Written by Carrie Mulcahy | August 11, 2025

The 50% Drop in Human Risk You Didn't See Coming: How Human Risk Management is Quietly Reshaping Cybersecurity in 2025

Introduction: A Measurable Shift in Cyber Risk

Cybersecurity has long focused on hardening systems against external threats—but 2025 marks a turning point. New data shows that organizations using Human Risk Management strategies cut their population of risky users by half in just 12 months—from 43% to 21%.

This isn't a theoretical shift. It's quantifiable.

The Who Protects and Who Puts You at Risk: 2025 State of Human Cyber Risk report, a collaboration between Living Security and the Cyentia Institute, analyzed over 100 million human-centric risk signals across more than 100 organizations. The results reveal an urgent truth: the riskiest part of your environment is not your firewall—it’s your people. And now, for the first time, we have proof that human risk is both trackable and reducible.

Why the Human Layer Matters More Than Ever

Modern enterprises are more interconnected, remote, and fast-moving than ever before. While digital transformation has created new efficiencies, it has also created new gaps, ones that threat actors are eager to exploit. The human layer is where decisions get made, habits are formed, and vulnerabilities often begin.

According to the Verizon DBIR, 60–75% of data breaches involve a human element. This includes phishing, credential misuse, policy violations, and insider threats. Yet most cybersecurity risk management strategies are still rooted in control-focused paradigms. The assumption? If we train people, they’ll behave better. If we restrict access, they’ll be safe.

But the data tells a different story. Human risk is not static, nor is it solvable through blanket policies. It requires constant visibility, context-driven analysis, and timely, targeted interventions.

Defining Human Risk: Beyond Clicks and Compliance

To manage human cyber risk, we first need to understand what it is.

Human risk refers to the behaviors, exposures, and attributes of individuals that influence the likelihood and potential impact of a security incident. These factors are analyzed and quantified into a Human Risk Index (HRI) score. Human risk includes:

  • Behavioral signals (e.g., frequent phishing link clicks, use of unauthorized tools, noncompliant data handling)
  • Event signals (e.g., malware infections, failed logins, suspicious geolocation activity)
  • User attributes (e.g., access level, job function, tenure, remote vs. onsite)

Most organizations today only see fragments of this picture. Awareness programs may surface phishing trends. Endpoint tools may highlight malware. But the holistic risk profile remains hidden.

This is where Living Security’s expansive library of over 200 human risk insights brings significant clarity. By integrating telemetry from multiple domains, such as Identity and Access Management (IAM), phishing and email, endpoint, website traffic including AI activity, and training platforms, it calculates a risk score that reflects both exposure and intent.

The Visibility Gap: Only 12% of Signals Are Seen

A major finding from the report is the vast visibility gap across enterprises. On average, organizations relying solely on traditional Security Awareness and Training (SAT) detect just 12% of the human risk signals available to them, whereas organizations that have adopted an HRM strategy and solution experience 5X greater visibility.

This shortfall is largely due to siloed tooling and lack of cross-functional integration. For example:

  • An identity platform may show excessive access, but not that the user recently failed multiple phishing simulations.
  • A DLP tool might detect exfiltration, but not correlate it with user stress indicators or HR flags.

Without unified context, risk signals are just noise. Worse, organizations fly blind to the actual drivers of security incidents.

10% of Users Are Responsible for 73% of Risky Behavior

One of the most powerful takeaways in the report is that a small group of users disproportionately drives overall organizational risk.

The top 10% of users, in terms of risk signals, are responsible for nearly three-quarters of risky actions. This group is not always malicious: they may be contractors with less training, employees in high-pressure roles, or even high performers cutting corners to meet deadlines.

By identifying these individuals and understanding their context, organizations can apply precise coaching and corrective measures rather than broad mandates.

From Lawful Risky to Chaotic Vigilant: The Four Risk Personas

Drawing inspiration from role-playing character alignments like those in Dungeons & Dragons, the report categorizes users into four types:

  • Lawful Vigilant: Consistently engages in positive behaviors (e.g., reporting phishing, completing training on time)
  • Chaotic Vigilant: High variability in behavior but shows risk-reducing intent
  • Lawful Risky: Consistently exhibits the same risk behaviors (e.g., always clicking phishing links)
  • Chaotic Risky: High volume and diversity of risky behaviors with no clear pattern

These personas help move beyond binary risk assessments to a more nuanced view that informs coaching, containment, or championing.

Human Risk is Role-Dependent and Industry-Specific

The report also uncovers fascinating differences in risk profiles by department and industry:

  • Finance and healthcare showed elevated risk in data handling and identity access.
  • Education saw higher phishing susceptibility.
  • Industrial sectors exhibited stronger risk indicators from USB usage and endpoint hygiene.

Similarly, contractors, remote workers, and long-tenured employees exhibited distinct risk tendencies. These nuances reinforce that human risk management must be tailored to context, not applied uniformly.

Success Story: Turning Insight Into Action

Consider the case of a global financial services firm with over 100,000 employees. Initially, they approached human risk management through traditional SAT programs and phishing simulations. But visibility was limited.

Upon deploying Living Security’s Unify platform, the organization uncovered a surprising trend: a large proportion of their risk was concentrated in a small segment of highly privileged contractors who worked irregular hours across regions.

Instead of issuing a sweeping policy change, they launched a contractor-specific training and access review initiative. Within six weeks, phishing reporting rates doubled, while unauthorized access attempts dropped by over 30%.

This targeted, data-driven approach exemplifies what’s possible when human risk becomes part of a strategic cybersecurity risk management program.

Managing Human Risk: Yes, It’s Possible (and Measurable)

The best news? Human risk isn’t just detectable. It’s manageable.

Organizations that implemented Living Security’s action plans, such as targeted nudges, coaching, or access reviews, saw a 60% drop in time spent in a risky state. In some categories, like data loss, the reduction was as high as 98%.

This shows that even modest interventions, when well-timed and data-driven, can move the needle significantly.

Culture Change Through Visibility and Trust

Improved visibility doesn’t just reduce incidents. It changes culture.

Security is often perceived as the "department of no" because it lacks context to engage the business. Human risk data empowers CISOs and security leaders to have constructive conversations with department heads, aligning security with performance goals.

When employees see their behavior reflected in a meaningful, fair, and non-punitive way, they become part of the solution—not the problem.

Closing the Loop on Human Risk

Ultimately, the human layer is the connective tissue of modern security. It links identity, behavior, access, and outcomes.

Managing that layer means:

  1. Measuring risk through real-world signals
  2. Diagnosing where it lives and what drives it
  3. Acting on that insight with precision
  4. Reinforcing positive behavior with coaching, culture, and communication
  5. Reporting progress in a way that shows business value

This is what modern Human Risk Management platforms make possible. Not just dashboards, but a new discipline for changing how we think about, talk about, and act on human risk in cybersecurity.

Conclusion: The Future is Human-First

The Who Protects & Who Puts You at Risk, 2025 State of Human Cyber Risk report is more than a dataset—it’s a roadmap.

It shows us that risk is not just a technical problem, but a human one. It also shows that people, when supported by context and insight, are capable of incredible resilience.

Security leaders looking to future-proof their programs should no longer ask, "What are my users doing wrong?" but rather, "How can I help them do more right?"

That’s the shift from compliance to culture, from awareness to action, and from surface-level metrics to real outcomes. And it starts with visibility.

Download the full report or schedule a demo today.