REEF Editorial

The 60% problem: what 'human element' breaches actually look like

60% of breaches involve a human element. That number rolls up four very different attack patterns — and treating them as one thing is why awareness programs underperform.


If you've read any cybersecurity briefing in the last five years, you've seen some version of the line: "the human is the weakest link." The 2025 Verizon DBIR puts the figure at roughly 60% of breaches involving a human element — a number that has stayed stubbornly stable for years.

But the headline rolls up four very different attack patterns. Treating them as one thing is exactly why most awareness programs underperform.

What "human element" actually means

In DBIR taxonomy, the human element bucket includes:

  1. Social engineering — phishing, pretexting, BEC, voice/SMS scams. The classic.
  2. Errors — misconfiguration, sending sensitive data to the wrong recipient, leaving systems exposed.
  3. Credential abuse — attackers using leaked, reused, or guessed credentials to log in to systems they have no right to access.
  4. Privilege misuse — insiders intentionally or carelessly using their access in ways they shouldn't.

These four categories require completely different programs to address. A great phishing simulation program will not reduce errors. A great error-prevention program will not stop credential abuse. The "60%" is real, but it's not a single problem to solve.

The categories, ranked by what programs actually move

Social engineering: ~17% of breaches

This is the most coachable category. Realistic, varied simulation paired with adaptive training measurably reduces click rates and increases report rates over time. The DBIR notes pretexting attacks doubled this year — meaning the multi-message, contextual attacks are now where the real volume is. Programs that test only with single-message clickbait phishing are training people for last decade's attack.

Programs that work: simulation rotation across email, SMS, and voice; targeted remediation for slip-ups; positive reinforcement for reporters; metrics that include report rate, not just click rate.

Errors: ~13-15% of breaches

The hardest to address through training alone, because errors usually represent a UX or process failure, not an awareness gap. A misconfigured S3 bucket isn't a knowledge problem — it's a "the default was wrong, the warning wasn't loud enough" problem.

Programs that work: secure defaults, blast-radius design, peer review for high-risk operations, and short, situated training delivered at the moment of risk (not in a quarterly LMS module).

Credential abuse: 22% of breaches as initial access vector

This is where most security teams have already moved past awareness training and into infrastructure controls — MFA, passkeys, conditional access, behavioral analytics on logins. That's correct. But the human element doesn't disappear — it just becomes "did the user understand why MFA matters and not approve a fatigue prompt?" That's a high-value, narrow training topic.

Programs that work: MFA-fatigue simulations, push-prompt awareness, password-manager rollout campaigns, and clear "report this" reflexes for unexpected sign-in prompts.
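The "behavioral analytics on logins" control mentioned above is where the MFA-fatigue pattern is caught on the infrastructure side. As an added example (not REEF's or the DBIR's code), this detector flags a user who receives a burst of push prompts in a short window, and notes whether the burst ended in an approval; the log format and the sample lines are constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (UTC timestamp, user, method, result); not real data.
# alice: a 2 a.m. burst of denied prompts that ends in an approval (the fatigue pattern).
# bob: ordinary daytime sign-ins with one mis-tap.
SAMPLE_LOG = """\
2025-03-04T02:11:05 alice push denied
2025-03-04T02:11:40 alice push denied
2025-03-04T02:12:15 alice push denied
2025-03-04T02:13:02 alice push denied
2025-03-04T02:14:30 alice push denied
2025-03-04T02:15:10 alice push approved
2025-03-04T09:00:00 bob push approved
2025-03-04T13:30:00 bob push approved
2025-03-04T17:45:12 bob push denied
2025-03-04T17:46:00 bob push approved
"""


def parse_log(text):
    """Turn the constructed log lines into (user, datetime, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _method, result = line.split()
        events.append((user, datetime.fromisoformat(ts), result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Return {user: finding} for users with >= min_prompts push prompts inside `window`.

    The finding records the size of the largest burst, its start/end time, and
    whether any prompt in that burst was approved (the case worth paging on).
    """
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((ts, result))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        recent = deque()  # sliding window of (ts, result) within `window`
        for ts, result in evs:
            recent.append((ts, result))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= min_prompts:
                prev = findings.get(user)
                if prev is None or len(recent) >= prev["prompts"]:
                    findings[user] = {
                        "prompts": len(recent),
                        "start": recent[0][0],
                        "end": ts,
                        "approved_in_burst": any(r == "approved" for _, r in recent),
                    }
    return findings
```

A burst with `approved_in_burst` set is the signal to treat the session as compromised and reach the user out of band, which pairs with the "report this" reflex the training builds.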

Privilege misuse: smaller share, bigger blast radius

The least common category but often the most damaging when it does happen. Hard to address through awareness because the actor knows what they're doing. Programs here look more like clear policies, monitoring, exit procedures, and least-privilege enforcement.

Why one-size-fits-all programs fail

Most security awareness programs are built around the social-engineering category — that's the part that's most testable and most visible. They tend to assume that because they're moving phishing click rates, they're addressing "the human element" broadly. They aren't.

A program designed only for the social engineering category will not:

  • Reduce misconfiguration errors
  • Reduce credential reuse
  • Reduce MFA fatigue
  • Reduce reported-by-helpdesk insider incidents
  • Move the 60% number meaningfully

The DBIR's 60% number stays roughly flat year-over-year because most organizations are running a program that targets only one quarter of it.

A better mental model

Treat the human element as four programs that share a budget, not one program. Each one has different metrics, different content, different delivery mechanics:

| Category | Primary tool | Primary metric |
| --- | --- | --- |
| Social engineering | Simulation + training | Report rate over time |
| Errors | Secure defaults + just-in-time training | Frequency of high-risk action types |
| Credential abuse | MFA rollout + login awareness | % of users on phishing-resistant MFA |
| Privilege misuse | Policy + monitoring | Rate of policy-violating actions detected |

The 60% won't move because of a better phishing template library. It moves when programs target each of the four categories with the right tool. That's a budget conversation as much as it is a security conversation.


Sources: Verizon 2025 Data Breach Investigations Report — Executive Summary, Verizon 2025 DBIR — News Release.