Insights
The REEF blog.
Research-backed perspectives on the human element of cybersecurity. Breach data, insurance trends, compliance, and what actually moves the needle.
Measuring training effectiveness beyond click rates
If your awareness program report leads with click rate, you're optimizing the wrong number. Six metrics that actually tell you whether your program works.
Third-party risk doubled this year — what to actually do
DBIR 2025 found third-party involvement in breaches doubled from 15% to 30%. Vendor questionnaires aren't going to fix this. Here's what works.

Insider threats: malicious vs. accidental, and why it matters
Most insider incidents aren't malicious. They're well-intentioned employees making mistakes — and the controls that catch malicious insiders barely help.

How to brief your board on cyber risk in 2026
Boards expect cyber risk briefings to land like a financial update — concrete numbers, comparisons, and a decision to make. Most security leaders are still presenting like it's 2018.

The 241-day breach lifecycle and the economics of early detection
It takes the average organization 241 days to identify and contain a breach. The cost difference between fast and slow detection is more than $1 million per incident.

Security culture vs. compliance theater
The same training program can produce a real security culture or a paperwork-compliant non-event. Here's what separates them — and why it matters for your next audit.

Credential stuffing: why password reuse is your single biggest risk
Compromised credentials were involved in 22% of breaches in the 2025 DBIR. The math behind why one leaked password becomes hundreds of breached accounts.

Ransomware in 2025: the 44% finding and what it means
Ransomware showed up in 44% of breaches in this year's DBIR — up from 32%. But median ransom payments dropped, and 64% of victims paid nothing. The economics are shifting.

Why simulation alone doesn't reduce risk
Phishing simulations measure exposure, not improvement. Programs that stop at simulation see click rates plateau within a year — and miss the attacks that actually cause losses.

SOC 2 vs. ISO 27001: picking the right compliance target
Both certifications signal security maturity. They're optimized for different things — and picking the wrong one for your buyers can cost a year and six figures.

Cyber insurance trends 2025: what carriers actually want to see
Premiums are stabilizing after years of hard-market conditions. Carriers are getting more specific about controls — and awareness training is moving from 'nice to have' to underwriting requirement.

Pretexting doubled in 2025 — what changed and what to do
Pretexting now represents about half of all social engineering attacks in the DBIR dataset. Patient, contextual attacks are the new baseline — and click-rate metrics are missing them.

The 60% problem: what 'human element' breaches actually look like
60% of breaches involve a human element. That number rolls up four very different attack patterns — and treating them as one thing is why awareness programs underperform.

IBM's 2025 Cost of a Data Breach: what the $10.22M number really means
Global breach costs fell 9% — but US enterprises bucked the trend with a 9% increase, hitting an average of $10.22M. A closer look at where the money actually goes.

Five takeaways from the 2025 Verizon Data Breach Investigations Report
The 18th annual DBIR analyzed 22,052 incidents and 12,195 confirmed breaches across 139 countries. Five findings every security leader should be acting on now.