We’re excited to tell you all about Lucy 5.7, packed with new features and usability enhancements

Teams Phishing Attacks (Beta)

Lucy now supports phishing simulations sent as Teams messages. This allows organizations to test employee awareness directly from within their daily communication platform. Simulated attacks can be easily set up and scheduled using the same campaign settings as other simulated attacks.

AI Translation Tool (Beta)

We know our customers and partners use Lucy in a great many countries and run campaigns in very many languages. To give you the ability to easily run attack simulations in multiple languages we have introduced our AI Translation Tool for quick and accurate translation of attacks

Adaptive Phishing (Beta)

This fantastic new feature eliminates the need to manually create and manage each separate attack campaign. Instead, once it is configured, it automatically runs simulations at recurring intervals. Each user is allocated to an attack campaign based on their risk level derived from prior performance. 

AURA (Beta)

This fully automated awareness engine delivers policy -driven security education across your organization.  Select topics, define target audiences  and set courses and awareness-boosters. AURA then automatically assigns training based on each user’s learning record. It manages reminders and provides a rich dashboard of progress and coverage. This initial Beta is only available in English language.

This article explains what human risk management in cybersecurity means, why it matters, and how CISOs can use it to build a stronger, more defensible awareness strategy.

What Is Human Risk Management in Cybersecurity?

Human risk management in cybersecurity is the practice of identifying, measuring, and reducing security risk linked to human behavior.

In simple terms, it means understanding how employees, contractors, and other users may increase cyber risk through actions such as:

• clicking phishing links

• opening malicious attachments

• reusing passwords

• sharing credentials

• approving fraudulent payment requests

• mishandling sensitive information

Traditional awareness programs often focus on course completion. However, human risk management in cybersecurity goes further. It looks at whether people are changing their behavior and whether that change reduces real-world risk.

Therefore, the goal is not just to train users. The goal is to lower the probability that a person will become the entry point for an attack.

Why Human Risk Management in Cybersecurity Matters

Human risk management in cybersecurity matters because many cyber incidents still begin with human action. Attackers know that a user can be easier to manipulate than a well-configured firewall or endpoint control.

That is why phishing, voice fraud, QR code scams, malicious MFA requests, and social engineering remain effective. They target attention, trust, urgency, and routine. Even strong technical controls can fail when an employee is deceived into helping the attacker.

For CISOs, this creates a clear challenge. They must show that awareness activity is not just a compliance box. They must show that it reduces exposure.

A strong human risk management in cybersecurity program helps security leaders:

• identify which users and groups face the highest risk

• measure behavioral weaknesses over time

• target education more accurately

• improve reporting of suspicious messages

• demonstrate progress to leadership and auditors

Because of this, human risk management in cybersecurity gives awareness teams a clearer place in the wider security strategy.

How Human Risk Management in Cybersecurity Differs from Traditional Awareness Training

Many organizations still rely on annual e-learning and a standard phishing test. That approach may satisfy a minimum policy requirement, but it rarely delivers enough depth.

Human risk management in cybersecurity differs from traditional awareness training in several important ways.

Human Risk Management in Cybersecurity Focuses on Behavior

Traditional training often measures attendance or completion. By contrast, human risk management in cybersecurity measures actions and patterns. It asks practical questions:

• Who clicks repeatedly?

• Who reports suspicious emails quickly?

• Which teams show the highest exposure?

• Which users improve after training?

• Which users remain vulnerable?

This shift matters because behavior is what attackers exploit.

Human Risk Management in Cybersecurity Uses Continuous Measurement

A once-a-year course provides only a snapshot. However, human risk management in cybersecurity relies on continuous observation and repeated testing. It uses ongoing simulations, reporting data, and learning interactions to build a more accurate picture of user risk.

Human Risk Management in Cybersecurity Supports Risk-Based Action

Not every employee presents the same level of risk. Senior executives, finance staff, HR teams, and privileged users often face greater exposure. Therefore, human risk management in cybersecurity supports targeted action instead of one-size-fits-all awareness.

That makes the program more efficient and usually more credible with leadership.

This is not about privacy ideology. It is about structural legal exposure. GDPR treats personal data as a fundamental rights issue. The CLOUD Act treats lawful access as a sovereign function. Both systems are coherent. Yet together, they create jurisdictional tension. As a result, hosting decisions have become risk management decisions.

GDPR vs CLOUD Act: A Structural Jurisdictional Conflict

Under GDPR, organisations must assess risk to the rights and freedoms of individuals. That obligation is proactive. It requires accountability, documentation, and justification. Moreover, it demands that organisations consider who can access personal data and under what legal authority.

The CLOUD Act, however, allows U.S. authorities to compel U.S.-based providers to disclose data, regardless of physical storage location. Jurisdiction follows the provider. Therefore, even if data is stored in Europe, it may still fall under U.S. legal reach.

This is not a compliance failure. It is a structural overlap. If a U.S.-headquartered cloud provider processes EU employee data, it may be subject to both GDPR and the CLOUD Act. Consequently, organisations face dual legal exposure.

For CISOs and DPOs, this creates uncertainty. Contracts cannot override sovereign law. Technical safeguards help. Yet jurisdictional authority remains.

Why Data Sovereignty in Security Awareness Now Matters

Security awareness platforms process more than email addresses. They often handle:

• Employee identity data

• Phishing simulation performance

• Behavioural risk scoring

• Training completion records

• Departmental reporting

• Remedial learning histories

While this data may not seem sensitive at first glance, it creates behavioural profiles. Therefore, it can fall squarely within GDPR’s risk-based framework.

If such datasets are hosted under U.S. jurisdiction, organisations must consider potential extraterritorial access. Even lawful access creates exposure. Moreover, notification obligations may differ. As a result, risk allocation becomes unclear.

This is why data sovereignty in security awareness has moved from theory to procurement requirement. Regulated sectors now routinely ask:

• Who owns the hosting entity?

• Under which jurisdiction does it operate?

• Can data be accessed under foreign law?

These questions reflect legal friction, not political positioning.

Why Supply Chain Security for CISOs Cannot Rely on Questionnaires Alone

Most vendor risk programmes rely on annual security questionnaires. At first glance, this appears sufficient. However, questionnaires measure declared controls, not real-world behaviour.

A supplier may claim ISO alignment. Yet one employee clicking a phishing link can bypass every documented safeguard.

Therefore, Supply Chain Security for CISOs must include testing, not just attestations.

Key limitations of traditional vendor assessments:

• Annual cadence does not reflect evolving threats

• Self-declared answers lack behavioural evidence

• No measurement of phishing susceptibility

• No insight into human-layer risk

As a result, CISOs often discover supplier weakness only after an incident.

The Human Layer: The Core Weakness in Supply Chain Security for CISOs

Attackers exploit trust relationships. For example:

• Compromised finance suppliers send fraudulent invoices

• MSP accounts are abused for lateral access

• Procurement impersonation leads to payment diversion

In each case, the technical perimeter remains intact. However, human behaviour fails.

Therefore, Supply Chain Security for CISOs must extend awareness expectations to critical suppliers.

If your employees must complete phishing simulations, why should high-risk suppliers not do the same?

Embedding Awareness into Supply Chain Security for CISOs

Forward-looking CISOs now embed awareness requirements into supplier governance frameworks.

This can include:

• Contractual clauses requiring security awareness training

• Mandatory phishing simulation participation

• Defined remediation for high-risk behaviour

• Tiered oversight based on supplier criticality

Importantly, this approach shifts supply chain security from reactive compliance to proactive resilience.

However, enforcement must be practical. Suppliers may lack mature training platforms. Therefore, scalable enablement is critical.

Why cybersecurity challenges in Central and Eastern Europe are rising in 2026

Several conditions make cybersecurity challenges in Central and Eastern Europe distinct in 2026. First, the region is exposed to a blend of criminal activity and geopolitically motivated disruption. In addition, many organisations combine modern cloud tools with older systems that are harder to patch. Moreover, shared suppliers and outsourced IT create a wider “blast radius” when one provider is compromised.

ENISA’s Threat Landscape continues to highlight social engineering as a major initial access route, while also noting fast exploitation of vulnerabilities and the growing role of AI in attacks.

Cybersecurity challenges in Central and Eastern Europe in 2026: the threat mix

In 2026, cybersecurity challenges in Central and Eastern Europe are defined by convergence. Attackers combine persuasion, identity abuse, and operational disruption rather than relying on a single technique.

1 – Social engineering becomes mobile-first

Phishing still works. However, the chain often starts on mobile: smishing leads to messaging apps, and then escalates to voice calls or payment requests. Consequently, “verify by email” is no longer a safe workflow. ENISA also notes the increasing role of AI-supported phishing activity.

2 – Credential theft fuels repeatable compromise

Stolen credentials, session tokens, and infostealer logs enable fast account takeover. Europol describes this clearly: data and access are traded, reused, and exploited at scale.

3 – Disruption attempts are more visible in CEE

CEE remains a region where disruptive intent is not theoretical. For example, reporting in January 2026 described an attempted destructive attack against Poland’s energy targets linked by researchers to Sandworm, using malware designed to wipe systems.

Cybersecurity challenges in Central and Eastern Europe for healthcare in 2026

For healthcare, cybersecurity challenges in Central and Eastern Europe are amplified by operational urgency. Clinicians and administrators work under time pressure, so attackers focus on workflows that must not slow down.

Common healthcare risks in 2026 include:

• phishing against shared inboxes, referrals, and appointment workflows

• invoice and supplier impersonation tied to procurement

• ransomware combined with data theft and extortion

• credential reuse across clinical systems and SaaS portals

Even when core systems are defended, attackers aim for the human layer. Therefore, healthcare resilience depends on process controls as much as tools.

Employees are constantly mobile. They move between meetings, commuting, travel, home working and flexible schedules. As a result, they often read messages, approve requests and scan QR codes outside the traditional workplace environment.

Consequently, their security mindset changes. When people are busy, distracted or away from the office, their psychological defences drop. Attackers understand this perfectly. Therefore, modern social engineering is designed to intercept people in moments of urgency, distraction and trust.

This reality defines the core security awareness trends for 2026.

Security awareness trends 2026: why attackers are winning on mobile

The most important driver behind security awareness trends 2026 is behavioural, not technical.

People behave differently on mobile devices.

Specifically:

• Responding faster and more instinctively

• Less frequently verifying

• They trust short messages more easily

• And, they operate outside formal security routines

In the office, employees sit at desks, use corporate systems and follow formal workflows. In contrast, on mobile phones, they multitask, skim messages and act quickly.

As a result, attackers design campaigns that:

• Arrive at busy moments

• Create false urgency

• Exploit authority and familiarity

• Bypass email security controls entirely

Therefore, security awareness trends 2026 show that human behaviour on mobile is now the primary attack surface.

Security Awareness Trends 2026 – The work–life blur

Another defining security awareness trend 2026 is context collapse.

Employees now blend work and personal communication across the same devices and apps. WhatsApp, SMS and phone calls are used for both private and professional conversations.

Because of this blending:

• Business requests feel personal

• Personal messages feel professional

• Verification habits weaken

• Social pressure increases

For example, when an employee receives a WhatsApp message that appears to come from their manager, it triggers social obedience and speed, not analytical security thinking.

Similarly, when a QR code is scanned in a public space, it feels routine and harmless, even if it leads to a malicious site.

Therefore, security awareness trends 2026 demand training that reflects how people actually behave, not how policies assume they behave.

Security Awareness Trends 2026 – Messaging apps as attack channels

One of the clearest security awareness trends 2026 is the rise of messaging-app attacks.

WhatsApp, in particular, now plays a central role in business communication across Europe, DACH and SE Asia. It is fast, informal and trusted. Unfortunately, it is also ideal for impersonation.

Common WhatsApp attack patterns now include:

• Executive impersonation

• Fake HR and finance requests

• Account re-linking scams

• Supplier and partner fraud

Because messages arrive on personal phones, employees are often:

• Away from formal verification processes

• Under time pressure

• Outside security monitoring controls

As a result, WhatsApp attacks bypass traditional security tooling and awareness habits.

Consequently, security awareness trends 2026 clearly show that messaging apps must be treated as primary threat vectors, not secondary ones.

Why AI Threats to Employees Are Escalating

AI lowers the barrier for cybercrime. Attackers no longer need advanced technical skills. Instead, they use AI tools to generate content at scale. This includes emails, voice calls, fake websites, and documents.

Moreover, AI improves realism. Messages sound natural. Language errors disappear. Context improves. Consequently, employees struggle to spot warning signs they once relied on.

At the same time, work patterns have changed. Employees work remotely. They use mobile devices. They respond quickly to messages. Because of this, attackers exploit urgency and distraction.

Together, these factors explain why AI threats to employees are increasing across all sectors.

How AI Threats to Employees Appear in Everyday Work

AI-driven attacks often blend into normal workflows. They do not look suspicious at first glance. Instead, they imitate trusted processes.

Common examples include:

• AI-generated phishing emails that match writing style and tone

• Fake login pages cloned from real business services

• Voice calls that impersonate managers or suppliers

• Messages referencing real projects, invoices, or travel plans

Because these attacks feel familiar, employees respond without hesitation. Therefore, awareness training must focus on recognition in context, not just theory.

A shift from rules to readiness

The updated China Cybersecurity Law does not prescribe specific technologies or controls. Instead, it strengthens regulators’ ability to assess whether organisations are actually managing cyber risk effectively.

This matters because enforcement is no longer theoretical. Regulators can impose fines without prior warnings, apply operational sanctions, and hold named individuals accountable. As a result, organisations must be able to demonstrate preparedness at all times.

Broader scope, broader accountability

The China Cybersecurity Law amendments also expand regulatory reach in several important ways.

First, the law explicitly applies where overseas activities affect China’s networks or data environment. This has direct implications for global organisations, SaaS providers, and supply-chain partners.

Second, the law aligns more closely with China’s Personal Information Protection Law and Data Security Law. Consequently, how people handle, access, and expose data now sits firmly within cybersecurity compliance expectations.

Why human risk is now central

Although the amendments avoid explicit training mandates, enforcement trends make one point increasingly clear: human-led failures are now regulatory risks.

Credential misuse, social engineering, poor escalation, and incorrect data handling are no longer treated as unfortunate accidents. Instead, they are viewed as indicators of weak governance and insufficient internal controls.

Therefore, organisations are expected to show that employees can recognise cyber risks, respond appropriately, and follow defined procedures under pressure.

Why Phishing Landing Page Cloning Matters

Attackers rarely build fake sites from scratch. Instead, they clone real login pages from trusted brands, making them almost indistinguishable from the originals. Employees may recognise a generic phishing email, but when the link leads to a familiar-looking page, even cautious users can be tricked.

Thus, by cloning legitimate pages for simulations, Lucy enables companies to mirror genuine phishing tactics. Users see a real-looking landing page, but any credentials they enter are captured only for awareness measurement, not stored or reused. This realism is what makes Lucy’s phishing training so effective.

How Lucy Clones a Real Page Safely

Lucy’s phishing landing page cloning tool copies the look and layout of a genuine website while stripping out any active elements that could cause harm.

1. The admin selects a target URL.

2. Lucy clones the design and adjusts links to ensure everything runs inside the secure simulation environment.

3. A simulated login form is added, allowing users to “submit” details without risk.

All data is handled anonymously, and no real credentials are saved. The goal is insight, not intrusion.

See how it works in practice — watch our YouTube demo video showing phishing landing page cloning step by step.

Why Nonprofit Cybersecurity Awareness Training Matters

Cybercriminals increasingly target organisations that serve the public good. They know nonprofits hold valuable data yet often lack enterprise-grade defences. A single phishing email or stolen password can cause major financial and reputational harm.

Through this partnership, Lucy Security and CyberPeace Builders make cybersecurity awareness for nonprofits accessible to any organisation — regardless of size, location, or budget. By using Lucy’s multilingual awareness platform, volunteer experts can run phishing simulations and interactive training programs at scale, ensuring every team member knows how to recognise and report suspicious activity.

Download the full case study

From Digital Exposure to Digital Empowerment

The M-PESA Foundation Academy in Kenya faced the same challenge as many nonprofits: digitalisation without adequate cybersecurity preparation. Staff and students worked online daily but lacked the knowledge to identify threats.

With support from CyberPeace Builders and Lucy’s phishing simulation for NGOs, the Academy created a culture of vigilance and shared responsibility. In just a few months, phishing click rates fell sharply, and cybersecurity became part of everyday operations.

This example shows how nonprofit cybersecurity awareness training empowers users instead of punishing mistakes — turning uncertainty into confidence.