
By Chuck Gallagher — Business Ethics Keynote Speaker and Trainer
TL;DR: Risky employee behaviors — clicking a phishing link, reusing a weak password, sharing a restricted file — remain the leading cause of cybersecurity breaches, with human error involved in roughly 68 percent of incidents according to Verizon’s Data Breach Investigations Report. Chuck Gallagher, business ethics keynote speaker, argues that cybersecurity is fundamentally an ethics problem disguised as a technology problem, and that lasting protection comes from building a culture where people own the consequences of their choices rather than outsourcing judgment to a training module.
A friend of mine runs IT for a mid-sized firm. A few months back, one of his senior accountants — a woman with twenty years at the company, a spotless record, and two grown kids — got an email that looked like it came from the CFO. The subject line said the wire needed to go today. She didn’t call to verify. She didn’t hover over the sender address. She clicked, filled in the credentials, and by the time anyone caught it, a little under $200,000 was gone. She wasn’t careless. She wasn’t lazy. She was busy, tired, and trusting. And that, right there, is the whole story of modern cybersecurity.
Why does human behavior keep breaking the security stack?
The team at Right-Hand Cybersecurity recently published a piece making a point I’ve been making on stage for years: technology can block malware, flag anomalies, and quarantine attachments, but it cannot stop a person from clicking a link they shouldn’t. As a business ethics keynote speaker, I’ve watched organizations spend millions on firewalls and endpoint detection while treating the people operating those systems as an afterthought. The numbers don’t lie. Verizon’s most recent Data Breach Investigations Report found that the human element was involved in roughly 68 percent of all breaches. Living Security and the Cyentia Institute went further — their research found that just 10 percent of users generate close to 73 percent of all risky behavior inside the average enterprise. Ten percent. That’s not a training problem. That’s a culture problem.
Right-Hand’s article makes the case for something called Human Risk Management — the idea that instead of annual check-the-box training, organizations should monitor actual behavior in real time and deliver personalized coaching the moment someone makes a risky choice. I think they’re onto something important. One of their case studies describes a U.S. financial institution that reduced sensitive data exposure incidents by 17 percent in 60 days by tying real-time alerts to targeted nudges. That’s the kind of result compliance theater has never produced. But I want to push the idea a step further, because the technology is only half the conversation.
Every click is a choice, and every choice has a consequence
I spent years working with organizations where the leaders would tell me, straight-faced, that their people knew better. And they did know better. The accountant at my friend’s firm knew better. The developer who syncs source code to a personal cloud drive knows better. The sales rep who forwards a client list to a Gmail account so they can work from home knows better. Knowing isn’t the issue. The issue is that in the moment of decision — tired, rushed, distracted, trusting — the rule gets overridden by convenience. I’ve written before about this exact pattern in my work on ethical decision-making. When a bad choice feels small, private, and forgivable, people make it. Every time.
This is why I like what Human Risk Management is trying to do. A nudge delivered in Slack five seconds after someone shares a restricted file doesn’t just teach a rule — it creates a moment of friction where reflection can happen. The employee sees, in real time, that their action mattered. Varonis reports that at the average financial services firm, roughly 11 million files are accessible to every single employee. Eleven million. When access is that wide and oversight that narrow, the only real control left is the judgment of the person sitting at the keyboard. And judgment is built through feedback, not through a once-a-year video.
Here’s where I’d challenge Right-Hand’s framing, though. Behavior change through nudges is powerful, but it’s still, at its core, a behavioral system. It treats the employee as something to be conditioned. I’d argue that what really reduces human risk over time is when people understand the ethical weight of their choices — not just the policy, but the downstream impact. A leaked client file isn’t a training metric. It’s a person’s private financial information, sitting in a criminal’s hands. When we reframe cyber hygiene as an ethical responsibility to real human beings rather than a rule to be followed, the conversation changes. Compliance becomes ownership. That shift is what I’ve seen move cultures, and it’s what I keep coming back to in my writing at ChuckGallagher.com.
The last piece, which Right-Hand gets right, is leadership. Their model brings employees, SOC teams, security leaders, and executives into the same conversation. I’ve said it a thousand times from the stage: culture is set at the top. If executives treat MFA as optional for themselves, if the CEO forwards sensitive documents to a personal email for convenience, if leadership grumbles about security as a productivity tax, the organization hears it. As a business ethics keynote speaker, I’ll tell any executive team willing to listen that the strongest thing they can do for their cyber posture is to go first. Model the behavior. Own the inconvenience. When the boss treats security as an ethical obligation rather than a nuisance, the rest of the company notices, and the 10 percent who are generating most of the risk get a whole lot smaller.
Frequently Asked Questions
What are the most common risky employee behaviors that lead to cybersecurity breaches?
The most common risky behaviors include clicking phishing links, reusing or sharing weak passwords, mishandling sensitive data, using unauthorized personal devices for work, and installing unapproved applications. Verizon’s 2024 Data Breach Investigations Report found that the human element was involved in roughly 68 percent of all breaches, with phishing alone responsible for over 70 percent of initial compromises. These behaviors are rarely malicious — they typically come from time pressure, overconfidence, or a simple lack of feedback connecting the action to its consequence.
What is Human Risk Management and how is it different from security awareness training?
Human Risk Management, or HRM, is the evolution of traditional security awareness training as defined by Forrester. Instead of delivering annual or quarterly training videos, HRM platforms integrate with tools like SIEM, EDR, DLP, and email security to monitor real user behavior and deliver personalized coaching the moment a risky action occurs. Traditional training measures completion rates, while HRM measures actual behavioral improvement and risk reduction across the organization.
Do a small number of employees really cause most of the cybersecurity risk?
Yes. A 2025 report from Living Security and the Cyentia Institute analyzing data from over 100 organizations found that approximately 10 percent of users are responsible for nearly 73 percent of all risky behavior in the enterprise. The report also found that 78 percent of users actively reduce risk through good security hygiene. This disproportionate distribution is why Chuck Gallagher, business ethics keynote speaker, argues that targeted coaching of high-risk individuals delivers far more value than generic company-wide training.
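The per-user concentration of risk described in this answer, and the real-time nudge described earlier in the post, can be shown in a small script. This is an added example, not code from Right-Hand Cybersecurity, Living Security, the Cyentia Institute or this post; the event names, their weights, the coaching text and the 20 sample users are all constructed assumptions, and the top-10-percent share it computes comes from that sample data, not from the report.

```python
"""Toy human-risk scoring over constructed behaviour events (added example)."""
from __future__ import annotations

import math

# Assumed weights: how much each risky behaviour adds to a user's score.
# Event names and weights are constructed, not taken from any HRM vendor.
EVENT_WEIGHTS: dict[str, int] = {
    "phishing_click": 5,
    "restricted_file_share": 4,
    "password_reuse": 3,
    "unapproved_app_install": 2,
    "personal_device_login": 1,
}

# Assumed coaching text per event: the "nudge" an HRM platform would push to
# chat or email moments after the action. Wording is constructed.
NUDGES: dict[str, str] = {
    "phishing_click": (
        "You opened a link flagged as phishing. Report it with the report-phish "
        "button; if you typed a password, change it now."
    ),
    "restricted_file_share": (
        "That file is classified Restricted. The share has been logged; confirm "
        "the recipient is authorised or recall the share."
    ),
    "password_reuse": "This password matches one used elsewhere. Set a unique one.",
    "unapproved_app_install": "This app is not on the approved list. Request a review.",
    "personal_device_login": "Sign in to this system from managed devices only.",
}

# Constructed sample: 20 users whose behaviour has already been normalised
# from SIEM/DLP feeds into a list of event names per user.
SAMPLE_EVENTS: dict[str, list[str]] = {
    "u01": ["phishing_click"] * 3 + ["restricted_file_share", "password_reuse"],
    "u02": ["restricted_file_share"] * 2 + ["password_reuse", "phishing_click"],
    **{f"u{n:02d}": ["personal_device_login"] for n in range(3, 11)},
    **{f"u{n:02d}": ["unapproved_app_install"] for n in range(11, 15)},
    **{f"u{n:02d}": [] for n in range(15, 21)},
}


def score_users(events: dict[str, list[str]]) -> dict[str, int]:
    """Sum weighted risky events per user; events without a weight count zero."""
    return {
        user: sum(EVENT_WEIGHTS.get(e, 0) for e in evs)
        for user, evs in events.items()
    }


def top_fraction_share(
    scores: dict[str, int], fraction: float = 0.10
) -> tuple[list[str], float]:
    """Return the top `fraction` of users by score and the share of total
    risk they carry (0.0 when no risk has been recorded at all)."""
    ranked = sorted(scores, key=lambda u: (-scores[u], u))
    k = max(1, math.ceil(len(ranked) * fraction))
    top = ranked[:k]
    total = sum(scores.values())
    share = sum(scores[u] for u in top) / total if total else 0.0
    return top, share


def nudge_for(user: str, event: str) -> str | None:
    """Coaching message to deliver to `user` for `event`, or None when the
    event is not one we coach on."""
    text = NUDGES.get(event)
    return f"@{user}: {text}" if text else None


if __name__ == "__main__":
    scores = score_users(SAMPLE_EVENTS)
    top, share = top_fraction_share(scores)
    print(f"top 10% of users {top} carry {share:.0%} of recorded risk")
    for user in top:
        for event in SAMPLE_EVENTS[user]:
            print(nudge_for(user, event))
```

With the sample data the top two users carry roughly 70 percent of the weighted risk; that figure is a property of the constructed events, not a finding. The point of `top_fraction_share` is that, fed real SIEM or DLP events instead of the sample, it answers the question of who the high-risk cohort actually is rather than leaving the organisation to guess, and `nudge_for` is the feedback step that turns a logged event into a moment of reflection for that person.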
How much can an organization realistically reduce human cyber risk?
Measurable reductions happen quickly when behavior-based interventions replace generic training. A Right-Hand Cybersecurity case study documented a U.S. financial institution that reduced sensitive data exposure incidents by 17 percent within 60 days by integrating HRM tools with its existing SIEM and email security stack. With the average phishing-origin breach now costing close to $4.9 million according to IBM and Verizon reporting, even a 5 percent reduction in click rates can translate into hundreds of thousands of dollars in avoided losses.
Why is cybersecurity fundamentally an ethics issue for business leaders?
Cybersecurity is an ethics issue because every data point represents a real person whose information, livelihood, or privacy is at stake. Leaders who treat security as a compliance box rather than an ethical duty to customers, employees, and shareholders send a signal that shortcuts are acceptable. With Varonis research showing the average financial services firm exposes 11 million files to every employee, the ethical weight of each individual’s daily choices has never been higher. Strong security culture starts with leadership modeling the behavior they expect from everyone else.
I want to hear from you on this one. If you’re a leader, where have you seen the gap between what your people know and what they actually do under pressure? If you’re an employee, what’s the nudge or the moment that actually changed how you handle sensitive information? Drop your thoughts in the comments below — I read them, and I respond. Before you go, sit with the five questions that follow. They’re the ones I’d ask any executive team before they signed off on another round of security training.
Five Questions for Further Thought and Consideration
- When was the last time your senior leadership team had to sit through the same cybersecurity training as everyone else — and did they take it seriously?
- If 10 percent of your employees are generating 73 percent of your human cyber risk, do you actually know who those 10 percent are, or are you guessing?
- What does your organization communicate, through action rather than policy, about whether speed or security wins when the two conflict?
- When an employee makes a risky choice and it doesn’t result in a breach, does anyone tell them what almost happened — or do they assume they got it right?
- If cybersecurity is an ethical duty to the people whose data you hold, how is that duty reflected in your onboarding, your performance reviews, and your leadership conversations?
