There’s been a shift happening in cyber security for a few years now, and most CISOs have felt it in one way or another. Many have tried to work around it, adjusting programmes, adding new tools, refining messaging, but it’s getting harder to ignore that something more fundamental needs to change.
The way we’ve been approaching security awareness no longer matches the way risk happens.
In our recent report, Rethinking Human Cyber Risk: How CISOs can transform security awareness training to drive measurable risk reduction, based on research with 200 CISOs across the UK and Europe, this shift comes through clearly. 78% say they want to rethink their approach to security awareness. Not tweak it or improve it slightly, but properly change it. That naturally raises the question of why now, especially when awareness has been a core part of security strategies for so long.
The answer sits in a combination of factors that have been building over time. Threats have evolved quickly, expectations from leadership have increased, and the gap between what awareness programmes deliver and what organisations actually need has become much more visible.
It’s becoming clear that this isn’t about making small improvements to our existing programmes and controls, but something more fundamental. For many organisations, that means rethinking the model entirely and taking a different approach to cyber security awareness.
The Threat Landscape Has Changed Faster Than Awareness
The nature of cyber threats today looks very different to what many security awareness programmes were originally designed for. Attacks are no longer easy to spot or limited to generic phishing emails. They’re more targeted, more convincing, and far more aligned to how people actually work.
Artificial intelligence has accelerated this shift. It’s now possible to generate messages that sound natural, reflect tone accurately, and reference real-world context, making them much harder to detect. In fact, 46% of CISOs who feel less confident in managing human cyber risk than they did a year ago point directly to AI-enabled social engineering as a key reason. At the same time, social engineering has become more sophisticated, using publicly available information to create scenarios that feel familiar and credible.
This creates a challenge because employees are often relying on guidance that was built for a different type of threat. Recognising poor grammar or suspicious formatting is no longer enough when the message looks and sounds legitimate. As a result, the gap between security awareness training and reality continues to widen, even in organisations that are investing heavily in awareness.
Why Traditional Awareness Approaches Are Struggling
“74% of CISOs say their reporting produces dashboards, but not enough clarity to make better decisions”
Most organisations have put significant effort into security awareness over the years, but the way success is measured hasn’t changed at the same pace. Completion rates, policy sign-offs, and phishing simulation results still form the backbone of many programmes, with 70% of CISOs saying their measurement systems rely on these activity-based metrics. The challenge is that they don’t always reflect how people behave in real situations, which is why 74% say their reporting produces dashboards, but not enough clarity to make better decisions.
There’s a difference between understanding what good security behaviour looks like and applying it in the moment, particularly when someone is busy, under pressure, or dealing with competing priorities. Awareness programmes often sit outside of that reality, delivered as standalone activities rather than something embedded into day-to-day decision making.
There’s also the issue of relevance. Generic security awareness training can raise baseline knowledge, but it rarely reflects the specific risks individuals face in their roles. Someone working in finance, HR, or IT will encounter very different scenarios, yet they’re often given the same training content. Over time, that disconnect makes it harder to influence behaviour in a meaningful way, which is reflected in the data, with three-quarters of CISOs saying training relevance matters more than training frequency when it comes to driving secure behaviour.
Board Expectations Are Moving Faster Than Capability
“Only 11% of CISOs can confidently link their awareness activity to reductions in incidents or near misses”
At the same time, the expectations placed on CISOs are increasing. Cyber security is now firmly positioned as a business risk, and boards want a clearer understanding of how that risk is being managed, particularly when it comes to human behaviour. In fact, 77% of CISOs say they’re now expected to prove ROI more rigorously for human risk initiatives than for technical controls, raising the bar for how awareness programmes are measured and justified.
It’s no longer enough to show that security awareness training has been completed. Leaders want to know whether it’s working, where risk is highest, and what’s being done to reduce it. That shift in expectation is happening quickly, and in many cases, it’s outpacing the capabilities of traditional awareness programmes.
This creates a difficult position for CISOs. They’re being asked to provide evidence of impact, but the metrics available don’t always tell the full story. While many organisations have access to large amounts of data, 74% say their reporting produces dashboards but not enough clarity to make better decisions, and only 11% can confidently link their awareness activity to reductions in incidents or near misses. That gap makes it much harder to demonstrate return on investment or justify further spend.
The Cost of Standing Still
Continuing with the same security awareness approach carries a growing cost, even if it isn’t immediately visible to the organisation. Incidents linked to human behaviour can lead to financial loss, regulatory scrutiny, and reputational damage, but beyond that, there’s a more subtle impact on how security functions operate.
When awareness programmes don’t fully influence behaviour, security teams often compensate elsewhere. That can mean adding more controls, increasing monitoring, or responding more frequently to incidents that could have been prevented earlier. Over time, this creates additional pressure on resources and limits the ability to focus on longer-term improvements.
There’s also a strategic risk in falling behind. As threats continue to evolve, organisations that don’t adapt their approach to awareness will find it increasingly difficult to close the gap. What feels manageable today can quickly become a much larger issue as complexity increases.
Rethinking Cyber Security Awareness for Today’s Threat Landscape
It’s clear that many CISOs recognise the need for change, with 79% saying they want to adopt a more strategic approach to managing human risk. The question is what that looks like in practice, and how cyber security awareness needs to evolve to support it.
Evolving doesn’t mean starting from scratch, and it doesn’t mean removing security awareness training altogether. It’s about shifting the focus from measuring activity to measuring behaviour, and from one-off interventions to something more continuous and embedded in how people work.
This requires understanding how people make decisions in real scenarios, where those decisions introduce risk, and how that risk changes over time. It also means moving towards more contextual and role-specific approaches, where training reflects the situations individuals are likely to encounter.
For many organisations, this requires a different way of thinking about awareness. It becomes less about delivering content and more about creating an environment where secure behaviour is easier, more intuitive, and better supported. That shift allows CISOs to move beyond surface-level metrics and gain a clearer view of how risk develops across the organisation.
A Defining Moment for Cyber Awareness
The reason 2026 feels different is that several pressures have come together at the same time. Threats are more advanced, expectations are higher, and the limitations of existing approaches are becoming harder to ignore. AI is accelerating that pressure, with 46% of CISOs who feel less confident in their security approach than they did 12 months ago citing AI-enabled social engineering as a key driver.
CISOs already recognise the need for change, but the opportunity now is to turn that recognition into action. Organisations that evolve their approach will be better positioned to understand and reduce human risk, while those that continue with the same model may find it increasingly difficult to keep up.
This isn’t about reacting to a single trend. It’s about responding to a broader shift in how cyber risk develops and how it needs to be managed.
How MetaCompliance Can Help
At MetaCompliance, we focus on the behaviours that sit behind security risk, not just the completion of training programmes.
Cyber awareness needs to reflect how people work, how decisions are made under pressure, and where risk is most likely to appear. That means moving beyond traditional approaches and building security programmes that provide real insight into behaviour, not just activity.
We help organisations understand where human risk exists, how it evolves, and what practical steps can be taken to reduce it over time. By combining behavioural insight with targeted, relevant training, we enable security leaders to demonstrate measurable impact and build stronger, more resilient organisations.
If you’re rethinking your approach to cyber security awareness in 2026, now is the time to take that next step.
Read our latest report to explore how leading organisations are already starting to rethink human risk.
Cyber Security Awareness FAQs
What is cyber security awareness and why is it important?
Cyber security awareness refers to how well employees understand, recognise, and respond to cyber threats in their day-to-day work. It’s important because most security incidents involve human behaviour, whether that’s clicking a phishing link, mishandling data, or making a decision under pressure. Strong awareness helps reduce risk by enabling people to spot and properly respond to threats before they escalate.
Why are organisations rethinking security awareness training in 2026?
Many organisations are rethinking their approach to security awareness training because traditional methods are struggling to keep pace with modern threats. Attackers are using AI and more advanced social engineering techniques, while awareness programmes often rely on static content and basic metrics. As a result, CISOs are looking for more effective, behaviour-focused approaches that better reflect real-world risk.
What are the biggest challenges with traditional security awareness programmes?
One of the biggest challenges is that traditional programmes tend to focus on completion rather than behaviour. Metrics like training completion rates or phishing test results don’t always show how people act in real situations. There is also often a lack of relevance, with generic content that doesn’t reflect specific roles or day-to-day decisions, making it harder to drive meaningful change.
How can CISOs measure the effectiveness of cyber awareness?
Measuring effectiveness requires going beyond basic participation metrics and looking at behavioural insight. This includes understanding how employees respond to real-world scenarios, where risk is most likely to occur, and how behaviour changes over time. More advanced approaches use data and analytics to provide visibility into human risk and demonstrate measurable improvement.
What is human risk management in cyber security?
Human risk management is an approach that focuses on understanding and reducing the risks created by human behaviour within an organisation. Instead of treating people as the weakest link, it looks at how decisions are made, what influences those decisions, and how organisations can support better outcomes. It combines behavioural data, targeted training, and continuous improvement to reduce exposure to cyber threats.