Cybervize – Cybersecurity Beratung

The 95% Myth: Why Blame Games Hurt Cybersecurity

Alexander Busse·June 13, 2025
The 95% Myth: Why Blame Games Undermine Cybersecurity

Today is "Blame Someone Else Day," observed annually on the first Friday the 13th of the year, commemorating Anne Moeller's overslept morning in 1982. It reminds us of that all-too-human reflex to quickly pass responsibility when things go wrong. In the realm of cybersecurity, this reflex has long become standard practice.

A frequently cited IBM study claims: "95% of all security incidents can be traced back to human error." This statistic is regularly used to place blame on employees who click on phishing emails or use weak passwords. However, this oversimplification overlooks critical factors and prevents genuine improvements in security architecture.

What the 95% Statistic Conceals

The reality of cybersecurity is more complex than a single number suggests. Security incidents almost never result from a single factor, but from the interplay of three critical layers:

Technical Layer: Unpatched Vulnerabilities

Before an employee even clicks on a suspicious link, technical oversights have often already opened the door. Unpatched security vulnerabilities in systems like Exchange servers, outdated operating systems, or misconfigured firewalls create attack vectors that exist completely independent of human behavior.

A real-world example: The ProxyLogon vulnerabilities in Microsoft Exchange servers were massively exploited in 2021, before many organizations even had time to patch. Here, the problem wasn't human error but technical response speed and infrastructure complexity.

Process Layer: Missing Structures and Responsibilities

Even when a security alert is triggered, it often fizzles out ineffectively if no clear incident response processes exist. Who is responsible? Who gets notified? What steps should be taken and in what order?

A missing or incomplete incident runbook leads to critical warnings being ignored, escalations occurring too late, or multiple teams working at cross purposes. In a complex IT landscape, documented processes, clear KPIs, and defined escalation paths are indispensable.

Human Layer: Credential Reuse and Social Engineering

Of course, humans play a role, but often under conditions the organization itself has created. Credential reuse in Single Sign-On (SSO) environments makes phishing attacks particularly convincing. When employees must or can use the same credentials for multiple services, a single compromised account becomes a master key.

Additionally, there's often a lack of regular, practical security awareness training. One-time mandatory training sessions aren't sufficient to create lasting security consciousness.

The Attack Chain: Synergy of Weaknesses

The crucial point is this: Only the synergy of these three layers (technology, process, people) creates an interlocking attack chain that enables successful cyberattacks. An attacker exploits an unpatched vulnerability, bypasses detection through missing processes, and finally uses social engineering to move laterally through the network.

Those who methodically investigate root causes unravel why the alarm clock rings but nobody responds. The question isn't "Who's to blame?" but "What system failures enabled this incident?"

Levers That Actually Work

To sustainably improve cybersecurity, organizations must address all three layers:

1. Technical Hardening: Systematically Eliminate Vulnerabilities

Patch management isn't a nuisance; it's one of the most effective security measures available. Critical updates should be deployed within a maximum of 3 days. A structured patch sprint can deliver dramatic results.

Proof point from practice: A mid-sized industrial client conducted a four-week patch sprint, systematically closing all critical vulnerabilities. The result: Attack surface reduced by 95%. Instead of hundreds of potential entry points, only a few well-monitored access points remained.

Additional technical measures:

  • Multi-Factor Authentication (MFA) for all critical systems
  • Network segmentation to impede lateral movement
  • Vulnerability scanning with automated prioritization
  • Endpoint Detection and Response (EDR) for rapid response

2. Process Excellence: Measurable Structures and Clear Responsibilities

Security requires measurable processes. Define clear KPIs such as:

  • Time to Detect an incident
  • Time to Respond
  • Patch compliance rate
  • Success rate in phishing simulations

Escalation paths must be documented and regularly tested. Who gets notified for what type of incident? Who has decision-making authority? An annual tabletop exercise helps review and improve these processes.

Create a comprehensive incident response runbook covering various scenarios (ransomware, data breach, DDoS) with concrete action steps.

3. Human Competence: Continuous Training and Awareness

Security awareness isn't a project; it's a continuous process. Effective programs are characterized by:

  • Quarterly refreshers instead of annual mandatory sessions
  • Realistic phishing simulations with constructive feedback
  • Target: Phishing success rate below 5%
  • Role-specific training for particularly exposed employees (Finance, HR, IT)

Important: Training should empower, not punish. Create a culture where employees can report suspicious emails without fearing consequences.
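The KPIs listed under process excellence and the two numeric targets above (critical patches within 3 days, phishing success below 5%) can be tracked with a small script. The following is an added example, not code from the post or from Cybervize; the host names, incidents and phishing figures are constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import mean

PATCH_SLA = timedelta(days=3)   # "critical updates within a maximum of 3 days"
PHISHING_TARGET = 0.05          # "phishing success rate below 5%"

# Constructed sample data (hypothetical hosts, incidents and simulation results).
PATCHES = [  # critical patch release date and the date each host applied it
    {"host": "exch-01", "released": "2025-05-01", "applied": "2025-05-02"},
    {"host": "exch-02", "released": "2025-05-01", "applied": "2025-05-06"},
    {"host": "fw-01", "released": "2025-05-03", "applied": None},
    {"host": "web-01", "released": "2025-05-03", "applied": "2025-05-04"},
]
INCIDENTS = [  # first malicious activity, first alert, containment
    {"id": "INC-1", "start": "2025-05-10T08:00", "detected": "2025-05-10T14:00", "contained": "2025-05-10T18:00"},
    {"id": "INC-2", "start": "2025-05-20T01:00", "detected": "2025-05-22T09:00", "contained": "2025-05-22T13:00"},
]
PHISHING = {"sent": 400, "clicked": 60, "submitted_credentials": 28}

def patch_compliance(patches, as_of, sla=PATCH_SLA):
    """Fraction of critical patch deployments completed within the SLA.
    A missing patch counts against compliance once its SLA has expired;
    one whose SLA is still running is left out of the denominator."""
    compliant = total = 0
    for p in patches:
        released = datetime.fromisoformat(p["released"])
        if p["applied"] is None:
            if as_of - released > sla:
                total += 1
            continue
        total += 1
        if datetime.fromisoformat(p["applied"]) - released <= sla:
            compliant += 1
    return compliant / total if total else 1.0

def mean_hours(incidents, start_key, end_key):
    """Mean elapsed hours between two incident timestamps (used for MTTD and MTTR)."""
    return mean((datetime.fromisoformat(i[end_key]) - datetime.fromisoformat(i[start_key]))
                .total_seconds() / 3600 for i in incidents)

def phishing_success_rate(sim):
    """Share of recipients who handed over credentials; a click alone is not a success."""
    return sim["submitted_credentials"] / sim["sent"]

def kpi_report(as_of=datetime(2025, 5, 15)):
    rate = phishing_success_rate(PHISHING)
    return {"patch_compliance": patch_compliance(PATCHES, as_of),
            "mttd_hours": mean_hours(INCIDENTS, "start", "detected"),
            "mttr_hours": mean_hours(INCIDENTS, "detected", "contained"),
            "phishing_success_rate": rate, "phishing_target_met": rate < PHISHING_TARGET}

if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(f"{key}: {value}")
```

With the sample data, two of four deployments meet the 3-day SLA, detection of the second incident took over two days, and a 7% phishing success rate misses the 5% target; each of those is a system finding, not an individual's fault.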

NIS2: Compliance as a Driver for Security Excellence

The NIS2 Directive, being implemented into national law from 2024, significantly tightens requirements. Companies in critical sectors and important industries must now meet substantially higher security standards.

The consequences of non-compliance are severe:

  • Fines of up to 10 million euros or 2% of global annual revenue
  • Personal liability for management

Approximately 30,000 German companies fall under the NIS2 Directive. For many, this means a fundamental rethinking of security strategy. NIS2 requires:

  • Risk management and incident response plans
  • Regular security audits
  • Supply chain security
  • Incident reporting obligations (within 24 hours)

Instead of viewing NIS2 as a compliance burden, organizations should see the directive as an opportunity for systematic improvement of their security architecture.

From Blame to System Improvement

"Blame Someone Else Day" reminds us how tempting it is to look for easy scapegoats. But in cybersecurity, this approach isn't just unproductive; it's dangerous.

Effective cybersecurity emerges not from blame but from:

  • Holistic thinking that integrates technology, process, and people
  • Measurable improvements instead of vague declarations of intent
  • Continuous evolution of security architecture
  • Positive error culture that enables learning

The 95% statistic isn't wrong, but it's incomplete. People are part of the system, but the system determines how securely people can operate.

Conclusion: Prioritization Is Key

Which layer should you prioritize this quarter? The answer depends on your current situation:

  • High number of unpatched systems? Launch a patch sprint.
  • Unclear responsibilities for incidents? Document your incident response runbook.
  • High phishing success rate? Implement a continuous awareness program.

The most important step is to actually begin and not wait for the perfect moment. Cybersecurity is a marathon, not a sprint.

Act now: Assess your current security architecture across all three layers. Define measurable goals. And above all: Stop assigning blame and start improving systems.

Which layer will you prioritize this quarter? Share your strategy with us or contact us for personalized consultation on improving your cybersecurity architecture.