Human Error Cyber Risks Tied to Just 10% of Employees, Study Finds

A new study confirms what many cybersecurity teams have long suspected: the biggest threat may come from just a few people. According to a new report, human error cyber risks are heavily concentrated—just 10% of employees are responsible for nearly 75% of risky behavior in the workplace.

Small Group, Big Risk

The research comes from Living Security, a human risk management platform. Using data from over 100 enterprises and hundreds of millions of user events, the study found that 10% of users account for:

• Over 75% of data loss incidents
• More than 65% of malware threats
• Over 50% of phishing, identity, email, and access-related issues

CEO Ashley Rose emphasized the shift in focus:

“Cybersecurity is no longer just about technology. It’s about behavior.”

The Right Interventions Make a Difference

Living Security notes that companies that intervene effectively can cut their at-risk user population by 50% and reduce risky behaviors by 60%. The company recommends a behavioral approach that combines data, risk scoring, and targeted training.

These findings align with the World Economic Forum’s long-standing claim that 95% of cybersecurity incidents stem from human error.

Importantly, the data shows that risky behavior doesn’t usually come from one individual. Instead, it’s spread across a small population that requires ongoing monitoring and education.

Remote Workers Aren’t the Problem

Contrary to popular belief, remote and part-time workers are less risky than in-office staff.
The report, conducted by the Cyentia Institute, suggests that contractors and remote teams often face stricter security policies, such as required multi-factor authentication and mandatory training.

These measures may make remote workers more vigilant than their on-site peers.

“Four out of five employees actually reduce risk more than they create it,” the report states.

Conclusion

This new data makes it clear: human error cyber risks are highly concentrated but manageable. By focusing on the small percentage of users who consistently engage in risky behavior, companies can reduce threats without overhauling their entire workforce. The future of cybersecurity lies in managing behavior—not just technology.