For years, cyber security has wrestled with an uncomfortable contradiction. 

Employees are routinely described as the biggest risk facing organisations, yet most businesses still haven’t built the systems, support structures or operational models needed to help people behave securely in the environments they work in.

That tension sits at the heart of what many CISOs are struggling with. According to MetaCompliance research, 68% say employees are their organisation’s biggest cyber security risk. At the same time, 75% believe their employees don’t fully understand the role they play in preventing incidents, while 77% admit they lack a clear model for reducing human cyber risk. 

There is clearly recognition that human cyber risk matters; what is missing is confidence in how to manage it effectively.

Why Blame Persists 

When a cyber incident happens, it’s natural for organisations to focus on the visible moment where something went wrong. 

An employee clicked a malicious link. Someone shared sensitive information with the wrong person. A deepfake bypassed internal checks. 

The individual becomes the focal point because human actions are easier to identify than the operational weaknesses sitting behind them. It creates a simpler narrative where the problem is framed around poor choices rather than around culture, process design, competing priorities or fragmented accountability across the business. 

Many organisations also still operate within what could be described as “weakest link” thinking. Humans are seen as unpredictable compared to technical controls, so security programmes naturally focus on reducing employee error through training, awareness and policy enforcement. 

The challenge is that employees don’t operate in controlled environments, and they don’t all face the same risks or pressures assumed by most security awareness training programmes. A finance employee handling invoices faces very different threats from a developer using AI tools, a senior executive travelling frequently, or a customer support team managing sensitive data at speed.

Security decisions happen in the middle of day-to-day work, while employees are balancing competing priorities. Judgements are often made within seconds, under pressure and without perfect information.

That’s partly why blame has persisted for so long. Human mistakes feel tangible and immediate, while organisational shortcomings are harder to measure and often span multiple teams. 

Why Blame Fails to Reduce Risk 

Blame rarely changes behaviour in a meaningful or sustainable way. Most employees aren’t intentionally creating risk. In fact, many are trying to do the right thing while working in environments that make secure behaviour difficult to maintain. 

When organisations focus on security awareness activity without addressing the wider conditions employees operate in, security training becomes something people complete rather than something that genuinely supports decision-making in high-risk moments.

Our research suggests CISOs are becoming increasingly aware of this disconnect. 81% believe security awareness education fails because it feels too generic to be personally relevant, while 83% say they could reduce human cyber risk faster if they had better ways to prioritise who needs which intervention, and when. 

At the same time, only 24% of organisations operate a mature, integrated human risk management approach and none reported delivering dynamic awareness content tailored to the specific risks employees face day to day. 

That gap matters because awareness can only go so far when the surrounding systems are unchanged. 

Employees may understand security principles in theory, but applying them in real-world situations becomes far harder when workloads are high, processes are unclear or operational pressures reward speed over caution. 

Blame also creates unintended cultural consequences. Employees become more hesitant to report mistakes or raise concerns if they fear criticism or repercussions. Over time, that weakens the trust between security teams and the wider workforce, making risk harder to surface. 

The Behavioural Science Behind Human Cyber Risk 

One of the biggest shifts happening in cyber security is the growing recognition that behaviour is influenced by environment. 

People rarely make decisions independently of workload, culture, incentives, communication styles or operational pressure. Behavioural science has shown that humans tend to default to convenience, speed and habit when under stress or cognitive overload. 

That’s important because many organisations expect employees to identify increasingly sophisticated threats while operating in environments that make careful decision-making harder. 

AI is accelerating that challenge. Employees are now expected to recognise highly personalised phishing emails and evolving social engineering tactics while still working quickly and efficiently. 

Our research found that 46% of CISOs who feel less confident managing human cyber risk than they did 12 months ago cite AI-enabled social engineering as a key driver. Attacks are becoming more convincing, more targeted and far harder to identify in the flow of day-to-day work. 

78% of CISOs said senior decision-makers don’t fully understand the security risks posed by employees. That disconnect creates a difficult situation where responsibility for reducing human cyber risk is pushed towards individuals without enough focus on the wider organisational factors shaping behaviour. 

The reality is that employees are influenced heavily by the systems around them. If workflows are overly complex, reporting processes are unclear or productivity is consistently prioritised over security, people naturally adapt their behaviour accordingly. 

Secure behaviour becomes easier when organisations make it relevant and supported within day-to-day work. 

What a Support-Based Model Looks Like 

Forward-thinking organisations are starting to approach human cyber risk differently. 

Rather than treating employees as a source of risk to control, they’re starting to view them as participants in a wider security ecosystem that needs ongoing support and reinforcement. 

That changes how organisations think about security awareness training entirely. 

Instead of relying on broad, generic campaigns delivered uniformly across the business, security teams are moving towards more contextual and behaviour-led approaches. In fact, 81% of CISOs agree that better targeting, not more training, is the answer, while 83% say they could reduce human cyber risk faster if they had better ways to prioritise who needs which intervention, when. 

Training is becoming more role-specific and more aligned to real risk exposure. However, many organisations still struggle with visibility, with 76% of CISOs saying it remains unclear which interventions work best for different roles or risk profiles. 

These organisations are also focusing heavily on measurement and visibility. They want to understand where human cyber risk is concentrated, which behaviours create the most exposure and where additional support is needed. 

That’s where human risk management is becoming more important. 

At MetaCompliance, we see organisations moving beyond awareness activity alone and towards more mature strategies that combine behavioural insight, targeted interventions and measurable risk reduction. The focus shifts from proving training has been completed to understanding whether secure behaviour is improving over time. 

That also requires stronger alignment between security, HR, leadership and operational teams. Human cyber risk can’t sit entirely with security departments when employee behaviour is shaped by culture, systems, communication and business priorities. 

The businesses making the most progress are the ones asking different questions. Instead of focusing solely on why employees made mistakes, they’re examining what conditions made those mistakes more likely in the first place. 

Human Cyber Risk Needs a Different Mindset 

Human cyber risk isn’t going away. If anything, it’s becoming more complex and more connected to everyday business operations. 

Organisations that continue relying on blame as their primary response to cyber threats may struggle to make meaningful progress, because blame doesn’t provide a roadmap for improvement.

The organisations that mature fastest will be the ones that stop viewing employees as a problem to fix and start treating human cyber risk as a shared organisational challenge to manage collectively. 

Because blame is not a control. 

Want to explore the full findings? 

Download the full Rethinking Human Cyber Risk report to uncover how 200 CISOs across Europe are rethinking security awareness, behavioural risk and the future of human risk management.