    The state of human risk in 2026: the security effectiveness paradox

    More spending, less protection, rising insider threats

    by Michael Rowinski

    Key Points

    • Technology effectiveness dropped from 47% to 37% and process effectiveness dropped from 43% to 35%, yet 99% of organizations say they need even more budget, pointing to a structural problem rather than a resource one.
    • Malicious insider threats have surged 26% in two years. Organizations reporting increases rose from 35% in 2024 to 44% in 2026, a risk made worse by fragmented, disconnected security tools that create blind spots.
    • With 65% of organizations reporting complicated integration across their security stack, each new point solution adds complexity and alert fatigue, undermining the very defenses it was meant to strengthen, making integrated, platform-based approaches essential.

    Cybersecurity budgets keep climbing. Defensive effectiveness keeps falling. And malicious insider threats keep accelerating. Something is fundamentally broken, and the answer isn't more money.

    New research reveals a troubling disconnect at the heart of enterprise security. Technology effectiveness dropped from 47% to 37%. Process effectiveness fell from 43% to 35%. People effectiveness slipped from 38% to 35%. Yet despite these declines, 99% of organizations say they need even more budget. This isn't a resource problem. It's a structural one. And until leaders recognize the difference, the cycle will only get worse.

    The effectiveness collapse no one wants to admit

    Across every dimension of cybersecurity (technology, process, and people), effectiveness has eroded significantly. A 10-point drop in technology effectiveness is particularly damning given the billions organizations have poured into new tools, platforms, and point solutions over the past several years. Process effectiveness lost 8 points, and even the people dimension, often cited as the "last line of defense," declined by 3 points.

    The result? A full 96% of organizations report incomplete protection. Not "room for improvement," but "incomplete." After years of compounding investment, the vast majority of security teams still can't confidently say their organizations are adequately defended.

    The budget trap

    Here's where the paradox sharpens. Despite measurably declining returns, virtually every organization insists it needs a bigger security budget. Specifically, 64% of surveyed organizations prioritize more cybersecurity staffing and services (the single highest spending priority) even as people effectiveness continues to drop.

    The pattern is predictable: buy a tool, integrate it poorly, discover a gap, buy another tool, watch coordination worsen, repeat. Each purchase adds complexity. Each integration compounds the challenge of the last. And every new dashboard, agent, or module creates another seam for threats to slip through.

    From a CFO's perspective, this is diminishing returns in its purest form. From a board's perspective, it raises an uncomfortable question: Why aren't we getting more secure?

    Insider threats: the canary in the coal mine

    The most alarming signal in the data isn't about technology at all. It's about people. Malicious insider activity has surged 26% in just two years, with the percentage of organizations reporting increases rising from 35% in 2024 to 42% in 2025 to 44% in 2026.

    This acceleration isn't a coincidence. It's a direct consequence of the fragmentation problem. As organizations deploy more disconnected tools, visibility across those tools degrades. Security analysts spend more time correlating alerts across systems than actually responding to threats. Training programs operate independently of technical controls. HR systems don't communicate with security systems. The result is a defensive posture full of blind spots, and malicious insiders are precisely the threat actors most capable of exploiting them.

    At an average cost of $13.1 million per organization from roughly six monthly incidents, insider threats aren't just a security problem. They're a business-critical financial risk being made worse by the very investments meant to prevent it.

    Why more tools make things worse

    A staggering 65% of organizations report that integration across their security stack is complicated. That complexity isn't incidental. It's the root cause of declining effectiveness.

    Every new point solution adds integration requirements that grow exponentially rather than linearly. Alert fatigue multiplies as disconnected systems each generate their own notifications without shared context. Analysts become tool operators rather than threat hunters, spending their days switching between consoles instead of investigating risks. And the human element (awareness training, behavioral signals, cultural indicators) remains siloed from the technical telemetry that should inform it.

    The irony is sharp: organizations buy tools to improve security, and the act of buying more tools actively undermines it.

    The structural solution

    Breaking this cycle requires a fundamentally different approach, one that prioritizes integration over addition and coordination over accumulation.

    A platform-based strategy that unifies email security, insider risk management, awareness training, and compliance into a single ecosystem eliminates the seams that malicious insiders exploit. Rather than adding another tool to the stack, it makes existing investments work together through deep integration, turning disconnected point solutions into a coordinated defense.

    Human risk management sits at the center of this shift. By treating people not as the weakest link but as a measurable, manageable risk surface, organizations can address root causes rather than symptoms. Behavioral analytics, continuous intervention, and risk scoring replace the checkbox mentality of annual training and reactive incident response.

    The results speak for themselves: organizations that have made this shift report measurable reductions in shadow AI usage, faster incident response times, and lower cost per incident, often within six months.

    From spending to solving

    The security effectiveness paradox won't be solved by next year's budget increase. It will be solved by leaders willing to ask harder questions: not "how much are we spending?" but "how effectively are we spending?" Not "how many tools do we have?" but "how well do they work together?"

    Malicious insider acceleration is the clearest warning sign that the current approach is failing. The organizations that heed that warning, shifting from fragmented tool sprawl to integrated, human-centric platforms, won't just improve their security posture; they'll finally break the cycle of spending more to protect less.

    Get more details by reading Mimecast’s The State of Human Risk 2026 report.

    Challenge the security effectiveness paradox. See how Mimecast's integrated Human Risk Management Platform delivers measurable effectiveness improvements without tool sprawl. Request a demo.
