Errors A Greater Digital Risk Than Cyber Attack?

I’ve heard some CISOs say that mistakes by their people are their organization’s greatest information security risk. I wasn’t so sure.

Because of my current role as an outside consultant, I spend a fair amount of time monitoring the external environment, and there is currently a great focus on external malicious attack. This is probably because it’s (1) easier (and more fun) for news outlets to report, (2) because of the wide consumer impact it directly affects more people, and (3) it appears to be more costly.

So, I did a little digging, and here are a few stats from two current sources that I found on the topic.

For example, figure 5 on page 8 of the Ponemon research entitled “2014 Cost of Data Breach Study: Global Analysis” shows this distribution of threats:

  • Malicious attack: 42%
  • Human error: 30%
  • System glitch: 29% (includes both IT and business process failures)

Here’s the graphical view from the same report:

[Chart: Ponemon 2014 Cost of Data Breach Study, figure 5, distribution of threats]

By combining the threats of errors and glitches you get 59%, so Ponemon’s research says malicious attacks are a minority threat.

And, the 2015 PWC cybercrime survey showed (page 13) that “Employees are the most-cited culprits of incidents.” This is confirmed in the 2016 edition of the same report, which found that “the estimated likely source of security incidents” was current employees at 34% and former employees at 29%. Here’s a visual depiction from their 2016 report:

[Chart: PWC 2016 cybercrime survey, estimated likely source of security incidents]

So, do you think errors are a greater digital risk than cyber attack? Got any data to the contrary?
