Inadequate cyber threat literacy is now the number one people risk globally. Not burnout, not labour shortages, not mental health.
According to a 2026 report from Marsh and Mercer Marsh Benefits[1] drawing on more than 4,500 HR and risk professionals across 26 markets, the thing most likely to hurt your organisation through its people is a workforce that does not know how to spot a cyber attack.
And if cyber risk is a people risk, the people function needs to be part of the conversation to help solve it.
Why Cyber Risk Is a People Problem
Most cyber incidents do not begin with a technical failure. They begin with a human interaction: a phishing click, stolen credentials, a spoofed request, or a deepfake exploiting trust.
That means the control environment for cyber risk sits, in large part, with the workforce. How employees recognise threats, how they respond to suspicious messages, how they handle access and credentials: these behaviours are the difference between an attack succeeding and an attack being caught and reported. The Marsh report calls this out explicitly, urging employers to treat workforce behaviour, training, and culture as first-line cyber controls.
This is not a new insight. The Verizon Data Breach Investigations Report[2] has consistently found that the human element is involved in the vast majority of security breaches year on year. What is new is seeing it framed as a board-level people risk rather than an IT compliance checkbox.
The IT-HR Partnership That Nobody Talks About
Security awareness training typically sits in IT's domain. IT buys it, IT deploys it, IT reports on it. HR, if involved at all, is usually brought in to help communicate it or manage the scheduling headache. And given that both teams are already stretched across their core responsibilities, it is no surprise that the space between them, how employees think and behave around security, rarely gets the attention it deserves.
But the Marsh report points to a different model. HR and risk teams that collaborate fully see meaningfully stronger outcomes across succession planning, reskilling, and risk mitigation, on average 15 percentage points more effective than organisations where those functions operate separately.
The reason is straightforward. IT brings the technical knowledge: what the threats look like, what adequate coverage requires, what the compliance frameworks demand. HR brings the people knowledge: how to design programmes that land, how to build cultures where employees feel safe to ask questions and report mistakes, how to support behaviour change without creating anxiety. Neither function is missing something through any fault of its own. They just have not been asked to solve this one together.
The result, across much of the industry, is security training that was designed to satisfy an audit rather than change a behaviour. It fulfils a requirement, but it does not build the capability the organisation needs.
The Case Against Punish-and-Remind
The most widely used model for security awareness training across the industry works roughly like this: simulate a phishing attack, identify the employees who click, remind them not to do it again. It is the approach most platforms are built around, and for organisations with limited time to think carefully about programme design, it is the default.
The logic makes sense. The outcomes do not. In practice, it often trains employees to avoid embarrassment rather than report incidents quickly.
The principle here is well established across workplace safety research. A study published in January 2026[3], drawing on surveys of more than 4,600 workers, found that interpersonal fear, the perception that speaking up or making a mistake will lead to punishment or humiliation, was one of the strongest predictors of silence. People stop reporting not because they stop noticing problems, but because they stop feeling safe to say anything. The same dynamic applies directly to cyber security. An employee who clicks something suspicious and does not report it because they are worried about the consequences is a greater risk to the organisation than one who clicks and immediately flags it.
Reporting is the behaviour that limits damage. Fear suppresses it.
The consequences of getting this wrong are tangible. Research by Databarracks[4], surveying 500 UK IT and cyber security professionals, found that 37% reported cyber attacks resulted in employee dismissals, spanning IT staff let go in direct response to a breach, and wider layoffs from business disruption. That is a pattern that, if employees are aware of it, makes a culture of open reporting even harder to build.
When someone clicks a phishing link, it is rarely because they are careless. It is because they were not equipped to recognise that particular attack in that particular moment. The attack looked legitimate. It arrived when they were busy. It mimicked a tool they use every day. Building the skill to avoid the next one requires practice and feedback, not a reprimand.
The Marsh report frames this clearly: building cyber resilience means treating it as a skills and culture challenge, not a compliance exercise, with continual education as a core element of people strategy rather than a one-time event.
What an HR-Friendly Approach to Cyber Resilience Actually Looks Like
The security awareness training category has moved on from punish-and-remind, even if many organisations have not.
An approach that works for both IT and HR looks like this:
- Training is continuous rather than annual, because research on memory retention consistently shows that one-off training decays rapidly without reinforcement.
- It is personalised to the individual's role and the tools they use, because a generic simulation that impersonates a platform your team has never heard of teaches pattern recognition for threats that do not apply to them. A finance team member receiving a spoofed payment approval request needs a very different threat model than a warehouse operative receiving a fake HR notification by email.
- It is adaptive, so employees who are doing well are not subjected to unnecessary training volume, and those who need more support receive it without stigma.
- And critically, when someone does interact with a simulation, the response is a brief in-the-moment learning nudge, not a reprimand. The mechanism is skill-building, not consequence.
A growing number of organisations are moving toward this model of behaviour-focused security learning. Pistachio Practice is built on it: continuous, adaptive security learning that treats employees as people developing a capability rather than liabilities to be managed. It delivers personalised phishing simulations that adapt to each employee's role and ongoing training scenarios, with compliance reporting for ISO 27001, NIS2, and Cyber Essentials built in. HR can stand behind it because it is built around behaviour change rather than blame. IT can rely on it because the outcomes, and the audit trail, are real.
A Joint Problem Deserves a Joint Solution
The Marsh report's message for organisations is clear. Cyber risk is a people risk. Managing it effectively requires HR and IT to work from the same playbook, with the same goals.
That means HR needs a seat at the table when security awareness strategy is set. Not to soften the programme, but because building a culture where employees feel safe to recognise and report threats is as important as the training itself.
The organisations that improve fastest are not the ones with the harshest controls. They are the ones where employees recognise threats early, report them quickly, and trust the system enough to speak up. In modern organisations, cyber resilience is no longer just a technical capability. It is a workforce capability.
If you want to see what that looks like in practice, Pistachio Practice is a good place to start.