REPORT

Human Cyber-Risk Report: Critical Infrastructure

This report on human risk in the critical infrastructure sector comes from an analysis of over 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people participating in Hoxhunt's security behavior change program. Critical infrastructure results are compared against the global average of all sectors.

These findings reveal how human cyber-risk can be demonstrably mitigated by a robust behavior change program in the critical infrastructure sector.


Key takeaways

  • Critical infrastructure employees are unusually active and high-performing threat reporters
  • Critical infrastructure’s resilience ratio is 51% higher than the global industry average
  • Resilience velocity is 20% higher in critical infrastructure (i.e. organizational real threat detection rates reach a point of diminishing returns at 10 months, compared to 12)
  • Training produces measurable real-life behavior change: 65.6% of active security behavior change program participants detected and reported a real threat in the previous year
  • Phishing simulation reporting rates in critical infrastructure begin lower, but climb 61% higher than the global average after 12 months
  • Miss rates—not interacting with a phishing simulation—start higher in critical infrastructure but, after 12 months, are 65% lower than the global average
  • Phishing simulation failure rates are 5.3% in critical infrastructure, slightly above the 5.1% global average—impressive, given the higher participation rate
  • The most effective type of phishing attack—spoofed internal organizational communications—induces an 11.4% higher failure rate in critical infrastructure than the global average
  • Marketing and communications departments in critical infrastructure have the highest phishing simulation failure rates, similar to the global trend, but their failure rate is higher
  • Sales departments in critical infrastructure have lower failure rates than all other industries