High Risk Users & Where to Find Them

Garrett O’Hara, Senior Director, Sales Engineering, Mimecast APAC explores the concept of human risk in cyber security, highlighting that while 90% of breaches stem from human error, a small group of around 8% of users accounts for 80% of incidents. Traditional awareness training often fails to improve security outcomes because it focuses on completion rather than actual behaviour. Employees who pass training may still engage in risky actions, while those who fail simulations can actively report threats. This disconnect is compounded by broader organisational challenges: AI governance is lagging behind ambition, with 62% of organisations operating with basic or minimal controls and only 3% having automated decision-making for governance. These gaps leave both human and AI-driven security initiatives exposed to poor data quality and unclear accountability, underscoring the need for a data-driven approach that identifies and manages high-risk users rather than relying on blanket compliance programs.

Research shows that most…