The Size and Shape of Workforce Risk

Partner: Elevate

Security controls are usually applied uniformly to everyone, yet users vary widely in background, duties, and propensity for risk. This report challenges the adage that “people are the weakest link” by showing that the vast majority of employees are low risk. Analyzing 15.1 million unique events, it finds that workforce risk is not spread evenly across the workforce but follows a highly concentrated, lopsided distribution in which a small set of users generates most of the events.

The findings reveal a “10/73” rule for security events overall (read on the same pattern as the 4/80 phishing rule below: roughly 10% of users account for 73% of events), so a small minority of users is responsible for the majority of trouble. For phishing specifically, just 4% of users produce 80% of all successful clicks. The report goes further by quantifying these “nightmare users”: 1% of the workforce clicks a phishing link or downloads malware as often as once a week.

Crucially, high-risk users tend to be high-risk in more than one way. An employee prone to phishing clicks is nearly five times more likely to also trigger malware incidents and secure-browsing violations. This matters for control design: the same small population is over-represented across categories, so targeted interventions for the 9% of employees who represent the greatest threat have far more leverage than “one-size-fits-all” training delivered to everyone.

Key Findings

  • The 4/80 Phishing Rule: A mere 4% of users are responsible for 80% of all recorded phishing clicks within an organization.
  • Malware Concentration: Just 3% of users account for 92% of all malware download and execution events.
  • The “Phishing Zero” Majority: 76% of users have never clicked a phishing link during their entire tenure with their current firm.
  • Persistent Clickers: 1% of users are on a “fast track” to trouble, clicking phishing links on average once every single week.
  • Cross-Category Risk: Users who are high-risk in one area are 5x more likely to be high-risk in another category, such as secure browsing.
  • Control Variability: Even within a single firm, malware block rates vary wildly by department, with some departments blocking 100% and others 0%.
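The concentration and cross-category figures above are statistics a security team can compute from its own awareness-platform export: per-user event counts, the smallest slice of the population that covers a given share of events, the fraction of users with zero events, and the relative risk of a second category given a first. The following Python is an added example, not code from the report, from Cyentia, or from Elevate; the users u01..u20, their event counts, the category names and the function names are constructed for illustration.

```python
"""Measure how concentrated security events are across a user population.

Added example, not code from the Cyentia/Elevate report. The event table
below is constructed for illustration; the report's own data is not used.
"""
from collections import Counter

# Constructed per-user event counts (hypothetical users u01..u20).
PHISHING_CLICKS = {"u01": 8, "u02": 4, "u03": 2, "u04": 1, "u05": 1}
MALWARE_EVENTS = {"u01": 3, "u02": 1, "u07": 2}
POPULATION = [f"u{i:02d}" for i in range(1, 21)]

# Flatten into an event log of (user, category) rows, the shape a platform
# export usually takes. Users with no rows still count toward the population,
# which is what makes the "phishing zero" share meaningful.
EVENTS = [(u, "phishing") for u, n in PHISHING_CLICKS.items() for _ in range(n)]
EVENTS += [(u, "malware") for u, n in MALWARE_EVENTS.items() for _ in range(n)]


def user_counts(events, category):
    """Events per user for one category; users absent from the log read as 0."""
    return Counter(user for user, cat in events if cat == category)


def user_share_for_event_share(events, category, population, event_share):
    """Smallest fraction of the population whose events cover at least
    `event_share` of all events in `category` (the "4% for 80%" statistic).
    Users are taken from the heaviest clicker downward."""
    counts = user_counts(events, category)
    total = sum(counts.values())
    if total == 0:
        return 0.0  # no events in this category: nobody is needed
    needed = event_share * total
    covered = 0
    for rank, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered >= needed:
            return rank / len(population)
    return 1.0


def zero_event_fraction(events, category, population):
    """Fraction of the population with no events in the category
    (the "phishing zero" majority)."""
    counts = user_counts(events, category)
    return sum(1 for u in population if counts[u] == 0) / len(population)


def relative_risk(events, population, cat_a, cat_b):
    """How much more likely a user with >=1 `cat_a` event is to also have
    >=1 `cat_b` event, compared with users who have no `cat_a` events."""
    a, b = user_counts(events, cat_a), user_counts(events, cat_b)
    exposed = [u for u in population if a[u] > 0]
    unexposed = [u for u in population if a[u] == 0]
    if not exposed or not unexposed:
        return float("nan")  # ratio undefined without both groups
    exposed_hit = sum(1 for u in exposed if b[u] > 0)
    unexposed_hit = sum(1 for u in unexposed if b[u] > 0)
    if unexposed_hit == 0:
        return float("inf")  # cat_b occurs only among cat_a users
    # Cross-multiplied form: one division instead of a ratio of two.
    return (exposed_hit * len(unexposed)) / (len(exposed) * unexposed_hit)


if __name__ == "__main__":
    share = user_share_for_event_share(EVENTS, "phishing", POPULATION, 0.80)
    print(f"{share:.0%} of users account for 80% of phishing clicks")
    zeros = zero_event_fraction(EVENTS, "phishing", POPULATION)
    print(f"{zeros:.0%} of users never clicked a phishing link")
    rr = relative_risk(EVENTS, POPULATION, "phishing", "malware")
    print(f"phishing clickers are {rr:.1f}x as likely to have malware events")
```

On the constructed data, 3 of 20 users (15%) cover 80% of phishing clicks, 75% of users have never clicked, and phishing clickers are 6.0x as likely to also have a malware event. Note that the relative-risk figure is only as good as the denominator: if the export omits users who generated no events at all, the unexposed group shrinks and the ratio is inflated, so always join against the full HR or directory population rather than the users that happen to appear in the log.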

Analytical study by Cyentia Institute based on 15.1 million unique events associated with 168,000 users in the Elevate Security platform.