Any reference to support the claim?
Not sure I can agree with “almost all the serious and successful attacks are based on this layer” without documented evidence.
It's very obvious; there is no need for documents to justify it.
It is pivotal to recognize that software is only as secure as the weakest link, whatever the sophistication and technology.
It is also important to recognize that any protection that technical safeguards provide can be rendered futile if people fall prey to social engineering attacks or are not aware of how to use the software. The catch-22 is that the people who are the first line of defense in software security can also become the weakest link if they are not made aware, trained, and educated in software security.
Just take the example of watering hole attacks, clickjacking attacks, drive-by download attacks, phishing attacks, or any kind of social engineering.
A report says:
90% of cyberattacks traced back to human error
While many organizations continue to focus on the technology aspect of cyber defense, which is crucial, they often do so at the expense of people risks, which represent the largest source of data breach claims.
Employees', users' or customers' negligence or malicious acts account for two-thirds (66 percent) of cyber breaches, whereas by contrast only 18 percent are directly driven by an external threat, and cyber extortion accounted for just 2 percent.
A report by Vormetric found that 59% of respondents agree that most information technology security threats that directly result from insiders are the result of honest and simple mistakes, rather than the abuse of privileges.
All humans make mistakes. One of the most intriguing findings from IBM’s “2014 Cyber Security Intelligence Index” is that 95 percent of all security incidents involve human error.
Many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.
I had to google OSI model 8th layer because I was scratching my head thinking "WTF is he saying? There are only 7 layers." Sure enough, someone has tried to expand it to 10 with human (8), organisation (9), and government rounding out 10. I was always of the opinion that the OSI model is clear about communications up and down the stack. 8 to 10 clearly do not communicate in the same sense at all. Hence my extreme bias as to not accept them.
Yes, watering hole hacks could be the recent focus as the bad guys want to keep shifting their attacks to try to gain ground and keep the focus off of them, just as in a chess game. Stay tuned for next month's hack of the month ...
Just an analogy for the users, there is no 8th layer as such.
With all due respect, a watering hole attack and human error are two different things.
When I develop any reports, documents, and course materials, I cannot just say "it is obvious ..."