SecureWorld News

NCA 'Oh, Behave!' Report Points to Humans as Top Cyber Risk

Written by Cam Sivesind | Thu | Oct 9, 2025 | 1:41 PM Z

The fifth annual Oh, Behave! report from the National Cybersecurity Alliance (NCA) and CybSafe lands with a clear message: people remain the riskiest—and most complex—variable in cybersecurity. Surveying 7,000 participants across seven countries, the 2025–2026 edition provides a global snapshot of how attitudes, behaviors, and misconceptions shape security outcomes.

For CISOs and security teams, the findings (the report is available for download) underscore both persistent challenges and new opportunities for building a human-centric defense model.

AI usage has surged dramatically, with 65% of respondents now using AI tools, compared to far fewer just a year earlier. Among younger workers, adoption is near universal: 89% of Gen Z and 79% of Millennials report using AI. But training lags far behind; 52% of employed participants say they’ve never received any guidance on AI security risks.

This has fueled the rise of "shadow AI," with 43% of workers admitting to sharing sensitive work data with unsanctioned AI tools, a risky behavior especially common among younger employees.

Security teams must assume that corporate data is already flowing into unmanaged AI systems—and respond with governance, awareness training, and monitoring.

One of the most striking findings is the widening disconnect between knowledge and behavior. Nearly half (48%) of respondents feel confident they can identify phishing, AI-generated content, or scam websites, yet far fewer take consistent protective actions. Only 45% say they regularly check or report suspicious messages, and MFA adoption remains inconsistent, especially among younger demographics (just 17% of Gen Z use MFA regularly, compared to 49% of Baby Boomers).

This "Ctrl+Alt+Delusional" effect illustrates the cultural challenge security leaders face: awareness does not equal protection.

Cybercrime victimization and the deepfake surge

Cybercrime victimization is rising steeply, with 44% of participants reporting personal loss of money or data in 2025, a 9% increase over the previous year. Phishing remains the top threat (29%), followed by identity theft (22%) and online dating scams (21%). For the first time, deepfake scam calls were tracked, with more than a third (34%) of respondents reporting they had been targeted.

Emotional fallout is significant: 51% of victims reported stress, 49% anger, and 42% anxiety. While 91% of victims reported incidents to some authority (often banks first), underreporting persists due to shame or uncertainty.

Encouragingly, 69% of respondents say their organizations prioritize cybersecurity, and 70% believe senior leaders are focused on risk reduction. However, nearly half (49%) identified colleagues as their organization's biggest IT threat—through negligence or malice.

Perceptions of responsibility are also shifting. While 58% of individuals still see themselves as the primary guardians of their personal information, workplace security is increasingly viewed as the IT or security department's responsibility (45% and 40%, respectively). A small but growing share also point to government as having responsibility, suggesting rising expectations for systemic defense.

Access to cybersecurity training remains uneven. Just 32% of respondents said they had access to end-user training, with participation lowest in industries like retail and hospitality. Even when training occurs, its impact is limited: while 83% found it useful, fewer than half reported changing behavior as a result—only 42% started using MFA, and 40% adopted stronger passwords.

Video remains the most popular training format, but the report suggests the bigger challenge is moving from "awareness" to action.

Global insights and cultural contrasts

  • India leads in AI adoption (87%) but also in risky behaviors, with 55% of employees admitting to sharing sensitive information with AI tools.

  • Germany reports the lowest levels of confidence in personal control over security, with a majority (55%) feeling security is not under their control.

  • The U.S. leads in password manager adoption (50%), though trust gaps remain high.

  • Mexico and Brazil show high optimism about security but also high confusion and intimidation, reflecting cultural divides in security culture.

The Oh, Behave! report makes it clear that while technology is advancing, human behavior is regressing in some critical areas. For cybersecurity leaders and practitioners, the key takeaways are:

  • Address Shadow AI head-on with policies, approved tools, and awareness campaigns.

  • Close the knowing–doing gap by embedding security into workflows rather than relying solely on training.

  • Acknowledge cultural and generational differences in security attitudes when designing interventions.

  • Support "go-to defenders." Younger employees often serve as informal cyber support for family and colleagues and need targeted guidance.

  • Focus on psychological barriers, such as privacy fatalism and feelings of helplessness, not just technical knowledge gaps.

As Oz Alashe, CEO of CybSafe, and Lisa Plaggemier, Executive Director of NCA, note in the report: "Human behavior is still the risk frontier."

Bridging that frontier will require empathy, cultural awareness, and continuous adaptation—not just more tools.

Here's a breakdown of top stats and findings from the Oh, Behave! 2025–2026 report:

  • 65% of respondents now use AI tools; adoption is near universal for Gen Z (89%) and Millennials (79%).

  • 52% of employed participants have received no training or guidance on AI security risks.

  • 43% admitted to sharing sensitive work data with unsanctioned AI tools ("shadow AI").

  • 48% feel confident identifying phishing, scams, or AI-generated content, but only 45% regularly act (e.g., reporting suspicious messages).

  • MFA usage is lowest among younger demographics: only 17% of Gen Z use MFA regularly compared to 49% of Baby Boomers.

  • 44% of participants reported being a victim of cybercrime in 2025 (a 9% increase over last year).

  • Phishing (29%), identity theft (22%), and online dating scams (21%) are the most common attacks.

  • 34% reported being targeted by deepfake scam calls—a first-time tracked category.

  • 49% identified colleagues as the biggest IT threat within their organizations.

  • Only 32% had access to and used cybersecurity training; fewer than half changed behavior afterward (42% began using MFA, 40% adopted stronger passwords).

  • India leads in AI adoption (87%), while Germany shows the highest percentage of people feeling security is "out of their control" (55%).

  • U.S. respondents lead in password manager adoption (50%) but also report significant trust gaps.