Exposing Human Risk
Partner: Mimecast
In our current cybersecurity environment, where threat actors carry snazzy monikers like ‘Volt Typhoon’ and ‘Dark Scorpius’, it’s unfortunate that everyday users often get overlooked or underestimated in cyber risk assessments. But ask security leaders about what keeps them up at night—where they feel the most exposed—and it’s likely they’ll mention threats lurking inside their own organizations. This report flips the script on human risk—exposing it in order to reduce our exposure to it.
Using Mimecast’s expansive telemetry to examine what risky behavior looks like, how often it occurs, and who engages in it, we find that nearly half (48%) of all employees engaged in at least one behavior that exposed their organization to cyber risk last year. The distribution of human risk is extremely “lopsided,” confirming that a small group of users accounts for the vast majority of danger. In the case of malware, just 1% of users are behind 92% of all execution events, and 5% of users are responsible for 75% of all identified risky interactions.
This report identifies these high-risk profiles, showing that executives, sales teams, and members of the board are targeted with phishing far more often than their peers. Training efficacy varies with a user’s starting propensity for risk: low-risk users show little change, while high-risk “clickers” see a 25% reduction in their click rates following targeted intervention. The data supports a transition to a data-driven, human-centric management framework that focuses on behavioral change rather than generic awareness.
Key Findings
- The 5/75 Rule: A small minority of users—just 5%—are responsible for 75% of all detected risky events across phishing, malware, and browsing categories.
- 48% Workforce Exposure: Almost half of all employees engaged in at least one behavior (clicking phish, malware execution, or browsing violation) that exposed the firm to risk.
- 1/3 Browsing Violators: One-third of all users violated web browsing policies intended to keep them safe from malicious online content.
- 92% Malware Concentration: 1% of users are responsible for 92% of all malware download and execution events observed in the telemetry.
- Training ROI for “Clickers”: Targeted training reduces click rates by 25% for high-risk users, whereas it has zero measurable effect on those already in the low-risk category.
- Executive Phishing Targets: Executives receive the highest volume of phishing attempts, though “Lab” employees are actually the most likely to be tricked into clicking.

Methodology: Quantitative analysis of Mimecast’s global telemetry spanning more than 42,000 organizations and hundreds of thousands of individual user behavioral signals.