Elevate Security today announced the release of its 3rd User Risk research study. Produced in partnership with the Cyentia Institute, and entitled, High Risk Users and Where to Find Them, the study analyzes eight years’ of Elevate User Risk data ranging from 2014 to 2022.
Elevate will host a webinar with thought leaders from Cyentia and Booz Allen Hamilton to dissect the findings, and to offer innovative approaches to addressing User Risk on Wednesday, Feb. 22, 2023 at 1:00 PM EST. Guests on the webcast include Ben Edwards, Partner & Data Scientist at Cyentia Institute, Luke Simonetti, Vice President, Cyber Strategy Solutions at Booz Allen Hamilton, and Masha Sedova, President and Co-Founder of Elevate Security.
The research determined that High Risk users represent approximately 10% of the worker population, and are found in every department and function of the organization. Additionally, the study made several unexpected discoveries including:
- Contractors are typically less likely to be High Risk than employees
- Simulated phishing is not a good indicator of who is a high risk for real phishing attacks
This latter finding may be particularly impactful. Many traditional approaches to reducing User Risk rely on simulated phishing tests as the primary factor in identifying potentially risky users, a premise that this study has now debunked.
Rather than relying on phishing simulations and user surveys, Elevate’s comprehensive User Risk model analyzes billions of independent data points from across the organization and beyond. Factors such as worker susceptibility to real phishing, sensitive data handling, safe browsing, and password management along with demographics and other characteristics are continually aggregated and updated into detailed and accurate user risk metrics.
While they make up a small percentage of the population, High Risk users represent a sizable threat to the organization. The study found that High Risk users are responsible for:
- 41% of all simulated phishing clicks
- 30% of all real-world phishing clicks
- 54% of all secure-browsing incidents
- 42% of all malware events
High Risk users were found throughout the organization, with some departments including Customer Service, R&D, and Data Analysis having more High Risk users than others.
Additionally, the study found that Managers are about 40% more likely to be High Risk than individual contributors.
“User risk driven incidents are getting worse. It’s critical for us to understand which users need more protection and to give them specific protections for the risks they run,” said Masha Sedova, Elevate co-founder and president. “Over the last six months, we’ve seen attackers target engineers with very sophisticated multi-phase social engineering campaigns at a 2.5x higher rate than they had previously. I don’t think I’m going on a limb here by saying adversaries know our people, and their weaknesses, better than we do.”
“Adding human risk to our security calculus eliminates implicit trust, continuously validates digital interactions, and provides transparent and measurable feedback to reduce security gaps over time,” said Luke Simonetti, Vice President, Cyber Strategy Solutions at Booz Allen Hamilton. “We believe the Dynamic Cyber Trust model leads to continuously increased levels of security in the face of evolving threats.”
“Risk is not uniformly distributed among organizations, that much is clear from the results of our research. In fact, some users represent orders of magnitude more risk than others,” said Cyentia Institute Partner and Data Scientist, Ben Edwards. “Understanding and applying these distinctions will lead to significant improvements in organizational security.”
The full research report is available here.
About Elevate Security
Elevate Security solves the age-old problem of worker risk. Our platform proactively safeguards an organization’s riskiest users by deeply integrating into the current technology stack to identify behaviors, attack patterns, and other characteristics that affect an individual’s risk levels. Security teams apply Elevate’s risk scoring, risk-aware interventions, to predict, personalize controls, and help prevent the next incident before it happens. To learn more, visit https://elevatesecurity.com.