Risky Business
Partner: Living Security
Every cybersecurity leader knows that employees represent both their most critical exposure and their most valuable asset. This report meets that challenge head-on by analyzing data from the Human Risk Management (HRM) programs of over 100 organizations. It moves past generic awareness training to leverage over 200 real-time risk signals, offering a nuanced understanding of who poses a risk and who is strengthening security.
The findings reveal a “10/73” rule for human risk: just 10% of users account for a staggering 73% of all risky behavior within their organizations. Interestingly, nearly 80% of employees generate more “vigilant” than risky insights, effectively reducing exposure through positive behaviors like reporting phishing. The report deconstructs these user profiles, showing that remote and part-time workers are often less risky than their in-office counterparts.
Human risk management is proven to work. Organizations using Living Security’s Unify platform saw their population of risky users cut in half over a single year—from 43% to 21%. Targeted action plans are the engine of this change, reducing the time users spend in a risky state by 60% overall. This report provides the roadmap for identifying high-impact risk signals and tailoring interventions to achieve measurable reductions in human exposure.
Key Findings
- The 10/73 Rule: A small minority of users—just 10%—are responsible for 73% of all identified risky behavior across the workforce.
- 78% Vigilance Rate: Nearly 4 in 5 employees (78%) are “vigilant,” meaning they help reduce risk through positive security actions more than they contribute to it.
- HRM visibility vs. SAT: Organizations relying solely on security awareness training (SAT) see only 12% of human risk activity; mature HRM programs achieve 5x more visibility.
- 50% Reduction in Risky Users: Firms using programmatic HRM saw their risky user population drop from 43% to 21% over the course of 12 months.
- 60% Faster Remediation: Completing targeted action plans results in users spending 60% less time in a risky state.
- Data Loss Risk Reduction: Targeted action plans were most effective for data loss risks, resulting in a 98% reduction in exposure time.

Insights derived from independent Cyentia analysis of data from 100+ organizations and over 200 real-time risk signals within the Unify Human Risk Management platform.



