is much less research that asks how the design of the human-technology interface itself produces or prevents security failures. The 68% figure has been stable across multiple years of the DBIR. That stability is telling me the current intervention portfolio is not moving the distribution. Annual training is not wrong in direction. It is wrong in theory. The theory it operates on does not match what the 60-second phishing click is telling us about how decisions actually happen.

I want to see IS security research that takes the joint design question seriously: what does a system architecture look like when it is optimized for the reality that employees will sometimes click links in under 60 seconds, and designed to limit the damage when they do? Answering that requires understanding both the technical intervention options and the organizational processes, incentives, and constraints that determine whether those options get deployed and used. That is exactly the kind of sociotechnical question IS research is well-positioned to address. The 68% will hold as long as the research and practice communities keep treating it as an individual failure rather than a system design gap.

---
claims_checked:
- "68% of breaches involved non-malicious human element": "https://www.verizon.com/business/resources/reports/dbir/"
- "Phishing median click time under 60 seconds": "https://www.verizon.com/business/resources/reports/dbir/"
- "Stolen credentials in 31% of breaches over 10-year window": "https://www.verizon.com/business/resources/reports/dbir/"
- "Sociotechnical systems theory, Trist and Bamforth 1951": "foundational IS theory, no URL required"
claims_unverified:
- "Behavioral expertise formation and practice vs. declarative knowledge: consistent with cognitive psychology literature; not cited to a specific study; hedged accordingly"
- "68% stable across multiple DBIR years: directional claim based on longitudinal DBIR reporting; year-by-year not re-fetched this session"
sources_used:
- "https://www.verizon.com/business/resources/reports/dbir/"
word_count: 1070

About the author

A
Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.

in gs

Share

More notes

← Previous
Hyperautomation: The Gap Between the Gartner Term and the Factory Floor
Next →
Healthcare Breaches Cost $9.77 Million on Average. For the 14th Year Running.

Related notes

IS Theory
Protection Motivation Theory Is Trapped in Cybersecurity
5 min read
IS Theory
Cybersecurity Economics Is an IS Problem Hiding in Plain Sight
8 min read
IS Theory
Trust Calibration for AI Is Not Trust Calibration for Humans
7 min read