-Content by CyberNewswire-
Living Security, the global leader in Human Risk Management (HRM), today released the 2025 State of Human Cyber Risk Report, an independent study conducted by leading research firm Cyentia Institute. The report provides an unprecedented look at behavioural risk inside organisations and reveals how strategic HRM programmes can reduce that risk 60% faster than traditional methods.
Drawing on behavioural data from more than 100 enterprises and hundreds of millions of user events, the study offers a first-of-its-kind, data-driven map of where cyber risk actually lives in the workforce and how leading organisations are shrinking it. The report confirms a long-suspected but rarely proven reality: a small fraction of employees (just 10%) are responsible for 73% of risky behaviour.
According to the findings, it’s clear that protecting the enterprise in 2025 means managing people, not just systems.
“Security teams have always known the human factor plays a critical role in breaches, but they’ve lacked the visibility to act on it,” said Ashley Rose, CEO and Co-founder of Living Security. “Until now, most insights have relied on anecdotal evidence or narrow indicators like phishing clicks. This report changes that by providing hard data that shows exactly where risk lives, and what actually works to reduce it.”
Key Findings From The Report
- Human risk is concentrated, not widespread: Just 10% of employees are responsible for nearly three-quarters (73%) of all risky behaviour
- Visibility is alarmingly low: Organisations relying solely on security awareness training (SAT) have visibility into only 12% of risky behaviour, compared to 5X that for mature HRM programmes
- Risk is often misidentified: Contrary to popular belief, remote and part-time workers are less risky than their in-office peers
- HRM works: Companies using Living Security’s Unify platform cut their risky user population by 50% and reduced high-risk behaviour duration by 60%
From Awareness to Action: Making Human Risk Measurable
Unlike traditional reports that focus on external threats or compliance audits, the 2025 State of Human Cyber Risk Report centers on internal risk behaviours and how they change with the right interventions.
The report includes:
- A detailed breakdown of what constitutes human risk across behaviours, events, and attributes
- Analysis of how risk is distributed across roles, industries, and access levels
- Persona-based insights using behavioural alignment models
- Proof that HRM initiatives, especially behaviour-triggered action plans, dramatically reduce organisational risk exposure
A Call to Cybersecurity Leaders
With budgets tightening and threats evolving, the stakes are clear: cybersecurity can no longer rely on awareness alone. Leaders must prioritise behavioural visibility, targeted action, and ROI-driven results.
“Cybersecurity is no longer just about technology, it’s about behaviour,” said Rose. “If we don’t understand who our riskiest users are, why they’re at risk, and how to help them improve, we’ll continue chasing symptoms instead of solving the root problem.”
Looking Ahead
These findings come at a time when AI agents and digital co-workers are entering the enterprise and the attack surface is evolving fast. As pioneers in Human Risk Management, Living Security sees this evolution clearly: the future of cyber resilience isn’t just about managing human risk, it’s about managing behavioural risk, wherever it originates.
This report not only celebrates measurable progress on the human side, but also signals what comes next: a future where enterprises govern both humans and agents through shared visibility, standards, and accountability.
About the Report
The 2025 State of Human Cyber Risk Report was produced in partnership with the Cyentia Institute using anonymised data from Living Security’s Unify platform over the last several years. It reflects hundreds of millions of real-world user events and decisions, collected and analysed to provide a clear picture of how human risk shows up, and how it can be reduced.
-This is a paid press release published via CyberNewswire-