The Cybersecurity Paradox: Why We’re Falling Behind While Standing Still

Mark stared at his monitor, watching another “critical” alert join the flood of notifications already drowning his dashboard. Beside him, his colleagues scrolled through similar screens with the glazed eyes of people who’ve seen this movie too many times before. They all knew the drill: investigate, categorize, prioritize, document, escalate, and then — most likely — watch as the findings disappeared into the void of “acceptable risk.”

This is the daily reality in cybersecurity. We acknowledge the need for better protection while simultaneously clinging to the comfortable familiarity of outdated approaches. Our industry has created a paradox where we’re running faster and faster just to stay in place.

The Uncomfortable Truth About Our Security Posture

Let’s face it: defenders are losing.

The 2024 Verizon Data Breach Investigations Report analyzed an astonishing 30,458 security incidents and 10,626 confirmed breaches in 2023 — a two-fold increase over 2022 [¹]. Exploitation of vulnerabilities as an initial attack vector grew by 34%, driven largely by zero-day exploits against perimeter devices and VPNs [²].

These aren’t just numbers. They’re a stark illustration of our collective failure.

While organizations invest billions in cybersecurity — with worldwide spending projected to reach $219 billion in 2023, according to Gartner — the return on that investment seems questionable at best [³]. IBM’s Cost of a Data Breach Report 2024 highlights that the global average cost of a data breach reached $4.45 million, a 10% increase over the previous year and the highest total ever recorded [⁴].

What’s more telling is that 68% of breaches, whether they include a third party or not, involve a non-malicious human element — someone making an error or falling prey to a social engineering attack [⁵]. This percentage remained virtually unchanged from the previous year, suggesting our approaches to human-centered security are failing to move the needle.

The Innovation Gap

The uncomfortable truth is that attackers innovate daily while defenders largely reiterate.

As Ross Anderson pointed out in his seminal paper “Why Information Security is Hard — An Economic Perspective,” this is partly an economic problem [⁶]. The incentives in cybersecurity are fundamentally misaligned. Defenders must protect an ever-expanding attack surface with finite resources, while attackers need only find a single vulnerability.

The defense space is cluttered with what security expert Bruce Schneier has called “security theater” — measures that make us feel more secure without actually improving security. We’ve created an industry of bandage solutions that address symptoms rather than root causes.

Consider the gap between when a vulnerability is exploited and when it is fixed. The CISA 2024 Year in Review notes that organizations take an average of 55 days to remediate half of their critical vulnerabilities after patches become available [⁷]. Meanwhile, the median time between a patch’s release and mass exploitation of the vulnerability on the internet is just five days. That’s a 50-day window during which attackers operate with relative impunity.

The AI Inflection Point

At a recent cybersecurity conference, I heard a researcher predict that with the advent of AI, traditional security measures could be rendered largely ineffective within five years. Given the current trajectory, this might be optimistic.

The 2024 Trend Micro Midyear Cybersecurity Threat Report details how threat actors are already leveraging AI to create “fast, evasive, and sophisticated threats and campaigns” [⁸]. As AI capabilities advance, we can expect attack sophistication to increase exponentially while the cost of launching these attacks decreases.

Meanwhile, our defensive AI remains largely reactive — automating existing processes rather than reimagining them. We’re building AI SOC analysts when, as Andrew Odlyzko argued in “Cryptographic abundance and pervasive computing,” the main constraint on security is sociological, not technological [⁹]. We still haven’t solved the human element of security, yet we’re layering AI on top of fundamentally flawed processes.

Starting From First Principles

If we want to have any chance in this fight, we need to start fresh. We need to strip away our traditional assumptions and approach cybersecurity from first principles.

John Adams’ work on risk management suggests that organizations tend to be more risk-averse than rational economic considerations would dictate [¹⁰]. This risk aversion leads to security decisions that emphasize compliance over actual security efficacy.

The OECD’s “Economics of Malware” research reinforces this point, highlighting how “many instances of what could be conceived as security failures are in fact the outcome of rational economic decisions, reflecting the costs and benefits perceived by the actors” [¹¹]. We’re making economically rational decisions within a broken framework.

What would cybersecurity look like if we rebuilt it from scratch today? It probably wouldn’t include:

  • Perimeter-focused defenses in a world where the concept of a perimeter has dissolved
  • Password-based authentication despite decades of evidence showing its ineffectiveness
  • Threat detection systems that generate thousands of alerts while missing the most critical breaches
  • Security awareness training that treats humans as a problem to be managed rather than a resource to be leveraged

The Path Forward

I don’t have all the answers — no one does. But I know we need to start asking different questions.

Instead of asking, “How do we detect more threats?” perhaps we should ask, “How do we design systems that are resilient despite inevitable compromises?” or even “How can we actually see what our networks are doing in a meaningful way?”

Instead of asking, “How do we prevent human error?” we might ask, “How do we design human-centered security that works with our psychology instead of against it?”

The 2025 Verizon DBIR found that organizations that used security AI and automation extensively in prevention saved an average of $2.22 million in breach costs compared to those that didn’t deploy these technologies [¹²]. But technology alone isn’t the answer. We need a fundamental rethink of our approach.

As Andrew Odlyzko noted, “A key problem with strong information security in an office environment is that it would stop secretaries from forging their bosses’ signatures” [¹³]. Security that doesn’t accommodate how people actually work is doomed to fail.

Breaking the Cycle

The cycle can be broken. The 2024 Data Breach Investigations Report notes a hopeful sign: 20% of individuals recognized and reported phishing in simulated exercises, and 11% of individuals who clicked a malicious email reported it [¹⁴]. We’re seeing small improvements in human-centered security awareness.

But these incremental improvements won’t be enough if we’re facing exponential increases in threat sophistication. We need to fundamentally reimagine cybersecurity.

This doesn’t mean throwing away everything we’ve learned. It means examining our assumptions, challenging our traditions, and being willing to rebuild from the ground up. It means being willing to admit that much of what we’re doing isn’t working.

The fears we have and the assumptions we protect are just as much the enemy as the attackers who exploit them. Until we’re willing to confront those fears and question those assumptions, we’ll continue to fall behind while running in place.

The paradox of cybersecurity is that to move forward, we first need to step back. We need to question everything — not out of pessimism, but out of a genuine desire to find better answers to the challenges we face.

Are we ready to do that? The increasing breach statistics suggest we don’t have much choice.

[¹]: Verizon. (2024). 2024 Data Breach Investigations Report.

[²]: Verizon. (2025). 2025 Data Breach Investigations Report. https://www.verizon.com/about/news/2025-data-breach-investigations-report

[³]: Gartner. (2022). Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021. https://www.gartner.com/en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-managem

[⁴]: IBM. (2024). Cost of a Data Breach Report 2024. https://www.ibm.com/reports/data-breach

[⁵]: Security Magazine. (2024). Verizon 2024 Data Breach Report Shows the Risk of the Human Element. https://www.securitymagazine.com/articles/100629-verizon-2024-data-breach-report-shows-the-risk-of-the-human-element

[⁶]: Anderson, R. (2001). Why Information Security is Hard — An Economic Perspective.

[⁷]: CISA. (2024). 2024 Year in Review. https://www.cisa.gov/about/2024YIR

[⁸]: Trend Micro. (2024). Pushing the Outer Limits: Trend Micro 2024 Midyear Cybersecurity Threat Report. https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/pushing-the-outer-limits-trend-micro-2024-midyear-cybersecurity-threat-report

[⁹]: Odlyzko, A. (2000). Cryptographic abundance and pervasive computing. http://www-users.cse.umn.edu/~odlyzko/doc/crypto.abundance.txt

[¹⁰]: Adams, J. (1999). Cars, Cholera, and Cows: The Management of Risk and Uncertainty.

[¹¹]: OECD. (2008). Economics of Malware: Security Decisions, Incentives and Externalities. https://www.oecd-ilibrary.org/science-and-technology/economics-of-malware_241440230621

[¹²]: IBM. (2024). Cost of a Data Breach Report 2024. https://www.ibm.com/reports/data-breach

[¹³]: Odlyzko, A. (2000). Cryptographic abundance and pervasive computing. http://www-users.cse.umn.edu/~odlyzko/doc/crypto.abundance.txt

[¹⁴]: Help Net Security. (2024). 2024 Data Breach Investigations Report: Most breaches involve a non-malicious human element. https://www.helpnetsecurity.com/2024/05/02/verizon-2024-data-breach-investigations-report-dbir/
