Companies Should Tell Workers It’s OK to Confess to Security Mistakes, Stanford Professor Says

  • 88% of data breaches are caused by human error
  • Employees between the ages of 18 and 30 are five times more likely to admit to errors that compromised cybersecurity
  • IT reps can leverage integrated Risk Management and Analytics to address misconfigurations and vulnerabilities, including human-triggered ones


A new study indicates that nine in 10 data breaches are caused by mindset lapses, pinning the root cause of almost all cyber incidents on insiders. Stanford University Professor Jeff Hancock believes employees are reluctant to admit to their errors if employers judge them too harshly.

The report, Psychology of Human Error, combines survey data and insights from Hancock, a professor of communication, to explain the mindset behind human lapses. Its authors hope the results can help businesses understand how to prevent incidents from happening so they can’t turn into breaches.

According to the study, 88% of data breaches are caused by human error outright. Nearly half of the employees in Tessian’s survey say they are “very” or “pretty” certain they have made a mistake at work that had security repercussions for themselves or their company.

Employees between the ages of 18 and 30 were five times more likely to admit to errors that compromised cybersecurity; just 10% of workers over 51 did so. Professor Hancock proposes this may be because younger workers are more aware that they have made a mistake, while older generations place more importance on self-presentation and respect in the workplace.

“They may be more reluctant to admit they’ve made a mistake because they don’t want to ‘lose face.’ Businesses, therefore, need to de-shame the reporting of mistakes,” Hancock reasoned.

One in four employees said they have clicked on a phishing email at work. Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a phishing email, versus just 17% of women. Older employees were the least susceptible to phishing scams, with just 8% of workers over 51 saying they had clicked on a phishing link.

Researchers suggest companies might need to tailor security training to different age groups if they want the teachings to stick. Furthermore, not all employees are cybersecurity savvy.

“Your employees are focused on the job you hired them to do and when faced with to-do lists, distractions, and pressure to get things done quickly, cognitive loads become overwhelming and mistakes can happen,” according to the report.

Other findings include:

  • 45% of respondents cited distraction as the top reason for falling for a phishing scam
  • 57% of remote workers admit they’re more distracted when working from home
  • The top reasons for clicking on phishing emails are the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%)

According to the report, businesses must take a more humane approach to prevent mistakes from turning into serious security incidents.

Bitdefender’s answer to the problem is a holistic one. GravityZone Elite is an integrated endpoint protection, risk management, and attack forensics platform, enhanced with user behavior risk analytics. IT reps can leverage integrated Risk Management and Analytics to continuously assess, prioritize, and address misconfigurations and vulnerabilities, including human-triggered ones.