High Risk Users and Where to Find Them

Partner: Elevate

The old cliché that “people are the weakest link” often leads to a cynical, “one-size-fits-all” approach to security awareness. This Cyentia study, based on eight years of telemetry from Elevate Security, flips that script by proving that most users are not inherently risky. The report isolates the “high risk users” (the top quartile who are responsible for a disproportionate share of security events) and identifies precisely where they sit in your organization chart.

The research confirms that human risk is extremely concentrated: while 76% of users have never clicked a phishing link, a tiny 4% of the workforce is responsible for 80% of all phishing incidents. This “lopsided” distribution exists across all risk categories, including malware and secure browsing. By moving from generic training to targeted interventions for this small segment, organizations can effectively reduce their overall exposure without annoying the vigilant majority.

Department and managerial status also shape risk profiles in surprising ways. Customer Service and R&D departments harbor a higher percentage of high-risk users than IT or the Board, likely due to the volume of external files and communications they handle. Managers, particularly in creative departments, are significantly more likely to engage in risky browsing than non-managers. This report provides the roadmap for organizations to focus their limited security resources on the “inside callers” who represent the greatest threat to business continuity.

Key Findings

  • The 4/80 Phishing Rule: A mere 4% of users are responsible for 80% of all successful phishing incidents within an organization.
  • 92% Malware Concentration: Just 3% of employees are behind 92% of all malware execution events observed in the dataset.
  • 12.8% Risk Baseline: In a typical organization, approximately 12.8% of users cross the threshold to be categorized as “high risk”.
  • Customer Service Exposure: Customer relations departments have 2.5x more high-risk users (22%) than IT departments (8.5%).
  • Managerial Risk Spike: Managers in creative departments have the widest “risk gap,” with a 33% high-risk prevalence compared to 9% for non-managers in the same department.
  • Contractor “Sixth Sense”: Contractors are 3x less likely to click on simulated phishing emails than full-time employees, likely due to stricter external controls and varied work environments.

Analytical study by Cyentia Institute of nearly eight years of data (2014–2022) from the Elevate Security platform.