When risk becomes habit: Employee behavior and organizational security
Key points
- A small subset of employees consistently engages in risky behavior, contributing disproportionately to organizational cybersecurity risks.
- While most employees only exhibit one type of risky behavior (e.g., falling for phishing), a few individuals repeat multiple dangerous actions (e.g., phishing, malware downloads).
- Shielding managers and high-level employees from frequent phishing attempts may be more effective than additional training.
According to “Exposing Human Risk,” human behavior is a significant and often overlooked risk factor in organizational cybersecurity. The report highlights how risky employee actions — such as falling for phishing schemes, downloading malware or violating browsing policies — can create vulnerabilities that expose businesses to cyber threats. The findings offer critical insights into how organizations can reduce risk by targeting specific employee behaviors.
Risky behavior and habitual offenders
One of the key takeaways from the study is the disproportionate impact of a small number of employees who engage in risky behaviors. These individuals, known as “habitual offenders,” account for a sizable portion of cybersecurity incidents within organizations:
- For example, 5% of employees responsible for browsing violations generated 62% of all such incidents.
- Across phishing, malware and browsing behaviors, just 5% of users accounted for 75% of the detected events.
- Just 1% of users are behind 44% of all clicked phishing emails.
What does this pattern demonstrate? Focusing on the behavior of a few high-risk users could yield substantial improvements in overall risk reduction.
Multiple risk behaviors
The research also shows that while many employees engage in just one form of risky behavior, a small group of individuals engage in multiple dangerous actions. Of the 48% of employees who demonstrated risky behaviors, most only committed one type. However, 13% engaged in two types, and less than 1% transgressed in three or more areas.
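To make the two concentration measures above concrete (the share of events produced by a small top slice of users, and the users who transgress in more than one category), here is an added example that is not from the report or its authors; the event records, user ids and function names are constructed assumptions.

```python
"""Habitual-offender concentration analysis over constructed per-user risk events.

Added example (not from the report): measures how much of the risk-event volume
a small top slice of users generates, and finds users active in several
behaviour categories. All input records below are constructed sample data.
"""
from collections import Counter, defaultdict

# Constructed sample events: (user, category). Categories mirror the report's
# three behaviours: phishing clicks, malware downloads, browsing violations.
SAMPLE_EVENTS = [
    ("u01", "phishing"), ("u01", "phishing"), ("u01", "malware"), ("u01", "browsing"),
    ("u01", "browsing"), ("u02", "browsing"), ("u02", "browsing"), ("u02", "phishing"),
    ("u03", "phishing"), ("u04", "malware"), ("u05", "browsing"), ("u06", "phishing"),
    ("u07", "browsing"), ("u08", "phishing"), ("u09", "malware"), ("u10", "browsing"),
]


def top_share(events, fraction, population):
    """Share of all events produced by the top `fraction` of `population` users,
    ranked by event count. Users with no events still count toward `population`,
    so 'top 5% of users' means 5% of the workforce, not 5% of offenders."""
    counts = Counter(user for user, _ in events)
    total = sum(counts.values())
    k = max(1, round(fraction * population))  # at least one user in the slice
    top = sum(n for _, n in counts.most_common(k))
    return top / total if total else 0.0


def category_share(events, category, fraction, population):
    """Same concentration measure restricted to one category (e.g. 'browsing')."""
    subset = [(u, c) for u, c in events if c == category]
    return top_share(subset, fraction, population)


def repeat_offenders(events, min_categories=2):
    """Users seen in at least `min_categories` distinct behaviour categories."""
    cats = defaultdict(set)
    for user, category in events:
        cats[user].add(category)
    return {u: sorted(c) for u, c in cats.items() if len(c) >= min_categories}


if __name__ == "__main__":
    print(f"top 10% of users -> {top_share(SAMPLE_EVENTS, 0.10, 10):.1%} of events")
    print("multi-category users:", repeat_offenders(SAMPLE_EVENTS))
```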
Interestingly, the highest failure rates occur with real phishing attempts rather than simulated phishing tests. Around 3% of employees failed both real and simulated phishing tests, while 1% fell for real phishing but not the simulations.
Are simulated phishing tests misleading?
There’s a stark contrast between employee responses to simulated versus real phishing attacks. Data indicates click rates for simulated phishing are much higher than for real-world attacks, which may imply that employees are better at recognizing actual phishing messages. This raises the question of whether simulated phishing tests are too complex or unrealistic, potentially misleading employees about what a real phishing attempt looks like.
The role of job function in risk exposure
Another important discovery in the study concerns how separate roles within the organization influence exposure to phishing attacks. Managers, executives, and sales personnel receive a higher volume of phishing emails due to their more public-facing roles and higher access levels. However, they tend to have lower click rates compared to other employees.
Interestingly, while managers are targeted more frequently, their higher exposure results in a higher likelihood of successful attacks, suggesting that more proactive shielding of these employees might be more effective than simply providing additional training.
The bottom line
Exposing Human Risk underscores the importance of understanding and managing human risk in cybersecurity. While external threats remain significant, the behaviors of employees — particularly those who consistently engage in risky actions — pose a persistent challenge.
By identifying high-risk users and tailoring intervention strategies, organizations can reduce their cybersecurity risks. Regular training, more accurate phishing simulations and specific shielding for high-risk roles are key steps in improving an organization’s cybersecurity posture.
To learn more about what happens when risky behaviors become habit, read the full report.