STATS for RISK based security - IT professionals listed sysadmins as the biggest threat (42%) followed by C-level executives (16%).

While these executives typically have  limited IT skills, their credentials are worth more to hackers than any  other group.

Other targets:

1. Social engineering - HR and finance departments are the easiest targets.
2. Insider risk - IT staff.

For More:
https://www.infosecurity-magazine.com/news/it-staff-blame-themselves-for/