68% of CISOs still identify employees as their biggest security risk

79% are shifting towards behaviour-based human cyber risk management, but progress isn’t keeping pace with evolving threats 

London, May 13, 2026 – EMEA CISOs are calling time on traditional security awareness training, as new research reveals that 78% believe their approach to security awareness education urgently needs to evolve. The research from MetaCompliance, the human cyber risk management company transforming how organisations build resilient security cultures, highlights the widespread concern among CISOs that current methods are failing to address human cyber risk. 

The study, which surveyed 200 CISOs across the United Kingdom, Sweden, Germany and France, found that 81% of CISOs say security awareness programmes fail because they treat human cyber risk as a training issue rather than a wider risk management challenge. At the same time, 68% of businesses identify employees as their biggest security risk, highlighting a persistent and unresolved vulnerability at the heart of enterprise security.  

Despite continued investment in awareness programmes – with organisations allocating, on average, 15% of annual security budgets to awareness education and 79% delivering training at least every two weeks – outcomes remain inconsistent. A quarter (25%) of organisations say they struggle to capture employee attention, while 24% fail to embed secure behaviour into daily work, and a further 24% struggle to align stakeholders across functions. This reinforces that the challenge is as much organisational as it is behavioural.

This disconnect is being driven by an outdated approach. While many CISOs believe their organisations have moved beyond “tick-box” awareness – with some describing their approach as behaviour-led (33%) or integrating human risk management (24%) – this perceived progress is not translating into meaningful change.  

James Mackay, Chief Executive Officer at MetaCompliance said: “Confidence is rising, but that doesn’t mean risk is falling. Many businesses mistake completed security training for real security, when the underlying human vulnerabilities haven’t changed.  

“This creates a dangerous disconnect. Businesses feel more secure, yet employees remain the biggest source of risk. At the same time, threats are becoming more sophisticated, with AI accelerating the scale and precision of social engineering attacks. This is leaving organisations increasingly exposed if this gap isn’t addressed.” 

As a result, CISOs are calling for a more strategic model. Nearly four in five (79%) want to move towards human risk management – an approach that focuses on identifying high-risk individuals and tailoring interventions based on behaviour, as well as nurturing an organisation-wide, collective security culture. A further 83% believe targeted interventions would reduce risk faster, while 80% say security messaging is most effective when delivered in the flow of work.

This shift comes as organisations face increasing pressure to modernise their defences due to the evolving threat landscape. Over the next 12 months, organisations expect to focus on increasing engagement frequency (27%), demonstrating measurable ROI (25%), and tailoring interventions to high-risk individuals (24%) – particularly in response to AI-enabled social engineering (24%).  

James Mackay adds: “Human cyber risk needs to be treated like any other business risk – measurable, targeted, and continuously managed. That means moving beyond awareness to genuine behaviour change. Organisations need to flip the script on how they are managing cybersecurity, using real-time targeting and insight to reach the right people, with the right message, at the right moment. That’s how you reduce human cyber risk at scale.” 

ENDS 


Methodology 

The research was conducted by Censuswide, among a sample of 200 CISOs (aged 30+) in companies with 250+ employees across France, Germany, Sweden and the UK (50 CISOs in each market). The data was collected between 17.02.2026 and 23.02.2026. Censuswide is a member of the Market Research Society (MRS) and the British Polling Council (BPC), and a signatory of the Global Data Quality Pledge. We adhere to the MRS Code of Conduct and ESOMAR principles.

About MetaCompliance 

MetaCompliance is the human risk management company transforming how organisations build resilient security cultures. Its intelligent enterprise-ready platform combines personalised cybersecurity education, behavioural analytics and automation to measure, mitigate and manage human risk at scale. Trusted by over six million users worldwide, MetaCompliance helps global enterprises reduce risk and embed lasting behaviour change. www.metacompliance.com 

***

Press contacts