The Uncomfortable Truth About Cybersecurity
When you think about data breaches, you probably imagine sophisticated hackers exploiting technical vulnerabilities, launching zero-day attacks, or deploying advanced persistent threats. The reality is far more sobering and far more preventable.
Verizon's 2024 Data Breach Investigations Report reveals that 68% of breaches involve a non-malicious human element, including employees falling for phishing, making configuration errors, or mishandling sensitive data. These aren't malicious insiders; they're regular people making honest mistakes.
In healthcare, the numbers are even more striking. A comprehensive analysis of US Department of Health and Human Services breach data found that 73% of compromised records resulted from unintentional insider actions. These unintentional breaches exposed more than twice as many records on average as deliberate malicious attacks.
The message is clear: if you want to prevent the most damaging attacks, you need to focus on human behavior, not just technical defenses.
The Five Behaviors That Cause the Most Damage
Through systematic analysis of industry breach reports and peer-reviewed research, we've identified the accidental employee behaviors that create the highest-impact security incidents:
1. Falling for Phishing and Social Engineering
Why This Tops the List:
Phishing remains among the most common initial attack vectors, and it is the one employees meet most directly. According to IBM's 2025 Cost of a Data Breach Report, phishing accounts for 16% of all breaches, with an average cost of $4.8 million per incident.
The problem extends far beyond simple email phishing. Business Email Compromise (BEC), where attackers impersonate executives or suppliers to authorize fraudulent payments or data transfers, has become catastrophically expensive. The FBI's 2024 Internet Crime Report shows that BEC alone caused approximately $2.77 billion in losses in 2024, contributing to over $55 billion in global losses since 2013.
Verizon's research shows that credential theft, often obtained through phishing, is now the initial attack vector in roughly 38% of breaches. Once attackers have valid credentials, they can move laterally through systems, deploy ransomware, and exfiltrate data with devastating consequences.
What Employees Actually Do:
- Click links in deceptive messages
- Open weaponized attachments
- Enter credentials into fake login pages
- Approve fraudulent MFA push notifications
- Follow payment instructions from spoofed executives
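The BEC pattern described above (a spoofed executive or vendor, a redirected reply address, a look-alike domain and an urgent payment request) can be scored mechanically before a message ever reaches an employee. The following is an added example, not code from the original article or from EUDRI: a small triage routine that checks a raw email for those four indicators. The corporate domain, executive names, trusted vendor domains and both sample messages are constructed for illustration; a production filter would sit behind SPF/DKIM/DMARC evaluation rather than replace it.

```python
"""
Heuristic triage of an inbound email for executive impersonation / BEC signals.

Added example, not code from the original article or from EUDRI. The corporate
domain, executive names, trusted vendor domains and the two sample messages are
all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

CORPORATE_DOMAIN = "example.com"                            # assumed
EXECUTIVES = {"jane doe", "john smith"}                     # assumed display names
TRUSTED_DOMAINS = {CORPORATE_DOMAIN, "acme-supplier.com"}   # assumed vendors

# Substitutions commonly used to build look-alike domains (rn -> m, vv -> w, 1 -> l, 0 -> o).
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|invoice|bank (?:account|details)|payment|iban|routing number)\b", re.I)


def normalise(domain: str) -> str:
    """Collapse homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a trusted domain is a classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means no BEC indicator fired."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    from_domain = domain_of(sender)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_to) if reply_to else from_domain
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    findings = []

    # 1. An executive's name on a message that did not come from the corporate domain.
    if display_name.lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append(f"display name '{display_name}' used from external domain {from_domain}")
    # 2. Replies silently redirected to a different domain than the visible sender.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. Sender domain is a typo-squat or homoglyph of a domain the organisation trusts.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates trusted domain {imitated}")
    # 4. Urgency combined with payment instructions is the core BEC pretext.
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment instructions in subject/body")
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.net
To: ap@example.com
Subject: Urgent wire today

Please process the attached invoice payment immediately; the supplier's bank account details have changed.
"""

BENIGN = """From: Bob Builder <bob@example.com>
To: ap@example.com
Subject: Lunch

Cafeteria at noon?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw) or ["no indicators"])
```

Two of the four checks (display name versus domain, Reply-To mismatch) need no word lists at all and catch a large share of CEO-fraud attempts; the homoglyph table and the keyword lists are where tuning happens. Transpositions such as exampel.com are two edits away and would need a separate rule.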
2. Poor Credential Hygiene
The Evidence:
Check Point's 2025 security analysis reveals a staggering 160% surge in credential theft, now accounting for approximately 20% of all data breaches. What makes this particularly dangerous is the long exposure window: businesses take an average of 94 days to remediate leaked credentials from platforms like GitHub, giving attackers ample time to exploit this information.
IBM's breach cost data shows that incidents involving compromised credentials are among the most expensive categories globally, with average costs near or exceeding $4.88 million.
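The 94-day remediation window above starts the moment a credential lands in a repository, so the cheapest control is to catch credential-shaped strings before they are committed or published. The following is an added example, not code from the original article or from EUDRI: a minimal secret scanner with three high-confidence token formats, a lower-confidence "secret-looking variable assigned a quoted literal" rule, and two filters (placeholder detection and Shannon entropy) that keep the generic rule from flagging sample values. The sample file content is constructed and contains no live credentials; the AWS value is the example key from AWS documentation.

```python
"""
Minimal secret scanner: flags credential-shaped strings in source or config text.

Added example, not code from the original article. The rules are a small subset
of what tools such as gitleaks or trufflehog implement; the sample file content
is constructed and contains no real credentials.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# High-confidence patterns: the token format itself identifies the credential type.
STRUCTURED_RULES = [
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
]
# Low-confidence pattern: a secret-ish variable assigned a quoted literal of 8+ characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Values that are obviously placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)^[<{$\[]|example|placeholder|changeme|your[-_ ]|dummy|xxx")
MIN_ENTROPY = 3.0   # bits per character; a string of repeated characters scores near zero


@dataclass
class Finding:
    line: int
    rule: str
    preview: str   # first characters only, so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str) -> List[Finding]:
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        matched = False
        for rule, pattern in STRUCTURED_RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(number, rule, redact(m.group(0))))
                matched = True
        if matched:
            continue   # do not double-report the same line under the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            if PLACEHOLDER.search(value) or shannon_entropy(value) < MIN_ENTROPY:
                continue
            findings.append(Finding(number, "generic-secret", redact(value)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper for use from a pre-commit hook or CI job."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample config; the AWS value is the documented AWS example key.
SAMPLE = """\
# settings.py (constructed sample)
DB_HOST = "db.internal"
DB_PASSWORD = "s3cr3t-Pa55word-2024"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
API_KEY = "<your-api-key>"
-----BEGIN RSA PRIVATE KEY-----
token = "changeme"
SMTP_PASSWORD = "aaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule} {f.preview}")
```

Run against the sample it reports lines 3, 4, 5 and 7 and stays silent on the placeholder (line 6), the "changeme" literal (line 8) and the zero-entropy password (line 9). Wiring scan_file into a pre-commit hook turns the 94-day exposure window into a failed commit; the redacted preview matters because scanner output itself is often pasted into tickets.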
What Employees Actually Do:
- Reuse passwords across multiple systems
- Store credentials in documents, spreadsheets, or code repositories
- Share passwords informally with colleagues
- Accept repeated MFA prompts without verification (MFA fatigue attacks)
- Use weak, easily-guessed password patterns
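MFA fatigue, the last-but-one item above, leaves a recognisable trace in authentication logs: a burst of push prompts to one user, several denials or timeouts, and then an approval. The following is an added example, not code from the original article or from EUDRI, of detection logic that flags both halves of that pattern. The JSON field names (ts, user, event, ip) and the sample log lines are constructed; a real deployment would map them from the identity provider's own log schema.

```python
"""
MFA push-fatigue detection over authentication log lines.

Added example, not code from the original article. The JSON field names
(ts, user, event, ip) and the sample log are constructed; a real deployment
would map them from the identity provider's own log schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 4        # this many push prompts to one user inside WINDOW
REJECTION_THRESHOLD = 2     # an approval after this many straight denials/timeouts


def parse(lines: Iterable[str]) -> List[Dict]:
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])   # log shipping does not guarantee order


def detect(lines: Iterable[str]) -> List[Dict]:
    prompts = defaultdict(deque)     # user -> prompt timestamps inside the sliding window
    rejections = defaultdict(int)    # user -> consecutive denied/timed-out prompts
    alerts = []
    for rec in parse(lines):
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        if event == "push_sent":
            window = prompts[user]
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if len(window) == PROMPT_THRESHOLD:          # fire once, when the threshold is crossed
                alerts.append({"rule": "push_flood", "user": user, "ip": rec.get("ip"),
                               "prompts": len(window), "at": ts.isoformat()})
        elif event in ("push_denied", "push_timeout"):
            rejections[user] += 1
        elif event == "push_approved":
            if rejections[user] >= REJECTION_THRESHOLD:   # the "eventually tapped Approve" case
                alerts.append({"rule": "approval_after_rejections", "user": user, "ip": rec.get("ip"),
                               "rejections": rejections[user], "at": ts.isoformat()})
            rejections[user] = 0                          # a clean approval resets the streak
    return alerts


# Constructed sample log (deliberately out of order to exercise the sort).
SAMPLE_LOG = """\
{"ts": "2025-03-04T12:01:00", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:01:20", "user": "alice", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:02:00", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:02:15", "user": "alice", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:03:00", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:03:40", "user": "alice", "event": "push_timeout", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:05:00", "user": "bob", "event": "push_sent", "ip": "198.51.100.9"}
{"ts": "2025-03-04T12:05:10", "user": "bob", "event": "push_approved", "ip": "198.51.100.9"}
{"ts": "2025-03-04T12:04:00", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:04:10", "user": "alice", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:06:00", "user": "alice", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T12:06:30", "user": "alice", "event": "push_approved", "ip": "203.0.113.7"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)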

3. Misdelivery and Misconfiguration
The Research:
Verizon's 2024 DBIR notes that misdelivery accounts for 48% of error-related breaches in sectors like manufacturing. The 2025 report again highlights misdelivery, misconfiguration, and classification errors as the dominant error varieties across multiple regions.
In healthcare, a HIPAA-focused analysis finds that the most common error causing breaches is misdelivery of records or misdirected emails, followed by loss of data and inappropriate verbal disclosures.
What Employees Actually Do:
- Send sensitive information to wrong recipients
- Upload documents with overly broad access permissions ("anyone with the link")
- Misconfigure cloud resources when setting up access controls
- Set public permissions on storage buckets or shared folders by mistake
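The last two items above are the cloud form of "anyone with the link": a wildcard principal in a bucket policy, or an ACL grant to the AllUsers or AuthenticatedUsers group. The following is an added example, not code from the original article or from EUDRI, of an audit that reads an S3-style bucket policy and ACL and reports public grants, shown against both the weak configuration and the corrected one that scopes the same access to a single named role. The bucket name, account id and role name are constructed; the document shapes follow the AWS policy and ACL formats.

```python
"""
Audit an S3-style bucket policy and ACL for public or "anyone with the link" access.

Added example, not code from the original article. The bucket name, account id
and role name in the sample documents are constructed.
"""
import json
from typing import Any, Dict, List

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # literally anyone
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}


def principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not principal_is_wildcard(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Condition"):
            # A wildcard principal narrowed by a Condition (source VPC endpoint, IP range, ...)
            # may be acceptable, but a human has to confirm the condition really restricts it.
            findings.append(f"statement {sid}: wildcard principal with Condition; review {', '.join(actions)}")
        else:
            findings.append(f"statement {sid}: PUBLIC {', '.join(actions)} on {st.get('Resource')}")
    return findings


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def audit(policy: Dict[str, Any], acl: Dict[str, Any]) -> List[str]:
    return policy_findings(policy) + acl_findings(acl)


# The weak configuration: what "just make sharing easier" tends to produce.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareReports",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::finance-reports/*", "arn:aws:s3:::finance-reports"],
    }],
}
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# The corrected configuration: the same access, granted to one named role only.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareReports",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReaders"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::finance-reports/*", "arn:aws:s3:::finance-reports"],
    }],
}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    print(json.dumps({"weak": audit(PUBLIC_POLICY, PUBLIC_ACL),
                      "fixed": audit(RESTRICTED_POLICY, PRIVATE_ACL)}, indent=2))
```

Detection like this is the backstop; the guardrail is to turn on S3 Block Public Access at the account level so the weak policy cannot be applied in the first place, which removes the decision from the individual employee entirely. The same idea applies to document platforms: disable "anyone with the link" by default and require a named recipient.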
4. General Negligence in Handling Devices and Records
The Data:
The same HHS breach analysis (Yeo & Banfield, 2022) categorizes carelessness and negligence as the single most common cause with 382 incidents, followed by theft (often of unprotected devices) at 222 incidents. While these may seem "old school," they remain critically important in sectors where portable media and printed outputs are common.
What Employees Actually Do:
- Leave laptops or phones unlocked in public places
- Lose unencrypted USB drives or devices
- Write passwords on sticky notes or in notebooks
- Discuss confidential information where they can be overheard
5. Bypassing Security Processes
The Impact:
Verizon's 2024 DBIR reports a 180% year-over-year increase in breaches initiated through vulnerability exploitation, especially via web applications, with slow patching of known vulnerabilities as a major contributor.
IBM's research links higher breach costs to complex environments where shadow IT and ad-hoc data movement are common, creating gaps in visibility and control.
What Employees Actually Do:
- Delay or ignore software updates
- Disable endpoint protection or VPNs temporarily
- Use personal accounts or consumer tools for work (shadow IT)
- Share data via personal email or messaging apps to "get things done"
Why Traditional Training Fails
Here's the problem: we've known about these risky behaviors for years, yet they persist. Why?
Recent randomized controlled trials have revealed an uncomfortable truth about traditional security awareness training. A study of over 19,500 employees at UC San Diego Health found that both annual cybersecurity awareness training and embedded anti-phishing exercises had minimal impact on reducing phishing susceptibility.
The study observed:
- No significant correlation between recent training completion and likelihood of falling for phishing emails
- Embedded phishing training reduced failure rates by only 1.7%
- Training interventions showed negligible effect sizes on click rates or reporting rates
This doesn't mean training doesn't work. It means that traditional passive training doesn't work. Clicking through slides, watching videos at 2x speed, and taking multiple-choice tests creates the illusion of learning without the behavior change.
The Science Behind What Actually Works
Systematic reviews of human factors in cybersecurity consistently identify several mechanisms behind risky employee behavior:
1. Security Knowledge Gaps
Employees with better IT and cybersecurity skills show improved risk perception and lower likelihood of risky behavior. But knowledge alone isn't enough. It must be applied knowledge gained through practice.
2. Workload and Cognitive Load
Under high workload or interruptions, staff are more likely to misaddress emails, accept MFA prompts automatically, or reuse passwords. Training must account for realistic workplace conditions.
3. Security Usability and Friction
When security controls are hard to use or slow people down, users create workarounds, such as shadow IT, password reuse, and informal sharing. This shows up later as misconfigurations and unmonitored data flows.
4. Organizational Culture
Where management prioritizes productivity over security, employees internalize that signal and treat policies as optional. Training must be reinforced by organizational commitment.
How EUDRI Builds Evidence-Based Training Simulators
At EUDRI, we don't just create training content. We build behavioral change systems grounded in randomized controlled trial research and cognitive science. Here's how:
Realistic Decision-Making Under Pressure
Our simulators place employees in authentic scenarios where they must make security decisions under realistic time pressure and workload conditions. This isn't a quiz. It's practice making real decisions.
Example Scenarios:
- An urgent email from "the CEO" requesting immediate payment authorization
- A vendor notification requiring you to update payment details "immediately"
- An MFA push notification arriving unexpectedly during lunch
- A colleague requesting access to sensitive files via Slack
- A cloud storage misconfiguration that seems like it would "just make sharing easier"
Research shows that scenario-based learning with immediate feedback significantly improves decision-making in real-world conditions compared to passive learning.
Adaptive Difficulty Based on Performance
Not everyone needs the same training. Our simulators use adaptive algorithms to adjust difficulty based on individual performance:
- Struggling learners receive additional context, scaffolding, and support
- Strong performers face increasingly sophisticated attacks and edge cases
- Pattern recognition identifies specific weaknesses (e.g., susceptibility to authority-based phishing vs. urgency-based phishing)
This personalized approach is supported by research on human-centric cybersecurity frameworks emphasizing the need for training adapted to individual skill levels and contexts.
Immediate, Specific Feedback
When an employee makes a risky decision in our simulator, they receive:
- Immediate explanation of what made the scenario dangerous
- Specific indicators they should have noticed
- The likely consequences of that action in the real world
- The correct action with reasoning
- Additional practice on similar scenarios
This aligns with cognitive load theory showing that immediate, specific feedback during practice dramatically improves skill acquisition compared to delayed or generic feedback.
Multiple Exposures Over Time
One-and-done training doesn't create lasting behavior change. Our platform delivers:
- Micro-learning modules (5-10 minutes) that fit into busy schedules
- Spaced repetition of critical concepts over weeks and months
- Varied scenarios covering the same security principles in different contexts
- Progressive complexity as learners demonstrate competency
This approach is grounded in memory consolidation research showing that distributed practice with varied examples creates more durable learning than massed practice.
Measuring Real Behavior Change
We don't just track completion rates. We measure actual behavior change:
- Simulated phishing susceptibility before and after training
- Time to identify and report suspicious messages
- Decision quality in realistic security scenarios
- Retention testing at 30, 60, and 90 days
- Real-world incident rates for trained vs. untrained employees
This commitment to measurement also supports compliance with regulations like NIS2 and the EU AI Act, which place training and literacy obligations on organizations and their management and expect those obligations to be demonstrable.
The Prioritized Approach: What to Train First
Given limited time and attention, organizations should prioritize training on the behaviors that cause the most damage:
Priority 1: Phishing and BEC Recognition
Train employees to recognize and respond appropriately to:
- Executive impersonation (CEO fraud)
- Vendor payment change requests
- Urgent credential requests
- Suspicious MFA prompts
- QR code phishing (quishing)
Why: Direct path to the highest-cost attack types (ransomware, BEC, credential theft)
Priority 2: Credential Handling
Build habits around:
- Strong, unique passwords for every system
- Proper use of password managers
- MFA verification practices
- Never storing credentials in documents or code
- Appropriate credential sharing procedures
Why: Compromised credentials are the initial vector in ~38% of breaches
Priority 3: Data Handling and Sharing
Create guardrails for:
- Verifying recipient email addresses before sending
- Checking access permissions before sharing
- Using approved channels for sensitive data
- Understanding data classification
- Recognizing when to escalate questions
Why: Misdelivery alone accounts for 48% of error-related breaches in sectors like manufacturing, and misconfiguration is among the dominant error varieties across regions
Priority 4: Configuration and Change Management
Simplify and standardize:
- Access request procedures
- Resource provisioning
- Permission configuration
- Update management
- Shadow IT alternatives
Why: 180% increase in breaches initiated through vulnerability exploitation; shadow IT creates visibility gaps
Real-World Results: The Evidence Works
We don't ask you to take our word for it. Organizations using EUDRI's evidence-based simulators see measurable results:
Typical 6-Month Outcomes:
- Phishing simulation click rates: 34% → 8%
- Training completion rates: 62% → 97%
- Security assessment scores: 71% → 89%
- Suspicious email reporting: 11% → 43%
- Estimated ROI: 340% based on incident avoidance
These results reflect what happens when training is designed around research evidence rather than compliance checkboxes.
The Bottom Line
The human element isn't your weakest link. It's your greatest opportunity. 68% of breaches involve non-malicious human actions, which means a large share of them could be prevented or blunted by changing behavior.
But "better training" doesn't mean more PowerPoint slides or longer videos. It means:
- Realistic scenarios that mirror actual attack techniques
- Active decision-making under realistic conditions
- Immediate feedback that reinforces correct behaviors
- Spaced practice over time for lasting retention
- Adaptive difficulty that meets learners where they are
- Measured outcomes that demonstrate real behavior change
At EUDRI, every feature of our training simulators is grounded in randomized controlled trial research, cognitive science, and systematic reviews of what actually changes behavior. We don't just help you check a compliance box. We help you build a security-aware culture that genuinely reduces your organization's risk.
Because when 68% of breaches involve the human element, investing in evidence-based human training isn't optional. It's the highest-return security investment you can make.
References & Further Reading
- Verizon 2024 Data Breach Investigations Report
- IBM Cost of a Data Breach Report (2024 and 2025 editions)
- FBI IC3 2024 Annual Report on Internet Crime
- Yeo & Banfield (2022): Healthcare Data Breach Analysis
- Check Point: Alarming Surge in Compromised Credentials
- Human-Centric Cybersecurity Framework Research
- Systematic Review: Behavioral Theories in Cybersecurity
- RCT Study (UC San Diego Health, 19,500+ employees): Security Awareness Training Effectiveness