The User Is Still the Weakest Link - Now What?
Dune Security CEO David DellaPelle joins Secure Insights to break down why user risk drives breaches, how AI is accelerating social engineering, and why legacy awareness models are no longer effective.


On this episode of Secure Insights, NDK Cyber host Nick Kebbell speaks with Dune Security CEO and Co-Founder David DellaPelle about why user risk remains the most consistently exploited entry point in enterprise breaches and how AI is accelerating modern social engineering. David explains why traditional security awareness training has failed to meaningfully reduce risk and how attackers now operate with far greater speed and precision across email, voice, SMS, deepfakes, and encrypted channels.
The conversation focuses on why human behavior is often misunderstood as a training problem instead of a measurable security challenge, and how one-size-fits-all, compliance-driven programs leave enterprises exposed. David shares how quantifying user risk based on behavior and role enables security teams to focus remediation where it matters most, address the riskiest users, and reduce exposure in a way static training and testing cannot.
Nick Kebbell:
David, thank you for joining us on Secure Insights. You are the co-founder and CEO at Dune Security. Thanks very much for coming on board. I know we have tried to fit this in over the last few months, and I know you have been busy ramping up with Dune.
David DellaPelle:
Nick, thanks so much for having me today.
Nick Kebbell:
For those that do not know who Dune Security is, can you shed some light on what the company does and why you founded it?
David DellaPelle:
Thanks for that. A little over three years ago, we were looking at the problem of user behavior, specifically social engineering and insider threats. I realized that the biggest problem in cybersecurity was user behavior, which causes about 90 percent of breaches.
At the time, there was a solution on the market called security awareness training that every company was paying for, but they were not actually getting risk reduction. What they were getting was standardized testing and training, essentially a compliance checkbox.
High-risk users were not being held accountable, low-risk users were having their time wasted, and it created an adversarial relationship between the CISO and the rest of the organization. So we decided to turn the problem on its head.
We asked, what if we could take in a broad set of data about users and create a credit score of user risk for each employee, from one to one hundred, where one hundred represents the highest-risk employee in the company. What we found was that this was a much more effective way to quantify user risk, and then remediate that risk on an individual basis.
It is a strong replacement for security awareness training, but it goes far beyond that.
Nick Kebbell:
There are a lot of cybersecurity training companies on the market. How do you differ from a standard security training organization?
David DellaPelle:
Security awareness training is inherently limited because there is very little data being pulled in, and the training and testing are not specific to users.
We pull in a wide variety of risk inputs and build a credit score of user risk for each individual in the company. Every piece of training someone receives is delivered based on their risk profile and their role, and it is only delivered when it can actually be effective.
For some users, no amount of training will be effective. In those cases, we want to restrict access and lock down users.
Nick Kebbell:
When we talk about human risk, around 90 percent of incidents are still related to people. What do you see most organizations misunderstanding about human risk in cybersecurity?
David DellaPelle:
It is not just about someone clicking a phishing email in isolation. Each message needs to be hyper-specific to the individual, based on what we are seeing in the wild.
Threat intelligence needs to reflect what is happening for that role and that company. When you start to see omni-channel AI-driven attacks, including conversational two-way red teaming, you get much better data.
What is exciting and concerning is that attacks are changing dramatically. AI has rapidly reshaped the landscape. Attackers are using new technologies, and defenders need to adopt a red team posture as well.
Nick Kebbell:
You recently released the 2025 Inside the Threat Intelligence Report. What prompted you to publish that research now?
David DellaPelle:
Only 12 percent of CISOs believe that security awareness training, as it exists today, is sufficient. We are seeing AI-personalized phishing drive three times more user interaction or failure than traditional templated phishing.
Roughly 30 percent of users who clicked on AI-personalized phishing went as far as entering their MFA, moving all the way down the kill chain. The world is getting much scarier, and the data felt both relevant and urgent to release.
Nick Kebbell:
When you talk about multi-channel attacks, what other social engineering routes are you seeing beyond email?
David DellaPelle:
It is not just email. We are seeing phishing via phone calls, including deepfakes of company leaders. We are also seeing omni-channel attacks through encrypted channels like Signal, WhatsApp, and Telegram.
Wherever users are and however they can be reached, attackers will try to break in that way.
Nick Kebbell:
If I were working in a large enterprise, would your platform assess my risk in real time and take action automatically?
David DellaPelle:
Yes. Instead of sending the same phishing email to everyone, like a generic Best Buy coupon, every user can receive a simulated attack specific to their role and company.
An accounts payable employee might receive a hyper-specific message that looks exactly like what a real attacker would send. We are racing attackers to build the best technology to identify and remediate risk.
Nick Kebbell:
Human interaction has always been the highest-risk factor. Do you see that changing?
David DellaPelle:
It is not coming down. The only way it changes is if non-human identities like AI agents start doing more work. But even then, you can socially engineer an AI agent just like a human.
Attackers will not break down the castle walls. They will go under, over, and around them.
Nick Kebbell:
How do careless behavior and manipulation break down in terms of risk?
David DellaPelle:
Authority-based attacks are far more powerful than reward-based ones. If something appears to come from a CEO or manager, it is much more effective.
Social engineering still dwarfs insider threat, but insider threat is particularly dangerous because once someone is malicious or complicit, the castle gates are open.
Only about five percent of users create the majority of risk.
Nick Kebbell:
You have spoken about the death of legacy security awareness training. When does the AI revolution truly take hold in this space?
David DellaPelle:
It is happening now. 2025 is the year security awareness training was declared broken. Anything standardized does not work anymore.
We pull in data points from across the stack, including anomalous activity and risky behavior. Once you have a full picture of user risk, you can remediate it. Only 12 percent of CISOs say their current solutions are effective.
Nick Kebbell:
Who is winning the war right now, attackers or defenders?
David DellaPelle:
Attackers have the advantage. They use open-source, non-guardrailed models. CISOs are restricted by regulations and HR constraints.
Attackers are cheap, fast, and unencumbered. CISOs need fundamentally different solutions.
Nick Kebbell:
Are enterprises still reacting rather than being proactive?
David DellaPelle:
Yes. Many organizations bring in solutions after an incident, which is often too late. CISOs need to think proactively.
Nick Kebbell:
Are budgets shifting in that direction?
David DellaPelle:
Some are, especially among innovators and visionaries, but it has not fully crossed the chasm yet.
Nick Kebbell:
You are about two and a half years in as a company. What lessons have mattered most?
David DellaPelle:
Building strong partnerships with CISOs. In our first year, I spoke with three to four hundred CISOs. Relationships matter, and insight from the market matters.
Our product roadmap has grown linearly. We have not had to pivot. We focused on quantifying user risk and reducing it automatically.
Nick Kebbell:
Looking three years ahead, what does the landscape look like?
David DellaPelle:
CISOs are starting to recognize the need for holistic user risk management, especially as non-human identities enter the workforce.
We believe Dune Security is leading this space for large enterprises. We have had strong traction and partnerships with companies like Culligan, OSF Healthcare, and Concentrics.
Nick Kebbell:
If people want to reach out or join the company, where should they go?
David DellaPelle:
We are based in New York City and hiring rapidly. The best way to reach us is through our job postings. We review every application and run a meritocratic hiring process.
Nick Kebbell:
David, thank you for sharing your journey. Wishing you continued success.
David DellaPelle:
Thanks so much, Nick. I appreciate it.
Key Takeaways
- User behavior is still responsible for the vast majority of breaches. David explains that roughly 90% of cybersecurity incidents originate from user behavior, making social engineering and insider threats the most persistent and unresolved problems in enterprise security.
- Legacy security awareness models deliver compliance, not risk reduction. Traditional programs rely on standardized testing and training that fail to hold high-risk users accountable, waste time for low-risk users, and often create friction between CISOs and the broader organization.
- AI has changed how social engineering works. Attackers now use AI to deliver hyper-specific attacks across email, phone calls, deepfakes, and encrypted messaging, increasing speed, realism, and success rates.
- Most enterprise risk is concentrated in a small subset of users. David notes that only about 5% of users account for the majority of risk, reinforcing the need for targeted remediation instead of blanket training and controls applied across the entire workforce.
- Effective defense requires measuring individual user risk. Rather than treating all employees the same, David describes how assigning each user a risk score based on behavior and role provides a far more accurate way to understand exposure and prioritize remediation.
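The takeaways above describe the idea of a per-user risk score (1 to 100, built from observed behavior and role) that drives remediation rather than blanket training. The following Python is an added illustration of that idea and is not Dune Security's model or code: the event names, signal weights, role multipliers, action thresholds and the sample observations are all constructed assumptions chosen only to show the mechanics. It scores each user, assigns a remediation tier (the top band gets an access restriction instead of more training, as the interview suggests), and reports how much of the total risk sits in the riskiest 5 percent of users.

```python
"""Illustrative per-user risk scoring (constructed example, not Dune Security's
model): aggregate behavioural signals and role into a 1-100 score, choose a
remediation per user, and measure how concentrated the risk is."""
from dataclasses import dataclass

# Weight per observed behaviour (constructed). Steps further down the kill
# chain weigh more; protective behaviour such as reporting a phish is negative.
SIGNAL_WEIGHTS = {
    "sim_phish_clicked": 10,
    "sim_phish_credentials_entered": 24,
    "sim_phish_mfa_entered": 36,
    "real_phish_reported": -10,
    "anomalous_login": 14,
    "policy_violation": 20,
}

# Role multiplier (constructed): roles that move money, hold admin privilege
# or are impersonated in authority-based attacks count for more.
ROLE_MULTIPLIER = {
    "accounts_payable": 1.5,
    "executive": 1.5,
    "it_admin": 1.5,
    "engineer": 1.0,
    "sales": 1.0,
}


@dataclass
class UserRisk:
    user: str
    role: str
    score: int
    action: str


def raw_score(events, role):
    """Weighted sum of observed events, scaled by how exposed the role is."""
    total = sum(SIGNAL_WEIGHTS.get(event, 0) for event in events)
    return total * ROLE_MULTIPLIER.get(role, 1.0)


def clamp_score(raw):
    """Map a raw score onto the 1-100 scale, where 100 is the riskiest user."""
    return max(1, min(100, round(raw)))


def remediation(score):
    """Constructed thresholds: the top band gets a control, not more training."""
    if score >= 80:
        return "restrict_access"
    if score >= 40:
        return "targeted_training"
    return "none"


def score_users(observations):
    """observations: {user: (role, [event, ...])} -> UserRisk list, riskiest first."""
    results = []
    for user, (role, events) in observations.items():
        score = clamp_score(raw_score(events, role))
        results.append(UserRisk(user, role, score, remediation(score)))
    return sorted(results, key=lambda r: r.score, reverse=True)


def risk_concentration(results, top_fraction=0.05):
    """Share of the summed score held by the top `top_fraction` of users."""
    k = max(1, round(len(results) * top_fraction))
    total = sum(r.score for r in results)
    return sum(r.score for r in results[:k]) / total if total else 0.0


# Constructed sample: 20 users, most with nothing observed against them.
SAMPLE_OBSERVATIONS = {
    "ap-01": ("accounts_payable", ["sim_phish_clicked",
                                   "sim_phish_credentials_entered",
                                   "sim_phish_mfa_entered"]),
    "ap-02": ("accounts_payable", ["sim_phish_clicked"]),
    "exec-01": ("executive", ["sim_phish_clicked", "anomalous_login"]),
    "it-01": ("it_admin", ["policy_violation", "anomalous_login"]),
    "eng-01": ("engineer", ["sim_phish_clicked"]),
    "eng-02": ("engineer", ["real_phish_reported"]),
}
SAMPLE_OBSERVATIONS.update({f"staff-{i:02d}": ("engineer", []) for i in range(14)})


def demo():
    """Score the constructed sample and return (ranked results, top-5% share)."""
    results = score_users(SAMPLE_OBSERVATIONS)
    return results, risk_concentration(results)


if __name__ == "__main__":
    ranked, share = demo()
    for r in ranked[:5]:
        print(f"{r.user:10} {r.role:17} score={r.score:3} action={r.action}")
    print(f"top 5% of users hold {share:.0%} of total risk")
```

In the sample, the accounts-payable user who went all the way to entering MFA in a simulation lands at 100 and is routed to an access restriction, the IT admin with a policy violation and an anomalous login gets targeted training, and the user who reported a phish floors at 1; a single user out of twenty holds well over a third of the summed score, which is the concentration effect the interview points at. The weights and thresholds are the part a real program would have to derive from its own data rather than copy from here.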