CybSafe

You can’t firewall a deepfake. That’s one of the biggest takeaways from our latest report. AI-generated attacks are getting faster, smarter, and a lot more convincing. Which means the old approach to awareness? It’s struggling to keep up. “The new perimeter? Employee behavior.” That’s why Human Risk Management is climbing the priority list in 2026. Not because humans are the problem, but because humans are increasingly the difference between an attack succeeding or failing. Stats that stood out to us: 📊 47.2% believe AI will increase human cyber risk 📊 Only 12.6% feel “very prepared” for AI-related risks 📊 44.2% say AI governance will be the most important capability for security teams in 2026 The AI era is here; the question is whether security strategies can (and will) cope with it. Download the report 👇 https://lnkd.in/e3D_zfs8

“Knowledge does not automatically equal behavior change.” Honestly, that line might sum up the entire state of cybersecurity awareness in 2026. Because watching a training video and making a secure decision in a high-pressure moment are two very different things. This year’s report found: 📊 Only 22.8% are actively monitoring security behaviors 📊 11% still assess AI-related risk using training results alone 📊 A mere 12.8% are prioritizing culture change in 2026 Meanwhile, AI-generated phishing attacks are getting harder to spot by the day. So the question for security leaders is no longer: “Did people complete the training?” It’s: “Did anything actually change?” The future of cybersecurity isn’t just awareness. It’s understanding behavior. Read the full report 👇 https://lnkd.in/e3D_zfs8

Security teams in 2026: “We need stronger AI governance.” Also security teams in 2026: “We are not actually the people deciding which AI tools employees can use.” Make it make sense 🤯 Our new research found: ⚠️ 47.2% think AI will increase human cyber risk ⚠️ Only 15.6% say security teams control AI approvals ⚠️ 1 in 10 say there is literally no clear owner for AI adoption Which feels wrong on so many levels. Because if your defense strategy still relies on: “Please watch this 14-minute compliance video and then tick this box” …Houston, we may have a problem 🚀 But all is not lost. Far from it. To move forward, we suggest you check out our report, here 👇 https://lnkd.in/e3D_zfs8

High agency: the most important idea you've never heard of.

Another predictions report? (Sigh). Look, we know. But unlike the “AI will change everything!!!” posts clogging your feed right now, this report is built on something slightly more useful: Actual data, actual security practitioners and actual behavioural science. Our new report, the year ahead: human cyber risk in 2026–2027, digs into what cyber teams are really worried about right now: A few highlights: - Nearly half think AI will increase human cyber risk - Only 15.6% say security teams can actually approve or restrict AI tools - Less than 1 in 5 feel “very prepared” for AI-related risks  The big takeaway is that you cannot “awareness train” your way out of AI risk. Anyway, enough doomposting from us. Go read the report 👇 https://lnkd.in/e3D_zfs8

Behave has a new home. Oz Alashe MBE now publishes Unfiltered Signals on his personal LinkedIn – same thinking, new stage. Find out more here 👇

The thing that makes IMPACT different? The people studying human behaviour are finally in the same room as the people managing security risk . That gap — between research and practice — is where a lot of security programmes quietly (or not-so-quietly) fail. Practitioners are moving fast, making decisions with incomplete evidence. Researchers are generating insights that rarely make it out of journals. When they talk to each other (as in, really talk), things shift. Researchers learn what practitioners actually need. Practitioners discover the evidence base for their instincts is stronger than they thought. That's where progress happens -- not in one room or the other, but in both, together. This is why we built IMPACT. And it's also why we'll keep on building it. Why not join us next year?

"Security is everyone's responsibility." We've all said it. But across both IMPACT sessions, the conversation pushed back on what that actually means in practice. Because "everyone's responsible" in practice often means no one's responsible. Who's responsible when an employee clicks a phishing link? Who owns the decision about which systems are hardened, which behaviours are trained, which risks are monitored? These questions don't have clean answers ...and pretending they do (ironically) creates security gaps. The organisations getting this right are mapping who owns what, when, and with what support. How clearly is responsibility mapped in your programme?

When security gets in the way of getting work done, people work around it ...even if that makes them less secure. This came up in the UK IMPACT keynote and in US discussions around insider threat — and it's one of the most important things we keep not saying loudly enough. Resistance to security isn't usually defiance. It's a rational response to bad design. When the secure path is slower, harder, or less obvious than the workaround, most people will take the workaround. Not because they don't care, but because they have a job to do. The insight here isn't "people are the problem," it's that friction is the problem. And friction is something we can actually fix. If your security controls are being worked around, it signals a design fault, not a culture failure. So pay attention. Keep an eye out for our next insight from our IMPACT events tomorrow! 

We're all about sharing the knowledge. Throughout March and April, we brought together researchers, practitioners, and security leaders across two IMPACT sessions — one in the UK, one in the US. Different rooms, different conversations ...but the same themes kept resurfacing. Over the next few days, we're sharing one insight from each — the threads that connected both sides of the Atlantic, and what they mean for anyone working at the intersection of human behaviour and security risk. Because the best thing about a room full of people who care about this stuff is that the thinking doesn't stay in the room. First insight drops tomorrow... keep an eye out 👀