David DellaPelle: Hey, welcome everyone to the third Dune Security webinar. This one is titled Inside the Human Layer, where we are analyzing recent cyber attacks. I am joined here by Jeremy Livingston, who is the CISO of Stevens Institute of Technology, and Rajesh David, who is with Molex as the CISO. Do you guys want to jump in and give a quick introduction?
Rajesh David: Sure. I am really glad to be here. I have been with Molex for about a couple of years, and I am really excited to be partnering with this team and with David. I have gotten to know him over the past year, and the thought leadership he brings has been fascinating to see. He has been proactively sharing insights from the field, From The Trenches, that align with what I have been envisioning as a practicing CISO. It has been a great partnership. Thank you, David, for having me.
Jeremy Livingston: Thanks for having me. I am Jeremy Livingston. I have been a CISO for about a dozen years. I got my start in the federal government many years ago and have been focused mostly on higher education for the last six or so years. I think this is going to be really topical and I am looking forward to the discussion.
David DellaPelle: Fantastic. Let us jump right into it. We will keep this to about 30 minutes. The first topic I wanted to talk about is the rise in cybersecurity attacks that are focusing on human vulnerabilities. This is something we at Dune Security have talked about for a couple of years now, and the industry has been focused on it for well over 20 years. How have things changed in terms of human error contributing to security breaches — or more importantly, attackers deliberately targeting human vulnerabilities? I will pass it to Rajesh to start.
Rajesh David: This is my fifth time being a CISO, so I feel I have really seen our field evolve rapidly — more than any other field I have ever been part of. The one thing that has remained constant is this human vulnerability. But even with that said, with so much media and news coverage around cyberattacks and all the different ways attackers are coming at organizations, I am seeing immense fatigue among people. The human sentiment has shifted toward: I do not care about this anymore unless you make it meaningful to me, unless you tell me what is in it for me from my day-to-day operations. Traditional methods are no longer capturing attention.
I think this vulnerability in the human mind is being taken advantage of by attackers who are getting increasingly sophisticated because they have access to the same set of tools that CISOs have. They are finding ways to get into day-to-day operations, from a simple click on a phishing link to more sophisticated spoofing attacks.
On a macro level, organizations are also, through different economic cycles, shifting how much money they want to put into something they may view as inevitable. And that creates what I have read about as "big game hunting" — where, as a CISO, I have always believed you have to make attacks asynchronous in difficulty. The harder you make it for an attacker to get in or cause harm, the more they will move on and target someone else. That is a big distinction between IT and OT. Attackers have been focusing more on OT in the past couple of years because 90 percent of security budgets go toward IT. We have gotten really good at protecting IT assets but not so much OT. The shift I am seeing is that it is less about mundane phishing emails and awareness campaigns and more about managing human emotions and culture.
Jeremy Livingston: There is definitely a focus on the human element in these attacks. Almost every attack I have seen in the last few years has some human element to it. We are doing single sign-on, MFA, and we have great technical protections in place — but to get around those, attackers need to break the human element. They need someone to bypass the control or accept an MFA push, and then they are in. We are just going to keep seeing more attacks focused on exploiting the human element to get past technical controls.
David DellaPelle: Let us talk about generative AI. Obviously you have both met with countless CISOs in different forums and with your own leadership. Generative AI increases efficiency and effectiveness for business processes, but it does the same for attackers. Any thoughts on how it has changed this landscape?
Rajesh David: Generative AI is here to stay. There was a little skepticism early on about the timing, just like when cloud was first introduced or when quantum computing was first discussed. It has evolved faster than any other technology I have seen in my professional lifetime. A big part of that success goes to ChatGPT — the way OpenAI commercialized it and made it accessible to everyone. People do not say "let me Google that" anymore; they say "let me ChatGPT that." It has become synonymous with how people run their daily lives.
With that said, talking to other CISOs, the majority of us are playing a "wait and see" game. We do not want to say no to the business, because they are going to do what they want to do anyway. We have to figure out ways of partnering with them, treating this as an opportunity in disguise: understand what they are trying to do and then figure out how to enable it securely while we wait for the security market to react and truly use AI to our defensive benefit. I have not yet seen a mainstream generative AI security use case that truly counters the threats being used against us. Most of the enterprise use of AI is focused on business productivity.
Jeremy Livingston: I am using it personally as a productivity tool, and I am sure the attackers are doing the same. They are crafting better-looking emails, more convincing content. We are going to lose some of those traditional detection signals — like telling people to look for misspellings. We are going to see smarter emails from attackers going forward.
I did see an article just last week about AI-generated malware being spotted in the wild, so we may start seeing more of that. Humans could already do all of these things, but AI makes attackers more productive and more prolific.
I want to add one more thing on AI risk: I want to make sure our users are not putting sensitive research or confidential information into these tools and losing control of it. We are looking at this from a research security perspective as well — are confidential or classified materials being fed into AI tools, and do we need to set restrictions?
David DellaPelle: Enterprise accounts have become almost necessary for any generative AI usage. One of the smartest moves these AI companies have made is mandating enterprise licenses if you do not want your data trained on for the next model.
Let us dive into a specific breach. We mentioned the big game hunting strategy — focusing on high-value targets for large payouts. Social engineering is typically the initial point of entry for the attacker, who then moves laterally once they gain administrative access. The Dark Angels ransomware group did this recently in what I believe was the largest known ransomware payout: $75 million. Jeremy, what proactive measures can organizations implement to protect against these types of attacks?
Jeremy Livingston: This attack is unprecedented in the dollar amount paid. These groups are very sophisticated, doing deep research — it is not spray and pray, it is very targeted and very focused. I see the same thing in my organization. They are targeting specific executives with public profiles and sending highly relevant emails related to research we are working on. We are moving more and more into a world where attacks are going to get increasingly sophisticated and increasingly targeted at those high-value individuals.
Rajesh David: I want to add that sometimes it sounds like a catch-all phrase to say breaches are inevitable and cannot be stopped — but that does not mean CISOs should raise a white flag. What I have seen over 20 years is a seismic shift in budget allocation, with less going toward prevention and more going toward detection and response, because that is what differentiates organizations — what we now call a resiliency program. Cybersecurity has become synonymous with the question: once an incident happens, how do you minimize the impact?
That brings me to minimizing blast radius. Zero trust has been around for a while and it is a journey, a never-ending one. But specifically, organizations are getting more serious about what an attacker can actually do once inside the network — particularly around privilege escalation. Even if they do manage to escalate privileges, how much damage can they really cause? That is only possible by segmenting your network and knowing clearly what your crown jewels are, what your high-impact assets are, and securing them with everything you have. Working for Molex as a global manufacturing company, I have a clear sense of what my high-value assets are and where I need to invest.
David DellaPelle: Not every employee can be treated the same because they each have a different blast radius. Two other recent breaches worth discussing are the Proofpoint email breach and the Walt Disney breach. In both cases, hackers were able to gain access to communications channels — whether email or Slack. In the Disney case, a hacker group called NullBulge accessed Disney's internal Slack platform, which led to over a terabyte of data being leaked. How do you deal with that? How do you educate employees that what they are seeing on a secure communications channel might not actually be secure?
Rajesh David: Those are the worst kinds of breaches because you have essentially given away the keys to the kingdom. In this hyperconnected world, you cannot live without commodity tools like secure email or up-to-date endpoint protection. And when the vendors you trust are compromised, it puts enormous pressure across the chain — from your CFO questioning your investments to yourself questioning your trust in partners.
We saw this with SolarWinds, with Proofpoint, and with CrowdStrike. Many people did not realize how much of the world CrowdStrike had access to or how easily they could affect global operations. And the CrowdStrike incident caused confusion because many people initially thought it was a security breach when it was actually an outage caused by a security vendor — which itself is a lesson.
It is a wake-up call to our community. Tried and tested, simple methods are no longer working. It is almost time to pair the human element with some kind of AI model that works in tandem — allowing CISOs to take the collective signals from what the AI model is detecting and what the human element is reporting and create mechanisms to stop these threats.
I have seen cases where someone realized they received a help desk email at an unusual hour, at a time that person does not normally work, and that contextual awareness prompted them to flag it. It is simple things like that: what is the baseline behavior? How does an employee normally act? How much information is normally being generated? Having those baselines is the foundation.
Jeremy Livingston: Third-party risk is one of the big ones for me. We use third-party services for everything — HCM, finance, travel — and we put a lot of data into those third-party systems. We control the accounts to log in, but there are backend risks I may not be aware of.
An attack I recently observed was particularly interesting: an account was compromised, and then attackers used a survey tool integrated with that account to launch further phishing emails. Because the emails were coming from a legitimate survey tool we were integrated with, they looked completely legitimate — but had malicious content in them. The compromise of trusted third-party tools is just another vector attackers are using to come at organizations from unexpected directions. Training users to always be mindful — not fearful, but skeptical — even when something appears to come from a trusted source is critical. And you have to do that without slowing down the business.
David DellaPelle: Something that connects a lot of these breaches is data leakage. User data gets leaked and hackers then use that open-source data to specifically target individuals within companies. How do you monitor for that type of data leakage?
Jeremy Livingston: There are third-party tools and services we use to monitor the dark web for data leakage. What I see a lot in higher education is that we have a large student population, and students often reuse the same credentials — the same email address and password — across multiple services. When there is a breach at another organization, we suddenly start seeing attacks on student accounts at our organization using those same credentials. You have technical controls like MFA trying to prevent it, but all it takes is for a user to get tired of MFA push notifications and just hit accept. Monitoring for that kind of data breach and being proactive — notifying users, running awareness campaigns, keeping them on their toes — is essential.
Rajesh David: The hard truth of this cybersecurity function is that unless data is exfiltrated from your organization, it is not really a successful breach. There is a lot of effort that goes into — whether you are a public or private company — containing the incident, figuring out what was accessed, and critically, what was exfiltrated. Having technology that can give you confidence in whether exfiltration actually occurred, versus just access, is important.
Sitting in Europe right now, I am also seeing significant variation across countries in what you are required to report and for what kinds of data. But it all comes down to understanding what normal usage and normal traffic look like, knowing who the heavy users of certain parts of your network or applications are, and setting thresholds and baselines that will alert you to anomalies. Whether it is an insider threat case where an employee is copying files before leaving for another company, or a genuine third-party intrusion — those signals matter. The 2024 Verizon Data Breach Investigations Report shows that the majority of breaches are still system intrusions, closely followed by social engineering. People will get in. How you segment your enterprise network to minimize the impact is where the focus needs to be.
David DellaPelle: Managing the human layer and social engineering can feel complicated given the potential for sprawl in the security stack. Whether you look to an all-in-one integrated solution like Zscaler or Palo Alto, or take a best-of-breed approach — how do you manage that sprawl when it comes to managing employee risk and actually reducing it to prevent social engineering?
Rajesh David: It is a question I think about a lot. Do you go with best of breed and end up with a lot of eggs in your basket, or do you go with platformization — one big company that says trust us, it will be a one-stop shop, but you will pay handsomely for it? There is a balance to be found. It depends on what makes sense for your industry.
I have a heavy OT presence at Molex and there are only a handful of companies that really make their mark in that space, so my choices are more constrained. For the broader population, there are 35,000 vendors in the cybersecurity space right now. It becomes extremely difficult to know who to go with.
The way I think about it is: think globally — we are all connected globally — but act locally. What makes sense for that particular site, that particular employee base? Whether they are shop floor workers or executives, arm them with targeted training that is meaningful to them, not one-size-fits-all. Deliver it more often. Make it intuitive and relevant to their role. That is how the human element and technology go hand in hand.
David DellaPelle: Let us talk about specific training. Rajesh, how should training be administered? When you think about specificity of training for users in your company, what are the dimensions you consider — functional-based training, risk-based training, role-based training, levels within the company, or maybe access and permissions?
Rajesh David: In a perfect world, there needs to be a training matrix that combines all of those dimensions: the role the person is assigned to, the function they support — whether Finance, HR, or IT admin — and the level of access they have, since some roles are inherently higher risk. But before you decide what access someone gets or what training they receive, you need to understand what is meaningful to them and what their baseline looks like.
Take me as a CISO — I have inch-deep, mile-wide knowledge across many different systems. Personalizing training to me means: as I travel and speak to executives about everything from mergers and acquisitions to firewall rule sets, what are the specific things I should and should not be doing? Even at the CISO level there is no shame in acknowledging that we are all prone to errors.
Trim it down to someone in Human Resources: they have access to payroll data, personal information for new hires, all of it. I would want that person trained on specific, practical things — like when you are sending a new employee their welcome email, do not send it to their personal email address just because that is the address you have been corresponding with throughout the hiring process. How do you remove that personal email address from your Outlook so it does not auto-populate? Simple things that people do not think through.
That is what I mean by targeted training: meaningful, based on what can go wrong if they do not pay attention, and adaptive when they do make mistakes. The old 30-minute module where you watch it and that is that — it does not work. It has to be interesting, meaningful, and delivered in short bursts that keep attention. That is the way to do it.
David DellaPelle: You are touching on accountability as well. You need to understand someone's risk profile and then communicate it to them. Something we have seen at Dune Security is that it is not always ignorance about threats and social engineering — sometimes it is simply carelessness. Jeremy, what do you think are the best strategies for communicating risk profiles to individual employees and holding them accountable?
Jeremy Livingston: Rajesh laid out the framework well — establishing a baseline for everyone based on their position. The next piece is what you do based on actual behavior. If someone continually clicks phishing links and falls for every test, that person is a much higher risk than someone who never falls for it. You have to have some kind of behavior-based response.
Personally, I do not even have local admin on my own computer. I do that intentionally so I can tell people: look, I do not need it and neither do you, and we will all be safer for it. We try to trim down over-access wherever possible, limiting what users can access to reduce the blast radius. I almost assume that at any given point any individual account could be compromised, so limit what each person has access to — and then based on behavior, limit it further or introduce some kind of carrot and stick approach.
In practice, if a user correctly identifies and reports a phishing simulation to the InfoSec team, they might get a pass on completing training that cycle. If they fall for it, they get automatically assigned to training. That is a basic approach and I would love to see more nuanced options beyond it. Our information security policy does reference that violations could lead up to termination, but you want to correct behavior long before it ever reaches that point.
Rajesh David: Microsoft has taken this to a whole different level. They have made security a core responsibility of every member of the organization — not just the CISO and the InfoSec team. It is literally part of every employee's responsibilities, and there are real incentives attached to it for executives, including the possibility of losing bonuses or their position if their department consistently cuts security corners and causes incidents. The CISO is not the only one accountable.
It is a big culture shift, and it is easier for a tech company like Microsoft to do it. It is not something most organizations can adopt overnight. But it is a great model to aspire to. I am trying.
David DellaPelle: Microsoft sneezes and the world catches a cold. We are almost at time. Wrapping up — there are so many CISOs building out security awareness functions, and I think the industry has somewhat missed the point. Security awareness in isolation is not enough. What is needed is user adaptive risk management, which is what Dune Security is pioneering. We are ingesting unlimited input data about employee risk, using internal AI models to standardize and quantify that risk, reducing risk through hyper-targeted training, and actually adapting security controls around that risk — restricting permissions, turning up email filters, and so on. Jeremy, what have you seen that just does not work in traditional security awareness programs as organizations try to reduce employee risk and the risk of social engineering?
Jeremy Livingston: One of the things that kills us most is training that does not pertain to the individual. People do not find value in it. If they are going through repetitive training that is not tailored to their role or their organization — in higher education, for example, we have specific compliance requirements and ways of doing things — when you give us a flat, generic corporate training, people email me immediately saying it was a waste of their time. We take steps backward when that happens. Training has to be on point, targeted, and interesting or engaging in some way. We cannot just have boring training.
David DellaPelle: You are bringing up a super important point about messaging getting diluted. The CISO is sometimes at odds with other functional leaders — a Chief Revenue Officer who wants the email filter turned down so salespeople receive everything, or a COO trying to increase speed where security controls might slow things down. That natural tension between the CISO and other functional heads within large companies can get exacerbated when the training being sent out is not relevant, which further erodes goodwill. What we try to do at Dune is train people only on what they are actually bad at — hyper-specific to their function, role, and company — and reduce that inefficiency as a result.
Awesome. I was joined here by Rajesh David at Molex, who had to step away for a board meeting, and Jeremy Livingston at Stevens Institute of Technology — both highly reputable CISOs. Thank you so much for joining us today.
Jeremy Livingston: Thanks for having me.
Almost every modern breach has a human element, and SSO, MFA, and a strong technical stack still get bypassed when an attacker convinces the right person to accept a push or hand over a session. Generative AI has accelerated the problem: more convincing emails at higher volume, AI-generated malware, and Big Game Hunting ransomware groups targeting the organizations with the most to lose.
Rajesh David (CISO, Molex) and Jeremy Livingston (CISO, Stevens Institute of Technology) walk through the rise of AI-powered phishing and AI-generated malware, the mechanics of Big Game Hunting, real-world case studies including the Dark Angels attack and the Disney internal breach, and why real-time, user-specific defense is replacing the annual training programs.
Key Takeaways
- Generative AI has made every attacker more capable overnight. Volume is up, quality is up, and the misspellings and awkward grammar defenders used to teach employees to look for are gone. AI-generated phishing, AI-generated malware, and deepfake social engineering mean the signals your team learned to spot are no longer reliable.
- Big Game Hunting has changed the ransomware calculus. Groups like Dark Angels are not casting wide nets; they are selecting targets with the most to lose, doing the intelligence work to understand organizational structure, and using that knowledge to maximize extortion leverage. If your organization holds sensitive data or critical operations, you are a target.
- Minimize buisness impact and segment the crown jewels. Assume any account could be compromised. Reduce over-access, segment networks, and know what your high-impact assets are. Privilege escalation should not equal catastrophic loss.
- Third-party and integrated tools are a growing vector. Compromise of trusted third-party services (like survey tools, HCM, finance) lets attackers send legitimate-looking emails through trusted channels. Train users to stay skeptical even of trusted sources without slowing the business.
- Real-time, user-specific defense is replacing the annual training model. The Disney Slack breach and the Dark Angels attack both had human elements that better-timed, better-targeted awareness and dynamic access controls could have disrupted. Waiting until next year's training cycle to address the behaviors that create exposure is no longer an acceptable risk posture.
Stay Updated
Get the latest threat intelligence, research, and product updates from Dune Security.
Photo Gallery
Step into the atmosphere of our past event — watch the recap and relive the moments where cybersecurity, innovation, and community came together.
Our Latest Insights


Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security
Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security




Hitachi Digital future-proofs security training for a global workforce with Dune Security
Hitachi Digital future-proofs security training for a global workforce with Dune Security




Phishing Didn't Leave the Inbox. It Expanded Around It.
Mobile-centric phishing carries a 40% higher success rate than email. Vishing is up 442%. Deepfake fraud is projected to hit $40 billion by 2027. The attack surface didn't shift, it expanded. Here's what that means for enterprise defense.


Social Engineering Is About to Be the Only Game in Town
AI is finding and patching zero‑days at machine speed. The traditional attack surface is collapsing. The only place attackers can still win consistently is the user. Learn what that means for CISOs trying to defend the enterprise, and why the operating model that worked for networks, endpoints, and identity has to come to the User Layer next.




The Top User-Driven Cyber Threats Targeting Law Firms
Law firms sit on some of the most sensitive and valuable data in the enterprise, and attackers have built an entire playbook around exploiting the users who handle it. Learn how four dominant threat vectors are targeting legal sector workflows in 2026 and what it takes to stop attacks at the User Layer.




Inside the Human Layer
Dune Security CTO Michael Waite joins the Cyber Security Matters podcast to discuss how AI-driven social engineering is evolving, why legacy security awareness training no longer works, and how behavior-based risk quantification can better protect users from emerging threats.




Inside the Human Layer
Dune Security CEO David DellaPelle joins Secure Insights to break down why user risk drives breaches, how AI is accelerating social engineering, and why legacy awareness models are no longer effective.




Inside the Human Layer
Dune Security CEO David DellaPelle joins the Cyber Security America podcast to explain how AI-driven social engineering is outpacing traditional security awareness training and why organizations need a behavior-driven approach to identifying and reducing user risk.




Philadelphia Area Cyber Technology Showcase & Golf Outing
Dune Security sponsored GuidePoint Security's Philadelphia Area Cyber Technology Showcase and Golf Outing, a regional gathering of cybersecurity professionals and technology partners.
.avif)
.avif)


Controlled Chaos: Enabling Innovation While Ensuring Safety & Security
GRC and security leaders from UiPath, Yugabyte, and CXD Consulting on enabling rapid innovation without losing the controls that keep the business standing.




.avif)