Shane

CinchOps Info Alert: The Human Element in Cybersecurity – Why Just 10% of Employees Drive 73% of Cyber Risk

The 10% Problem: How a Small Group of Employees Creates 73% of Your Cyber Risk – Evidence-Based Approaches to Human Risk Management


The cybersecurity industry has long operated under the assumption that all employees pose an equal risk to organizational security. New groundbreaking research from the Cyentia Institute and Living Security challenges this belief with data that will fundamentally change how businesses approach human risk management. Their comprehensive analysis of over 100 organizations reveals a startling truth that’s reshaping the cybersecurity field.

 The 10% Problem: A New Understanding of Human Risk Distribution

Recent research analyzing data from more than 100 organizations has uncovered a critical insight about human cybersecurity risk that challenges everything we thought we knew about employee security behavior. This comprehensive study examined over 200 real-time risk signals across diverse industries and organizational sizes, revealing patterns that will fundamentally change how businesses allocate their security resources.

  • Just 10% of users are responsible for 73% of all risky behavior within their organizations
  • The analysis examined over 200 real-time risk signals spanning external threat events, user behaviors, and attributes
  • This finding challenges the traditional one-size-fits-all approach to security awareness training
  • Security teams have been spreading resources evenly across entire workforces when they could achieve far greater impact focusing on the high-risk minority

The implications of this discovery are profound for how organizations approach cybersecurity investment and strategy. While traditional approaches spread training and resources equally across all employees, this research demonstrates that targeted interventions on a small subset of users can deliver dramatically better results than broad-based programs.


(Source: Cyentia Institute and Living Security – 2025 State of Human Cyber Risk Report)

 Beyond Traditional Training: The Evolution of Human Risk Management

Traditional security awareness training has operated on a compliance-focused model that treats all employees as equal risks, but this approach has proven inadequate in addressing the reality of how human risk actually manifests in modern organizations. The data reveals significant limitations in conventional training methods and points toward more effective, data-driven alternatives.

  • Visibility into human risk activity drops to just 12% for organizations relying solely on security awareness training
  • Modern HRM platforms create personalized risk profiles instead of generic training modules
  • Organizations using comprehensive HRM programs routinely achieve risk visibility that’s 5x greater than security awareness training alone
  • The research identifies five key categories of human risk: training compliance, phishing and email, malware threats, data loss, and identity and access management
  • Identity and access management emerges as the most common risk category, while data loss incidents carry the highest potential for catastrophic impact

This enhanced visibility enables security teams to detect and respond to human-related risks before they escalate into full-scale incidents. The shift from generic compliance training to behavioral analytics represents a fundamental evolution in how organizations can protect themselves against human-driven security threats.


(Alignment profiles among industry groups – Source: Cyentia Institute and Living Security – 2025 State of Human Cyber Risk Report)

 The Surprising Reality of Employee Risk Profiles

Conventional wisdom about which employees pose the greatest cybersecurity risks has been turned upside down by this comprehensive research. The findings challenge many widely-held assumptions about remote workers, contractors, and executive-level employees, revealing counterintuitive patterns that should reshape how organizations think about risk distribution.

  • Contractors and remote workers are actually less risky and more vigilant than the overall average
  • Executives and tenured employees show an abnormally high proportion of security champions but also demonstrate elevated levels of unpredictable risky behavior
  • The Business Services category shows the highest concentration of chaotic risky users and the lowest visibility into human risk
  • Financial Services and Health Care sectors demonstrate better risk visibility and stronger employee vigilance patterns
  • Almost 4 in 5 employees (78%) generate more vigilant than risky insights
  • The majority of your workforce is helping to reduce exposure more than adding to it

These findings suggest that organizations need to completely reconsider their assumptions about risk distribution across different employee groups. Rather than viewing employees as primarily a security liability, the data shows that most workers are actually contributing to improved security posture when properly supported and engaged.


(Alignment profiles among employee attributes – Source: Cyentia Institute and Living Security – 2025 State of Human Cyber Risk Report)

 The Financial Impact of Human Risk Management

The economic benefits of implementing effective human risk management extend far beyond simple cost avoidance, delivering measurable improvements in security posture while providing clear return on investment. Organizations that have adopted data-driven approaches to human risk are seeing dramatic reductions in exposure time and overall risk levels.

  • Users spent an average of 60% less time in a risky state after completing action plans
  • Risk specific to data loss showed a 98% reduction in exposure time
  • Organizations can achieve measurable improvements in their security posture by implementing data-driven approaches
  • The concentration of risk in 10% of users suggests targeted interventions offer better ROI than broad-based training programs
  • Mature HRM programs help organizations avoid costs associated with data breaches, regulatory penalties, and operational disruptions
  • Investment in HRM technology pays dividends through reduced incident response needs and improved regulatory compliance

The research demonstrates clear evidence that human risk management isn’t just theory—it actually works in practice. When organizations can identify their riskiest 10% of users and reduce the time all users spend in risky states by more than half, the potential impact on overall security posture becomes transformational rather than incremental.


(Source: Cyentia Institute and Living Security – 2025 State of Human Cyber Risk Report)

 How CinchOps Can Help

Understanding and managing human risk represents one of the most critical challenges facing modern businesses, requiring specialized expertise and proven methodologies to implement successfully. CinchOps brings decades of IT experience to help organizations transform their approach from reactive training to proactive risk management that delivers measurable results.

  • Behavioral analytics implementation to identify your highest-risk users and focus resources where they’ll have the greatest impact
  • Customized training programs targeted at specific risk patterns rather than generic awareness topics
  • Real-time monitoring and alerting systems that detect risky behaviors as they occur
  • Integration with existing security tools to provide holistic risk visibility across your entire technology stack
  • Policy development and enforcement that balances security requirements with business productivity needs
  • Incident response planning that addresses both technical and human elements of security breaches
  • Regular assessment and optimization of your human risk management program to ensure continued effectiveness

CinchOps helps small and medium-sized businesses implement the same data-driven human risk management strategies that large enterprises use, making these powerful approaches accessible and affordable. By identifying the 10% of users who drive the majority of risk, we enable organizations to focus their limited resources where they’ll have the greatest impact while empowering the 78% of employees who naturally strengthen security posture.


 Discover More 

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Houston Businesses Building an Effective Human Firewall: Your Organization’s First Line of Defense
For Additional Information on this topic: New Data Reveals Just 10% of Employees Drive 73% of Cyber Risk
