A new study from Elevate Security, in partnership with the Cyentia Institute, has measured how much effect High Risk users have on the security of an organization.

Entitled High Risk Users and Where to Find Them, the study analyzes eight years’ of Elevate User Risk data ranging from 2014 to 2022.
The research found that High Risk users represent approximately 10% of the worker population. They are found in every department and function of the organization.
The study made several unexpected, key discoveries:
- Contractors are typically less likely to be High Risk than employees
- Simulated phishing is not a good indicator of who is a high risk for real phishing attacks
Many traditional approaches to reduce User Risk rely on simulated phishing tests as the primary factor in identifying potentially risky users. The study has debunked this premise.
The study did not rely on phishing simulations and user surveys. It used billions of independent data points from across the organization and beyond.
Factors such as worker susceptibility to real phishing, sensitive data handling, safe browsing, and password management, along with demographics and other characteristics, are continually aggregated and updated into detailed and accurate user risk metrics.
Key Findings
High Risk users represent a sizable threat to the organization. The study found that High Risk users are responsible for:
- 41% of all simulated phishing clicks
- 30% of all real-world phishing clicks
- 54% of all secure-browsing incidents
- 42% of all malware events
High Risk users were found throughout the organization. Some departments, including Customer Service, R&D, and Data Analysis, have more High Risk users than others.
The study found that Managers are about 40% more likely to be High Risk than individual contributors.
“User risk driven incidents are getting worse. It’s critical for us to understand which users need more protection and to give them specific protections for the risks they run,” said Masha Sedova, Elevate co-founder and president.
“Over the last six months, we’ve seen attackers target engineers with very sophisticated multi-phase social engineering campaigns at a 2.5x higher rate than they had previously. I don’t think I’m going on a limb here by saying adversaries know our people, and their weaknesses, better than we do.”
“Adding human risk to our security calculus eliminates implicit trust, continuously validates digital interactions, and provides transparent and measurable feedback to reduce security gaps over time,” said Luke Simonetti, Vice President, Cyber Strategy Solutions at Booz Allen Hamilton.
“We believe the Dynamic Cyber Trust model leads to continuously increased levels of security in the face of evolving threats.”
“Risk is not uniformly distributed among organizations, that much is clear from the results of our research. In fact, some users represent orders of magnitude more risk than others,” said Cyentia Institute Partner and Data Scientist, Ben Edwards.
“Understanding and applying these distinctions will lead to significant improvements in organizational security.”
Read the full report here.