Numbers hold immense influence in cybersecurity. They shape budgets, board discussions, and vendor strategies. Mohamed Mahdy, CISSP, SSCP, discusses why distorted and inaccurate information undermines a true understanding of organizational risk and can create a false sense of security.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
We’ve all heard the statistics: “95% of breaches are caused by human error,” or “Ransomware has jumped 500%,” or “80% of organizations now use AI for cybersecurity.” The problem is that while many of these statistics aren’t lies, they are distortions. They start as legitimate data but can morph through vague wording, biased sampling, or a bit of chart trickery. In other words, they are misleading numbers: figures that sound authoritative but are shaped to fit a narrative. A truncated chart axis or a loose definition can change how readers perceive risk, sometimes with costly consequences. Here are five occasions when, in my view, cybersecurity misinformation could have led me astray and how we can all recognize the patterns behind them.
“95% of Breaches Stem from Human Error”
This figure has been repeated so often it feels like gospel – for example, in IBM reports, UseSecure, Verizon’s Data Breach report and from the World Economic Forum. Yet when I traced it back, I considered the methodology behind its calculation to be murky. It comes from survey responses about “primary cause” categories, not forensic analysis. “Human error” is also a catch-all term, meaning everything from a mistyped command to ignoring an alert.
It’s a problem because, if I accept this stat at face value, it creates a people-blaming culture. Cybersecurity leaders might overinvest in awareness training while underfunding automation, configuration management or network segmentation — all of which prevent human errors from turning into incidents.
“Ransomware Increased 500% in a Year”
Eye-popping percentages reported in Malwarebytes and Sophos reports usually come from endpoint vendors counting detections, not unique attacks. If one large ransomware campaign hits thousands of endpoints, it inflates raw detection numbers — while charts with truncated Y-axes make the spike look apocalyptic.
For me, this one is a problem because inflated growth numbers generate panic reactions. I or other cybersecurity teams might well rush to purchase “anti-ransomware” tools, rather than focus on proven fundamentals such as network isolation, least privilege and reliable backup testing. The risk is that my reaction becomes emotional, not strategic.
“80% Of Companies Now Use AI For Cybersecurity”
This one took off in 2024–2025; there are examples in multiple reports including from Arctic Wolf and Takepoint Research. In many cases, the counts included organizations using simple rule-based systems that marketers had quietly rebranded as “AI-powered.” Meanwhile, surveys often relied on 300–400 respondents, mostly in Western markets.
This one is a problem because, when my executives read that “everyone is using AI,” FOMO (Fear Of Missing Out) takes over. They want to fast-track procurement of unproven tools, sometimes without confirming technical fit or ROI. Strategy becomes a race in which the objective is to not be left behind, rather than a measured decision. We cybersecurity professionals are then left to ‘talk them down’.
“The Average Cost of a Data Breach Is $4.88 Million”
The IBM/Ponemon Cost of a Data Breach report is widely cited and can be very useful. But the “average” cost is calculated from diverse industries, geographies and breach sizes. Exploring the detail, I found it also mixes hard costs with speculative impacts like brand damage or customer churn. Median figures – when published – are usually far lower, but of course they rarely make the headlines.
My concern is that quoting inflated averages can distort investment models and insurance decisions. My executives may overestimate exposure or misallocate funds to high-cost contingencies while neglecting risk areas that actually cause more frequent operational pain.
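As an added illustration (not code from the original article or from ISC2), the following Python snippet uses constructed, hypothetical data to show the two mechanisms described above: how counting endpoint detections rather than unique campaigns can turn a handful of attacks into a "500% increase", and how a few outlier incidents pull a mean breach cost far above the median. The campaign names, endpoint IDs and cost figures are all made up for the demonstration.

```python
from collections import Counter
from statistics import mean, median

# Constructed, hypothetical detection records: (period, endpoint_id, campaign_id).
# Last quarter: eight small campaigns, five endpoints each (40 detections).
# This quarter: one campaign lands on 200 endpoints, plus four small campaigns
# of ten endpoints each (240 detections).
LAST_QUARTER = [("Q1", f"host-{i:03d}", f"campaign-{i % 8}") for i in range(40)]
THIS_QUARTER = (
    [("Q2", f"host-{i:03d}", "campaign-big") for i in range(200)]
    + [("Q2", f"host-{200 + i:03d}", f"campaign-{i % 4}") for i in range(40)]
)


def raw_detections(records):
    """What an endpoint vendor's dashboard counts: one hit per endpoint per campaign."""
    return len(records)


def unique_campaigns(records):
    """What a risk owner actually wants: distinct campaigns observed in the period."""
    return len({campaign for _, _, campaign in records})


def top_campaign_share(records):
    """Fraction of raw detections attributable to the single largest campaign."""
    counts = Counter(campaign for _, _, campaign in records)
    return max(counts.values()) / len(records)


def growth_pct(previous, current):
    """Percentage change between two period counts."""
    return (current - previous) / previous * 100


# Constructed breach costs in USD millions for ten hypothetical incidents.
# Two large outliers dominate the total, as they often do in real samples.
BREACH_COSTS = [0.3, 0.4, 0.5, 0.6, 0.8, 1.1, 1.5, 2.0, 9.0, 30.0]


def mean_cost(costs):
    """The 'average cost of a breach' figure that makes headlines."""
    return mean(costs)


def median_cost(costs):
    """The typical incident cost, which is what most organizations will experience."""
    return median(costs)


def summarize():
    """Print both views of each metric side by side so the distortion is visible."""
    raw_prev, raw_curr = raw_detections(LAST_QUARTER), raw_detections(THIS_QUARTER)
    uniq_prev, uniq_curr = unique_campaigns(LAST_QUARTER), unique_campaigns(THIS_QUARTER)
    print(f"Raw detections:   {raw_prev} -> {raw_curr} "
          f"({growth_pct(raw_prev, raw_curr):+.0f}%)")
    print(f"Unique campaigns: {uniq_prev} -> {uniq_curr} "
          f"({growth_pct(uniq_prev, uniq_curr):+.1f}%)")
    print(f"Share of detections from one campaign: {top_campaign_share(THIS_QUARTER):.0%}")
    print(f"Mean breach cost:   ${mean_cost(BREACH_COSTS):.2f}M")
    print(f"Median breach cost: ${median_cost(BREACH_COSTS):.2f}M")


if __name__ == "__main__":
    summarize()
```

On this constructed data the raw detection count grows 500% while the number of distinct campaigns actually falls, and the mean breach cost is almost five times the median. When a vendor or a report quotes a growth figure or an average, asking which of these two counts (detections or unique events, mean or median) sits behind it is usually enough to tell whether the number describes risk or describes marketing.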
“Phishing Caused 93% of All Successful Breaches”
This statistic, which has been referenced in Gitnux reports and Skillfloor, among other places, in my view conflates initial access with root cause. I’m well aware that, while phishing is a common entry vector, breaches rarely happen because of phishing alone: weak identity management, excessive privileges and poor segmentation are usually what turns an initial click into a crisis.
I don’t like the overstatements about the role of phishing either. If I were unable to refute such statistics, it would likely lead to overspending on email filters and awareness campaigns, with underinvestment in architectural resilience, detection maturity, or access controls that limit escalation.
How I Spot Misleading Numbers
Spotting bad data doesn’t require a statistics degree — just a disciplined mindset. Here’s my approach:
- I check who sponsored the study. Marketing-driven data tells marketing-driven stories.
- I look for the details obscured beneath vague terms. Phrases such as “AI use” or “human error” often hide multiple interpretations.
- I am skeptical of small sample sizes. A few hundred respondents rarely capture global reality.
- I pay close attention to the visuals. Truncated chart axes or selective baselines are red flags.
- I cross-verify. My hypothesis is that, if a trend is real, I’ll see it echoed by at least two independent sources.
Critical reading like this enables me to transform statistics from scare tactics into decision support.
For practitioners, I believe the antidote to misinformation is “vigilance”. Treat every headline number as a hypothesis, not a fact. Ask for definitions, baselines and sample details before letting data drive strategy. When I scrutinize cybersecurity statistics as rigorously as I do threats, I make better decisions — and serve a more honest, resilient security community.
Mohamed Mahdy, CISSP, SSCP, has 12 years of experience in IT and cybersecurity, working in service provider, defense, governmental, financial services and other fields. He has held support, consulting and product management roles, with responsibility for implementation, support, solution design, architecture and technical marketing activities for network and application security solutions.