Security Awareness Blog

97% of Malware Encountered Involves Attacking The Human

One of the things I've been looking for is a good statistic that demonstrates just how actively targeted the human element has become. I've had several discussions about this topic with the malware community (not just anti-virus employees but researchers, operations, etc) and I knew the numbers were high. I often get estimates that up to 70% of malware can be totally dependent on exploiting just the human, while another percentage involves exploiting both the human and technical vulnerabilities. I just read a very interesting statistic from Symantec at Network World, where Symantec states that 97% of the malware they now encounter either totally depends on exploiting the human, or involves a combination of exploiting both the human and technical vulnerabilities. In other words, only about 3% of malware they are seeing depends purely on exploiting technical vulnerabilities. Now, you always have to take statistics with a grain of salt, especially from a vendor. They do not explain how they achieved those metrics. However, regardless of what the exact numbers are, this helps demonstrates that purely technical exploits are the thing of the past, at least at the desktop. The vast majority of attacks against the desktop (the world of malware) now either totally depend on or at least involve the human.

With numbers like these, I still don't understand why the vast majority of the security community still focus on just the technical issues. My guess is because technical vulnerabilities are the simpler of the two to solve, and simpler to demonstrate that you have solved it.