
OWASP 2025 Exposes the Gap Between Assigned Ownership and Real Accountability

  • Writer: Shola Hassan
  • Jan 14
  • 3 min read

Figure (executive boardroom illustration): The financial and operational impact of cyber incidents in 2025 is increasingly driven by governance failures rather than technical gaps.

In 2025, cyber incidents became less about novel exploits and more about systemic failure. Organizations with mature toolsets continued to suffer costly breaches, regulatory penalties, and prolonged outages. The emerging pattern is consistent: responsibility is assigned, but accountability is fragmented.


Security programs frequently assign responsibility to teams—IAM, AppSec, SOC, Vendor Management—yet outcomes suggest that authority, evidence, and enforcement mechanisms are fragmented. The OWASP Top 10:2025 illustrates this shift. The most consequential risks are no longer rooted in isolated coding defects; they stem from structural weaknesses in governance and oversight.


The Cost of Breach Failure in 2025

The most expensive cyber incidents of the year were driven by:

  • Weak or fragmented access governance

  • Inadequate detection, escalation, and response discipline

  • Third-party dependencies without enforceable security obligations

  • Informal exception handling lacking documentation and review


These drivers align with broader industry findings that highlight persistent unsafe behavior, ineffective compliance execution, and the absence of structured accountability mechanisms.¹²³⁴



Top Public Breach-Related Costs Disclosed in 2025 and Their OWASP/GRC Mapping

Figure (summary graphic): Publicly disclosed regulatory penalties and breach-related costs reported in 2025, based on enforcement actions and company statements.

Why This Table Matters

None of these outcomes were attributed to the absence of security tools. They were driven by unclear ownership models, weak detection accountability, undocumented exceptions, and insufficient contractual control over third parties.


Why Security Programs Continue to Fail

Figure (visual comparison of assigned ownership versus enforceable accountability): Assigning responsibility without authority, evidence, and enforcement leaves organizations exposed despite mature tooling.

The persistence of these risks is not due to ignorance or lack of funding. It stems from structural weaknesses:

  • Policies exist but are not enforced.

  • Training is provided but not measured.

  • Ownership is assigned but not empowered.

  • Exceptions are granted but not recorded.


As Posey and Shoss observed, employees break cybersecurity rules not because they lack values, but because governance frameworks fail to align security requirements with real operational constraints.


What Should Have Been Done Differently

Access Control (A01)

  • Formalize entitlement ownership at the business-system level.

  • Enforce quarterly role attestations for high-risk access.

  • Treat access exceptions as board-visible risk decisions.


Logging & Alerting (A09)

  • Define detection SLAs as executive KPIs.

  • Require evidence packs: alert coverage, incident simulation results, and escalation timelines.

  • Align SOC metrics with enterprise risk tolerance.


Supply Chain (A03)

  • Embed security obligations into contracts.

  • Tier vendors by criticality with enforceable audit rights.

  • Maintain dependency inventories for critical systems.


Exceptional Conditions (A10)

  • Mandate fail-safe behaviors in system design.

  • Incorporate exception handling into business continuity testing.

  • Require documented recovery governance for all Tier-1 platforms.

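The A01 and A10 recommendations above (formal entitlement ownership, exceptions treated as recorded risk decisions, fail-safe behaviour when a control itself fails) can be shown in code. The following is an added example written for this page; it is not code from the original post or from OWASP, and every name in it (`authorize`, `authorize_fail_open`, `ExceptionRegister`, the sample principals and the "payroll-db" resource) is an assumption made for illustration. It contrasts an authorization check that fails open when the entitlement service errors with one that fails closed and only admits deviations that are written down with an approver and an expiry.

```python
"""Fail-closed authorization with a recorded exception register.

Added example for the A01/A10 points above; not from the original post or OWASP.
All names and sample data here are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass(frozen=True)
class AccessException:
    principal: str
    resource: str
    approver: str
    justification: str
    expires_at: datetime


@dataclass
class ExceptionRegister:
    """Every granted deviation is written down with an owner and an expiry,
    so it can be reviewed later instead of surviving as tribal knowledge."""
    entries: list = field(default_factory=list)

    def grant(self, principal: str, resource: str, approver: str,
              justification: str, ttl: timedelta, now: datetime) -> AccessException:
        if not justification.strip():
            raise ValueError("an exception needs a written justification")
        entry = AccessException(principal, resource, approver, justification, now + ttl)
        self.entries.append(entry)
        return entry

    def active(self, principal: str, resource: str, now: datetime) -> Optional[AccessException]:
        for e in self.entries:
            if e.principal == principal and e.resource == resource and now < e.expires_at:
                return e
        return None


Entitlements = set            # set of (action, resource) pairs
Lookup = Callable[[str], set]


def authorize_fail_open(principal: str, action: str, resource: str, lookup: Lookup) -> Decision:
    """The pattern A10 warns about: an error in the check quietly becomes 'allow'."""
    try:
        entitlements = lookup(principal)
    except Exception:
        return Decision(True, "entitlement service unavailable; allowing to avoid an outage")
    return Decision((action, resource) in entitlements, "entitlement check")


def authorize(principal: str, action: str, resource: str, lookup: Lookup,
              register: ExceptionRegister, now: datetime) -> Decision:
    """Fail-closed: a failed lookup denies, and the only way past a missing
    entitlement is a documented, unexpired exception in the register."""
    try:
        entitlements = lookup(principal)
    except Exception as err:
        return Decision(False, f"entitlement lookup failed ({type(err).__name__}); denied")
    if (action, resource) in entitlements:
        return Decision(True, "entitlement")
    entry = register.active(principal, resource, now)
    if entry is not None:
        return Decision(True, f"documented exception approved by {entry.approver}")
    return Decision(False, "no entitlement and no active exception")


# Constructed sample data for a stand-alone run (hypothetical principals/resources).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=8)          # after the sample exception has expired
EXCEPTION_TTL = timedelta(days=7)
SAMPLE_ENTITLEMENTS = {"alice": {("read", "payroll-db")}, "bob": set()}


def healthy_lookup(principal: str) -> set:
    return SAMPLE_ENTITLEMENTS.get(principal, set())


def broken_lookup(principal: str) -> set:
    # Simulates the entitlement service timing out.
    raise TimeoutError("entitlement service timed out")


if __name__ == "__main__":
    reg = ExceptionRegister()
    reg.grant("bob", "payroll-db", "cfo@example.test", "quarter-end close", EXCEPTION_TTL, NOW)
    print(authorize("alice", "read", "payroll-db", healthy_lookup, reg, NOW))
    print(authorize("bob", "read", "payroll-db", healthy_lookup, reg, NOW))
    print(authorize("bob", "read", "payroll-db", healthy_lookup, reg, LATER))
    print(authorize("bob", "read", "payroll-db", broken_lookup, reg, NOW))
    print(authorize_fail_open("bob", "read", "payroll-db", broken_lookup))
```

The register is the part that maps to "exceptions are granted but not recorded": a deviation without an approver, a justification and an expiry cannot be created at all, and an expired one stops working on its own rather than waiting for someone to remember it. The `Decision.reason` string is what an evidence pack for A09 would carry, since it states which path admitted or denied each request.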

Figure (timeline of minor control gaps escalating into major incidents): Repeated breach patterns show how unresolved access, detection, and exception-handling issues compound over time.

Conclusion

OWASP Top 10:2025 does not demonstrate that attackers have become materially more sophisticated. It demonstrates that many organizations continue to govern cyber risk by assigning responsibility without establishing accountability.

Tools may reduce exposure, but only governance prevents repetition.


Sources & Further Reading

Regulatory fines & breach impact (2025)

¹ Fortinet. Security Awareness and Training Report (2024).

² Hornetsecurity. Security Awareness Survey: 1 in 4 Organizations Do Not Provide IT Security Awareness Training (2024).

³ Gartner. Gartner Survey Shows a Strong Ethical Culture Isn't Enough to Stop Noncompliance (2024).

⁴ Posey, C., & Shoss, M. Understanding the "Dark Side" of Information Technology Use: Why Employees Violate Cybersecurity Policies (2018).

⁵ Irish Data Protection Commission (DPC). Enforcement actions and decisions relating to TikTok Technology Limited under the GDPR (2025).

⁶ UK Information Commissioner's Office (ICO). Enforcement notice and monetary penalty issued to Capita plc following a cybersecurity incident (2025).

⁷ UK retail sector disclosures. Public statements and market disclosures by Marks & Spencer Group plc and Co-operative Group Limited regarding cyber incidents and operational impact (2025).

⁸ Office of the New York State Attorney General. Multi-insurer cybersecurity enforcement action relating to data protection and security control failures (2025).

⁹ U.S. Federal Trade Commission (FTC). COPPA enforcement action and settlement involving The Walt Disney Company (2025).

¹⁰ Dutch Data Protection Authority (Autoriteit Persoonsgegevens). GDPR administrative fine imposed on Experian Nederland B.V. (2025).

¹¹ UK Information Commissioner's Office (ICO). Enforcement action relating to LastPass and data security governance deficiencies (2025).

¹² U.S. Federal Trade Commission and State Attorneys General. Enforcement action and settlement relating to Cognosphere (Genshin Impact) concerning data protection and access control deficiencies (2025).

¹³ Irish Data Protection Commission (DPC). GDPR enforcement action relating to Luka Inc. (Replika) concerning unlawful processing and monitoring controls (2025).


Security and risk frameworks

  • OWASP Foundation. OWASP Top 10:2025 – Application Security Risks.

Financial impacts cited are based on publicly disclosed regulatory penalties, enforcement actions, and company statements, and may not represent total incident cost.
