European CISOs still see employees as top security risk

Wed, 13th May 2026
Sean Mitchell, Publisher

MetaCompliance has published research showing that many CISOs in Europe still see employees as their biggest security risk. The findings are based on a survey of 200 CISOs across the UK, Germany, France and Sweden.

The study found that 68% of respondents identified employees as the main source of security risk, despite organisations allocating an average of 15% of their security budgets to awareness education. It also found that 78% believe their current approach to security awareness needs to change, while 79% want to shift towards behaviour-based human risk management.

Across the four markets surveyed, many security leaders said existing programmes are not delivering the intended results. The research found that 81% believe security awareness efforts fail because they treat human cyber risk as a training issue rather than a broader risk management problem.

More frequent training also appears not to have solved the issue. According to the research, 79% of organisations deliver training at least every two weeks, yet a quarter said they struggle to capture employee attention. Another 24% said they fail to embed secure behaviour into day-to-day work, while 24% reported difficulty aligning stakeholders across functions.

The findings point to a gap between investment and outcomes. Some organisations described their current approach as behaviour-led or as including human risk management, but the survey suggests those changes have not yet reduced perceived exposure.

Pressure to rethink awareness programmes is growing as social engineering tactics become more sophisticated. In the survey, 24% of organisations said AI-enabled social engineering would be one of the main drivers of their priorities over the next year.

Security leaders also signalled support for more targeted approaches. The research found that 83% believe interventions aimed at higher-risk individuals would reduce risk faster, while 80% said security messaging is most effective when delivered in the flow of work rather than through separate training.

Shift in approach

The survey suggests CISOs are looking for methods that measure and manage employee behaviour more directly. Over the next 12 months, respondents said their main priorities would include increasing engagement frequency, demonstrating measurable return on investment and tailoring interventions to higher-risk individuals.

James Mackay, Chief Executive Officer at MetaCompliance, said: "Confidence is rising, but that doesn't mean risk is falling. Many businesses mistake completed security training for real security, when the underlying human vulnerabilities haven't changed.

"This creates a dangerous disconnect. Businesses feel more secure, yet employees remain the biggest source of risk. At the same time, threats are becoming more sophisticated, with AI accelerating the scale and precision of social engineering attacks. This is leaving organisations increasingly exposed if this gap isn't addressed."

The survey covered CISOs at companies with more than 250 employees, with 50 respondents in each of France, Germany, Sweden and the UK. All respondents were aged 30 or older.

Budget pressure

The findings also highlight a possible mismatch in spending priorities. While employee-related risk remains prominent in the responses, awareness education accounts for a relatively modest share of overall security budgets on average.

That may sharpen debate over whether organisations should spend more on staff-focused security measures or use existing budgets differently. The results suggest many CISOs see the issue less in the volume of training delivered than in the design of the approach itself.

In practical terms, that means moving away from a compliance-style model towards one that examines how staff behave, which individuals may be more exposed to risk and how messages can be delivered when they are most likely to influence decisions.

Mackay said organisations need to change how they handle the issue. "Human cyber risk needs to be treated like any other business risk - measurable, targeted, and continuously managed. That means moving beyond awareness to genuine behaviour change. Organisations need to flip the script on how they are managing cybersecurity, using real-time targeting and insight to reach the right people, with the right message, at the right moment. That's how you reduce human cyber risk at scale."