Most cybersecurity risk comes from just 10% of employees

Wednesday 16 July 2025 21:11

A new report from Living Security and the Cyentia Institute sheds light on the real human element behind cybersecurity threats, and it’s not what most organizations expect.

The Risky Business: Who Protects & Who Puts You at Risk report analyzes data from over 100 organizations and challenges conventional thinking by revealing that a small portion of users, just 10 percent, are responsible for nearly 73 percent of all risky behavior in the enterprise.

“The riskiest users aren’t who and where you think,” the report notes. Surprisingly, remote and part-time workers are often less risky than full-time, in-office employees. Meanwhile, 78 percent of users help reduce cyber risk more than they contribute to it.

Beyond phishing: what human risk really looks like

The study argues that the traditional security focus on phishing is too narrow. Instead, it identifies risk signals tied to identity, access, behavior, and external threats. These include risky behaviors like poor credential hygiene, as well as external events such as being targeted by malware or phishing campaigns.

Interestingly, events beyond a user’s control, such as threat targeting, also shape their risk profile. That’s why the report insists that reducing human risk requires more than just better training. It demands broader visibility and smarter mitigation strategies.

Visibility is the missing piece

One of the most alarming findings is how little visibility organizations have into human risk. On average, firms detect just 43 percent of potential risky behaviors and events. For those relying solely on Security Awareness Training (SAT), that figure plummets to 12 percent.

The report ties visibility directly to integration maturity: the more security tools and data sources an organization has integrated, the more of its human risk it can see. Yet even with that visibility available, most organizations detect only 19 percent of all human risk events in practice, pointing to a critical detection gap.

Risk is unevenly distributed

The majority of employees are classified as “vigilant.” Using a Dungeons & Dragons-style alignment grid, the report groups users by both intent (risky vs. vigilant) and consistency (lawful vs. chaotic). It finds that 78 percent of users reduce risk, with many consistently practicing good security hygiene, such as reporting phishing, using MFA, and resetting compromised credentials.

The truly concerning group is the “chaotic risky” 8 percent. These are employees whose unpredictable behaviors and threat exposure make them difficult to manage. These users are a primary target for action plans and enhanced controls.

Myths about risky workers

Contrary to common assumptions, the report finds that contractors and remote workers are generally less risky than average. In fact, executives and tenured employees, while often acting as security champions, also show elevated levels of chaotic risky behavior.

Industry differences also emerge. Business services organizations have the highest rate of chaotic risky users and the lowest visibility into human risk. In contrast, highly regulated sectors like finance and healthcare show better visibility and stronger employee vigilance.