The Human Factor as the Key to Information Security

Mar 25, 2026

More than one billion phishing emails in twelve months, generated by artificial intelligence. What Graham Stanforth shows in his presentations is enough to alarm executives. The cybersecurity expert is part of the “Information, Cyber Security and AI” Business Line at DEKRA and has been observing the threat landscape for years. Increasingly in the crosshairs of criminals: people. “Technological security measures are constantly improving because artificial intelligence helps not only attackers but also defenders,” says Stanforth. “What remains as the primary target is the human being.”

Generative AI in Security: the new risk potential of artificial intelligence

Graham Stanforth knows both cybersecurity and people. Born in the UK, he served with the Royal Corps of Signals in the British Armed Forces, where he was trained in electronic warfare. He has lived in Germany for 30 years and now resides near Cologne with his wife, two children and his dog George. Anyone who talks to him immediately notices: Graham understands how to deal with people. In his hacking shows, he demonstrates the dangers live to his audience. His approach: “Of course, you need solid content – but I have to captivate the audience, not just inform them. That’s when the message really lands.”
At the DEKRA Aviation Days 2024, he demonstrated how this works in a highly sensitive setting, supervised by the German Federal Aviation Office (Luftfahrt-Bundesamt, LBA). In the presence of representatives from the aviation industry and the German Air Force, he managed to get ChatGPT, with just a few prompts, to reveal an attack concept capable of bringing airports to a standstill. The audience was visibly shocked.

Social engineering: the threat from AI and hackers is real

Anyone who wants to understand what happens on the internet every second should simply open a publicly available cyber threat map, Stanforth advises. These maps visualize attacks on IT systems worldwide in real time, and the figures are alarming: security experts register almost six million attacks per hour against a single German IT provider. And those are only the attacks that have been detected and diverted into virtual traps (honeypots). Purely technical attacks, which Stanforth calls cyber engineering and which increasingly make use of generative AI, are a real threat, but in his view they can be repelled with technical means that themselves employ generative AI. “Even more dangerous, however, is social engineering, where criminals use their soft skills to gain access to systems,” says the expert. In his view, the five most dangerous types of attack, ranked by frequency, are:
Rank  Type of attack   Description
1     Phishing         Fake emails prompting recipients to click on links or open attachments
2     Cyber hacking    Technical attack exploiting system vulnerabilities
3     Deepfake         AI-generated voices or videos impersonating real people
4     USB              Infected storage devices plugged into company computers
5     BEC              Business Email Compromise: fraudsters pose as executives and initiate money transfers

The attackers exploit trust, helpfulness and respect for authority in four out of the five most common attack scenarios. These are not weaknesses; they are social traits. That’s why we have to empower people to see through this.

Graham Stanforth – Head of Information Security Training
What sounds simple in theory can be difficult under stress. A call from a supposed superior, a harmless-looking email, a colleague who needs a quick favor: this is exactly what social engineering ruthlessly exploits. Stanforth’s most important message is therefore: “Information Security is everyone’s business.”

EU NIS2 Directive: react quickly in an emergency

Anyone who has clicked on a phishing email despite all precautions should take action. “It’s important to report the incident immediately. That way, the damage can be contained – and you are obliged to do so,” says the expert. The obligation stems from the European NIS2 Directive, which has applied in Germany as national law since December 2025. For companies in scope, it requires a significant security incident to be reported to the Federal Office for Information Security (BSI) in stages: an early warning within 24 hours of becoming aware of it, a more detailed incident notification within 72 hours, and a final report no later than one month after that notification.

Phishing tests and awareness: turning people into a protective shield

With his team of DEKRA specialists, Stanforth focuses primarily on raising awareness when they conduct penetration tests on behalf of companies. As part of these tests, they send phishing test emails to employees. “We record click rates anonymously and analyze the percentages. No individual is recorded by name, but they receive an automated notification that they have clicked on a fake email.” For broadly distributed phishing campaigns, industry data shows click rates of between five and ten percent. “In our tests, click rates are 13 percent and higher.”
The DEKRA team deliberately builds clues into the test emails that point to an untrustworthy sender, such as spelling mistakes in names or job titles. The employees’ task is to identify and report these emails.
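The anonymous click-rate tracking described above (percentages for the analysis, no names recorded, but an automated notice to the person who clicked) can be implemented by giving every recipient a pseudonymous per-campaign token. The following Python is an added illustration and is not DEKRA’s tooling; the class name, the tracking URL and the recipient addresses are all constructed for the example. The token is an HMAC over the campaign name and the address, so only the component holding the campaign secret (the mail-sending side) can map a clicked token back to a person, while the reporting side works purely on counts.

```python
"""Pseudonymous click tracking for a phishing simulation (added example,
not DEKRA code). Sending side: knows recipients and the campaign secret.
Link endpoint / report mailbox: sees only tokens. Analysis side: sees only
campaign-level counts and rates. Recipient addresses are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PhishingSimulation:
    campaign: str
    # The secret stays with the sending component; analysis never gets it.
    _secret: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    _issued: set = field(default_factory=set)    # valid tokens, no addresses
    _clicked: set = field(default_factory=set)   # tokens that followed the link
    _reported: set = field(default_factory=set)  # tokens whose mail was reported

    def _token(self, address: str) -> str:
        # Per-recipient, per-campaign token: HMAC-SHA256, truncated for URL use.
        msg = f"{self.campaign}:{address.strip().lower()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    # ---- sending side ---------------------------------------------------
    def issue_links(self, recipients, base_url="https://tracker.example.invalid/t/"):
        """Return {address: tracking_url}; only the tokens are remembered."""
        links = {}
        for addr in recipients:
            tok = self._token(addr)
            self._issued.add(tok)
            links[addr] = base_url + tok
        return links

    def who_clicked(self, recipients):
        """Re-derive tokens to find who gets the automated 'you clicked' notice.
        This is the only place that joins tokens back to people."""
        return sorted(a for a in recipients if self._token(a) in self._clicked)

    # ---- link endpoint and report mailbox --------------------------------
    def record_click(self, token: str) -> bool:
        """Accept only issued tokens; repeated clicks by one person count once."""
        if token not in self._issued:
            return False
        self._clicked.add(token)
        return True

    def record_report(self, token: str) -> bool:
        """Token extracted from the link in a mail forwarded to the report box."""
        if token not in self._issued:
            return False
        self._reported.add(token)
        return True

    # ---- analysis side: aggregates only ----------------------------------
    def stats(self) -> dict:
        sent = len(self._issued)
        rate = lambda n: round(100.0 * n / sent, 1) if sent else 0.0
        return {
            "sent": sent,
            "clicked": len(self._clicked),
            "reported": len(self._reported),
            "click_rate": rate(len(self._clicked)),
            "report_rate": rate(len(self._reported)),
        }


if __name__ == "__main__":
    sim = PhishingSimulation("q1-awareness")
    people = [f"user{i}@example.invalid" for i in range(8)]   # constructed
    links = sim.issue_links(people)
    sim.record_click(links["user3@example.invalid"].rsplit("/", 1)[1])
    sim.record_report(links["user5@example.invalid"].rsplit("/", 1)[1])
    print(sim.stats())                  # click_rate 12.5, report_rate 12.5
    print(sim.who_clicked(people))      # only the sending side can see this
```

The split matters in practice: the analysis report that goes to management contains `stats()` only, while `who_clicked()` runs inside the mail-sending component and feeds nothing but the automated notification, so a click rate can be measured without a list of names ever reaching anyone.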

We want people to learn. That’s how a risk factor becomes a protective shield. For that, the corporate culture has to be right. There must be no ‘Wall of Shame’. Companies need a ‘Wall of Fame’.

Graham Stanforth – Head of Information Security Training
For Stanforth, an aware and sensitized workforce is a key driver of greater security. In the past, phishing emails were often easy to recognize, but today artificial intelligence generates realistic-looking messages within seconds. While this leads to an arms race between attackers and defenders on the technical side, people remain the decisive variable.

Security measures: security needs balance

The human factor is often underestimated in Information Security, and one consequence is that technical protection must not sabotage day-to-day work. At DEKRA, screens lock automatically after 15 minutes. “That may be a long period of time. But it makes no sense to set the interval too short,” says Stanforth, recalling a case where a company set it to two minutes. The result: employees could hardly finish reading an email before they had to log in again. So they became inventive and placed analogue clocks under their optical mice: the moving second hand simulated mouse movement, the lock never triggered, and the workstations were left open to anyone walking past.

Leading by example: Cybersecurity as a leadership task

The human factor is central in yet another respect. “Decision-makers are role models. When management leads by example on Information Security and takes part in training, employees follow,” says Stanforth. DEKRA has therefore anchored this function in the “PPO – People, Processes and Organization” Service Division – not as an IT issue, but as a matter of culture and organization.
What does the best possible protection against cyberattacks look like? For Stanforth, the answer is clear: “Systems must be technically state of the art and must be protected adequately using technical means. In addition, companies need a culture of learning and praise rather than blame.” Because if employees are alert, report anomalies in good time, and help each other, the human risk factor can turn into a protective shield. “This kind of culture is the goal that we live at DEKRA – and that companies need,” says the expert.