Living Security, the global leader in Human Risk Management (HRM), today released the 2025 State of Human Cyber Risk Report, an independent study conducted by leading research firm Cyentia Institute. The report provides an unprecedented look at behavioral risk inside organizations and reveals how strategic HRM programs can reduce that risk 60% faster than traditional methods.

Drawing on behavioral data from more than 100 enterprises and hundreds of millions of user events, the study offers a first-of-its-kind, data-driven map of where cyber risk actually lives in the workforce and how leading organizations are shrinking it. The report confirms a long-suspected but rarely proven reality: a small fraction of employees (just 10%) are responsible for 73% of risky behavior. According to the findings, it's clear that protecting the enterprise in 2025 means managing people, not just systems.

"Security teams have always known the human factor plays a critical role in breaches, but they've lacked the visibility to act on it," said Ashley Rose, CEO and Co-founder of Living Security. "Until now, most insights have relied on anecdotal evidence or narrow indicators like phishing clicks. This report changes that by providing hard data that shows exactly where risk lives, and what actually works to reduce it."

Key Findings from the Report:

• Human risk is concentrated, not widespread: Just 10% of employees are responsible for nearly three-quarters (73%) of all risky behavior.

• Visibility is alarmingly low: Organizations relying solely on security awareness training (SAT) have visibility into only 12% of risky behavior, compared to 5X that for mature HRM programs.

• Risk is often misidentified: Contrary to popular belief, remote and part-time workers are less risky than their in-office peers.

• HRM works: Companies using Living Security's Unify platform cut their risky user population by 50% and reduced high-risk behavior duration by 60%.

From Awareness to Action: Making Human Risk Measurable

Unlike traditional reports that focus on external threats or compliance audits, the 2025 State of Human Cyber Risk Report centers on internal risk behaviors and how they change with the right interventions.

The report includes:

• A detailed breakdown of what constitutes human risk across behaviors, events, and attributes

• Analysis of how risk is distributed across roles, industries, and access levels

• Persona-based insights using behavioral alignment models

• Proof that HRM initiatives, especially behavior-triggered action plans, dramatically reduce organizational risk exposure

A Call to Cybersecurity Leaders

With budgets tightening and threats evolving, the stakes are clear: cybersecurity can no longer rely on awareness alone. Leaders must prioritize behavioral visibility, targeted action, and ROI-driven results. 

"Cybersecurity is no longer just about technology, it's about behavior," said Rose. "If we don't understand who our riskiest users are, why they're at risk, and how to help them improve, we'll continue chasing symptoms instead of solving the root problem."

Looking Ahead

These findings come at a time when AI agents and digital co-workers are entering the enterprise and the attack surface is evolving fast. As pioneers in Human Risk Management, Living Security sees this evolution clearly: the future of cyber resilience isn't just about managing human risk, it's about managing behavioral risk, wherever it originates. This report not only celebrates measurable progress on the human side, but also signals what comes next: a future where enterprises govern both humans and agents through shared visibility, standards, and accountability.