Press Release
78% of CISOs say C-level
do not fully understand employee-driven cyber risk
Published on: 9 Jul 2026
Nearly half of CISOs who feel less confident in their organisation’s cyber resilience cite AI-enabled social engineering as the primary reason
79% say leadership support for security awareness initiatives fades over time
68% identify employees as their organisation’s biggest security risk, as AI amplifies human-targeted attacks
London, July 9, 2026 – More than three quarters of CISOs across Europe say C-level senior decision-makers do not fully understand the cyber risk posed by employees, according to new research, at a time when AI is making human-targeted attacks more sophisticated, scalable, convincing and increasingly frequent.
The survey of 200 CISOs across the UK, France, Germany and Sweden, carried out by MetaCompliance, the human cyber risk management company, reveals a growing disconnect between the risks organisations face at the human layer and the level of senior understanding, alignment and support needed to manage them effectively.
The findings come as AI-powered attacks increasingly target employee judgement rather than technical vulnerabilities. The study shows that among CISOs who feel less confident in their organisation’s cyber resilience than they did 12 months ago, nearly half cite increasingly sophisticated AI-enabled social engineering attacks as the primary reason.
At the same time, employees remain a significant source of cyber risk. More than two thirds of CISOs continue to identify employees as their organisation’s biggest security risk, highlighting how AI is amplifying challenges that already exist within the human layer.
However, the research suggests many CISOs are trying to address this issue without consistent senior-level backing. Nearly four in five CISOs say leadership support for security education initiatives fade over time, while 76% report struggling to satisfy competing demands for human-risk metrics from different stakeholders.
Nearly a quarter also identify aligning stakeholders across different functions as one of the areas where they feel least confident when managing human cyber risk, underlining the challenge of building a joined-up approach across the business.
James Mackay, Chief Executive Officer at MetaCompliance, said: “AI has changed the context for human risk. Attackers are no longer relying on obvious scams or poorly written phishing emails. They can now create highly convincing impersonation attempts, social engineering attacks and fraudulent communications at scale.
“That makes senior leadership alignment more important than ever. Human cyber risk is no longer just an awareness issue or a training issue; it is a strategic business risk. But our research shows that many CISOs are still trying to drive change without consistent senior support, clear ownership or a shared understanding of the risk across the business.
“If leadership support fades after the initial push, organisations are left exposed. Building resilience against AI-enabled threats requires sustained executive backing, better stakeholder alignment and a more intelligent, behaviour-led approach to managing human cyber risk.”
The findings also show how AI is reshaping the threat landscape for organisations:
- More than four in ten CISOs are concerned about AI increasing the speed and impact of social engineering attacks
- While 40% fear employees are sharing sensitive information with generative AI platforms
- A further 41% are concerned about malicious insiders using AI to support fraud, cybercrime or data theft
- In the UK, concern around deepfake impersonation attacks is particularly high, with more than half of CISOs identifying it as a major threat to their organisation – the highest level recorded across all markets surveyed.
As AI-generated content becomes increasingly difficult to distinguish from legitimate communications, organisations are placing greater emphasis on strengthening their defences against human-targeted attacks. Improving resilience against AI-enabled social engineering attacks is becoming an increasing priority, with almost a quarter of CISOs identifying it as a key focus for the next 12 months.
James Mackay adds: “The organisations best placed to respond will be those that treat human cyber risk as a continuous management challenge, not a periodic training exercise.
“Employees need support in the moments where risk actually happens. That means using behavioural insight, real-time targeting and contextual guidance to help people make better security decisions as AI-enabled attacks become harder to detect.”
ENDS
Methodology
The research was conducted by Censuswide, among a sample of 200 CISOs in companies with 250+ employees (Aged 30+) across France, Germany, Sweden and the UK (50 CISOs in each market). The data was collected between 17.02.2026 – 23.02.2026. Censuswide is a member of the Market Research Society (MRS) and the British Polling Council (BPC), and a signatory of the Global Data Quality Pledge. We adhere to the MRS Code of Conduct and ESOMAR principles.
About MetaCompliance
MetaCompliance is the human risk management company transforming how organisations build resilient security cultures. Its intelligent enterprise-ready platform combines personalised cybersecurity education, behavioural analytics and automation to measure, mitigate and manage human risk at scale. Trusted by over six million users worldwide, MetaCompliance helps global enterprises reduce risk and embed lasting behaviour change. www.metacompliance.com
***
Press contacts
- MetaCompliance
- Liz Adams, Vice President, Marketing – [email protected]