Security Awareness Blog

DBIR Report - A Fascinating Human Perspective

As many of you know Verizon recently released their 2013 DBIR (Data Breach Investigations Report) which analyzes 621 known, documented breaches collected from 19 organizations. There is a huge wealth of information here, and if you have time read it. You can download it from

There is alot of humor injected, which makes this report surprisingly easy to read. I read the document from a human perspective and was amazed at just how much useful information applies to the Human Element. Below are my impressions, the most important I feel is the last one. Read on.

  1. DBIR breaks attackers into 3 categories (crime, espionage, activism). When it comes to attacks based on social engineering, espionage was by far the greatest (60-70%).
  2. Figure 22 identifies the human element was involved in over 80% of malware infection/compromises (see image above).
  3. Page 36 DBIR calls the human element the 'carbon layer', love that term :)
  4. Page 37 identifies phishing as the top human attack vector, averaging around 80%, with in-person social engineering averaging 13% and phone social engineering 3%. The top phishing targets that DBIR was able to identify are executives/management. They then included an interesting report by ThreatSim on how many emails it takes on average for a compromise (only 8-10 emails).
  5. Page 41 identifies human error as only 2% of the 621 breaches they tracked. This was very interesting as they brought up a good point. For a breach to 'count' that breach had to result in actual compromised data. The vast majority of lost or accidentally disclosed data was not counted as it did not result in actual compromise. However, this does not take in account that organizations that lose or disclose data by accident may be required to report it, with potential fines or costs. So human error is important or not important, depending on if you have to report data compromised if it was accidentily lost, even though you do not know if any harm was done.
  6. Page 44 identifies that BYOD is not even on DBIR's radar, as they have seen so few compromises involving BYOD. This surprised me, however they expect that to grow.
  7. Page 48 identifies 75% of attacks are opportunistic, while 25% are targeted. This percentage is the same both for small and large organizations. Targeted attacks are a greater percentage than I thought.
  8. Page 54 identifies the Human Sensor as the most effective method for internally detecting compromise, two times more effective then a NIDS. A direct quote from the report:

"Once again, end users represent the most effective means of detecting a breach internally (and it would be even higher if ATM skimmers spotted by employees were included) . Typically, this involves a regular employee who, in the course of their daily responsibilities, notices something strange (e .g ., slower system performance or an e-mail that looks suspicious) and alerts IT or management. Let that fact and all its ramifications sink in . . . We suspect organizations spend a lot more time and money on things that fall below the one percent mark in Figure 44, and do very little to hone and support the detection capability of their human resources . Maybe larger organizations?which discovered about a quarter of all breaches in this manner!?realize this and actually train employees to keep their eyes open and empower them to act on what they observe . We can't prove that connection exists from this data, but if you're looking to support a business case to management for IR training for end users, Figure 44 might help ."

I'm a huge believer of going beyond just the Human Firewall and developing the Human Sensor, and the DBIR helps demonstrate the value of that approach. What were your take-a-ways, what else can we learn from a human perspective?