Data Shows 10% of Employees Account for 73% of Observed Cyber Risk Behaviours

A new data-driven analysis from the 2025 State of Human Risk Management Insight Report reveals that risky cybersecurity behaviour in enterprises is highly concentrated. Across 122 organizations and over 400 million user behaviour signals, just 10% of employees were responsible for 73% of all observed risk events. This includes behaviours such as unsafe browsing, insecure credential handling, and repeated engagement with phishing simulations—activities that significantly elevate organizational exposure.

The study also found that traditional security awareness training detects only about 12% of these risky actions. In contrast, more advanced behavioural monitoring programs identified and acted on a much broader range of signals. Contrary to common assumptions, in-office employees exhibited higher risk rates than remote or part-time staff. The findings reinforce the need for targeted, data-informed risk mitigation strategies that focus on specific user behaviours rather than uniform policy enforcement.

www.livingsecurity.com/2025-huma…