Verizon DBIR 2016 - Top 3 are related to humans

#1 - 40% were Web app attacks  and 817 out of 879 of them resulted from stolen credentials.

#2 - Privilege misuse (intentional)

#3 - Misc Errors (unintentional)

Check Here
https://securingthehuman.sans.org/blog/2016/05/17/2016-verizon-dbir-its-about-people