SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Report finds 10% of staff cause 73% of risky cyber behaviour

Today

New research from Living Security and Cyentia Institute indicates that a small proportion of employees are accountable for a significant majority of risky cyber behaviours, while most organisations remain unaware of the true scale of internal risk.

Concentration of risk

The 2025 State of Human Cyber Risk Report, based on behavioural data from more than 100 enterprises and hundreds of millions of user activities, finds that just 10% of employees are responsible for 73% of all risky behaviour within organisations. This concentration of risk challenges the common perception that cyber risk is broadly distributed across the workforce.

The report provides detailed insights into where cyber risk is prevalent in today's enterprises and argues for a shift from systemic defences to targeted human risk management. Ashley Rose, Chief Executive Officer and Co-founder of Living Security, commented on the findings, stating:

"Security teams have always known the human factor plays a critical role in breaches, but they've lacked the visibility to act on it. Until now, most insights have relied on anecdotal evidence or narrow indicators like phishing clicks. This report changes that by providing hard data that shows exactly where risk lives, and what actually works to reduce it."

Visibility challenges

One of the most significant takeaways from the report is the shortfall in visibility for many organisations. The analysis determined that those relying only on security awareness training (SAT) can detect only 12% of risky behaviour. In contrast, companies employing mature Human Risk Management (HRM) programmes detected five times as much risk.

The study also revealed that risk is often misattributed. Remote and part-time workers were found to be less risky than in-office staff, contradicting some prevailing assumptions about offsite working arrangements.

Effectiveness of targeted interventions

Living Security reports that organisations utilising its Unify HRM platform managed to reduce their population of risky users by 50% and shorten the duration of high-risk behaviour by 60%. The report suggests that behaviour-triggered interventions are notably more effective than blanket awareness campaigns.

The comprehensive study examines risk distribution by role, industry, and user access level, and provides persona-based insights using behavioural alignment models. It further concludes that targeted action plans, prompted by dynamic risk detection, can dramatically lower an organisation's exposure to internal threats.

Rose asserts that cyber risk management needs a fundamental overhaul, saying:

"Cybersecurity is no longer just about technology, it's about behavior. If we don't understand who our riskiest users are, why they're at risk, and how to help them improve, we'll continue chasing symptoms instead of solving the root problem."

Changing requirements

The report comes at a time of rapidly changing enterprise environments, with AI-driven agents and digital co-workers broadening the digital attack surface. The findings recommend that security leaders transition from purely technical defences to approaches that prioritise visibility into user behaviour and enable targeted interventions.

According to the report, detecting and acting on high-risk behaviours at the user level confers significant advantages in risk reduction speed and overall organisational security posture. The full report stresses the necessity of shared visibility and accountability for both human and non-human actors operating within the enterprise.

The 2025 State of Human Cyber Risk Report was developed using anonymised data from the Unify platform collected over multiple years, offering a detailed look at how human risk is manifested and can be mitigated across various industries and organisational sizes.
