Elevating Human Attack Surface Management
Partner: Elevate
Human risk factors are pervasive, yet the “insider threat” archetype often overlooks the humdrum daily decisions that actually drive the majority of data breaches. By analyzing 4.5 million unique actions from 114,000 users, this report establishes that human risk played a role in 88% of the total losses from the largest cyber incidents of the last five years. It’s time to move past general awareness toward a rigorous management of the human attack surface.
The data reveals a sobering reality of organizational inevitability. While only 6% of individual phishing simulations result in a click, the statistical certainty that *someone* in the organization will take the bait is 100%. The report also looks beyond the click to expose the “Diminishing Returns” trap of training: users with three rounds of training show the lowest click rates, but those with five or more are actually *more* likely to click than the untrained.
Effective human risk management requires moving from “one-size-fits-all” training to adaptive security controls. Demographics and role significantly impact risk—malware infections are 10 times more likely at the bottom of the org chart than in the C-Suite. This study provides a blueprint for benchmarking human risk relative to peers and using tools like password managers, which alone can reduce malware likelihood by a factor of 19.
Key Findings
- The Billion-Dollar Human Element: Human risk factors contributed to 88% of total financial losses in extreme incidents, totaling $15 billion over five years.
- The 100% Certainty: Phishing simulations show that while individual click rates are low (6.1%), the probability of at least one organizational compromise is 100%.
- Diminishing Returns of Training: Users who completed 5+ training sessions actually had higher click rates (14.2%) than those with only one session (11.2%).
- Password Manager ROI: Active use of a password manager correlates with a 19x reduction in the likelihood of downloading or executing malware (0.4% vs 7.4%).
- Hierarchy of Risk: Malware events are 10.6% likely for employees at the bottom of the org chart, compared to nearly 0% for the top 10% (C-Suite).
- Role-Based Behavior: Managers have the highest adoption of password managers (29.9%) but are also the most likely to have overdue training (14.19 days).
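To make the “100% certainty” arithmetic from the summary and the Key Findings concrete, here is an added example (not code from the Elevate report) that turns a per-user click rate into the probability that at least one user in an organization clicks. It assumes each user clicks independently at the reported rate; the organization sizes used are constructed.

```python
"""Added example: why a 6.1% per-user click rate is a near-certain
organisational compromise.

Assumption: each simulated user clicks independently with probability p.
Correlated behaviour (shared teams, shared lures) changes the exact
numbers but not the shape of the curve.
"""
import math


def prob_at_least_one_click(click_rate: float, users: int) -> float:
    """P(at least one of `users` clicks) = 1 - (1 - p)^n.

    Computed through log1p/expm1 so it stays accurate for tiny rates."""
    if not 0.0 <= click_rate <= 1.0 or users < 0:
        raise ValueError("click_rate must be in [0, 1] and users >= 0")
    if click_rate == 1.0:
        return 1.0 if users > 0 else 0.0
    return -math.expm1(users * math.log1p(-click_rate))


def users_for_confidence(click_rate: float, target: float) -> int:
    """Smallest organization size n at which P(at least one click) >= target."""
    if not 0.0 < click_rate < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("click_rate and target must be strictly in (0, 1)")
    # 1 - (1-p)^n >= target  <=>  n >= log(1 - target) / log(1 - p)
    return math.ceil(math.log1p(-target) / math.log1p(-click_rate))


def expected_clicks(click_rate: float, users: int) -> float:
    """Expected number of clickers per simulation, i.e. what the SOC triages."""
    return click_rate * users


if __name__ == "__main__":
    # Click rates are the report's figures; organization sizes are constructed.
    overall, one_session, five_plus = 0.061, 0.112, 0.142
    for n in (10, 50, 200, 1000):
        p = prob_at_least_one_click(overall, n)
        print(f"{n:5d} users: P(at least one click) = {p:.4%}")
    print("users needed for 99.9% certainty:", users_for_confidence(overall, 0.999))
    for label, rate in (("1 session", one_session), ("5+ sessions", five_plus)):
        print(f"{label}: expected clicks in a 100-user department = "
              f"{expected_clicks(rate, 100):.1f}")
```

At the report's 6.1% rate, about 110 users are enough for a 99.9% chance that someone clicks, which is why the finding is framed as an organizational certainty rather than an individual failure.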

Analysis of 4.5 million unique user actions from 114,000 users across 2,000 departments in the Elevate Security platform.
