In the recent past, one of the stumbling blocks in collecting statistics about data breaches was the unwillingness of breached entities to share information. As you can image, this could be embarrassing for the group that was breached and could be thought to lead to additional dangers, not to mention a slew of legal hoops, etc. For the past 5 or 6 years Verizon has helped a great deal with this. Verizon’s RISK (Research-Investigations-Solutions-Knowledge) team has been gathering data from contributors and studying the findings to produce their annual Data Breach Investigations Report.
The report is an interesting read and contains a lot of excellent information. One of the things that I found most interesting was the section labelled “The inevitability of the click”. This portion of the report asks how many phishing emails does an attacker need to send before they will get someone to “click” on a link or attachment in the email. The answer might surprise you.
Check out the report and other interesting reads at http://www.verizonenterprise.com/DBIR/2013/ .
*See page 38 of the report for the answer to the question.