From perception to protection: What Africa’s Chief Information Security Officers (CISOs) don’t know about employees could cost them

The KnowBe4 Africa Human Risk Management Report 2025 reveals mismatches between leadership beliefs and employee reality

JOHANNESBURG, South Africa, August 4, 2025/ — Cybersecurity in Africa is entering a new phase. As organisations mature their defences and invest in security awareness training (SAT), a difficult-to-spot, but critical gap is emerging – not between tools and cyber threats, but between what leaders believe about their employees, and what they actually experience.

The KnowBe4 Africa Human Risk Management Report 2025 (http://apo-opa.co/4fhcmPo) provides a glimpse into this mismatch. The results show that many leaders are overestimating their employees’  preparedness, and underestimating the gaps in trust, training, and action.

Says Anna Collard, SVP of Content Strategy and Evangelist at KnowBe4 Africa, “It’s not just that awareness alone isn’t enough – it’s that the level of employee’s awareness is being misunderstood by the organisational leaders responsible for it..”

The perception gap is growing, but measurable

While 50% of decision-makers in 2025 rate employee cyber threat-reporting confidence at 4 out of 5, in 2024, only 43% of employees said that they  felt confident recognising a threat, while one-third disagreed that their training was sufficient.

68% of decision-makers believe that SAT within their organisations is tailored by role. But only 33% of employees in 2024 felt that to be true – with 16% actively disagreeing.

The implications are serious, because a workforce that appears trained and aware on paper may in fact be uncertain, unsupported, and vulnerable.

“This discrepancy between perception and experience is exactly where human risk thrives,” says Collard. “If leaders don’t correct course, they’re building security strategies on false confidence.”

Why measuring awareness is no longer enough

One of the most frequently cited challenges in the report is deceptively simple: measuring if SAT  works. More than four in ten respondents said that they struggle to track whether their security awareness programmes translate into safer behaviours.

A key contributing factor, identified in the report,  is that many organisations still rely on one-size-fits-all SAT, often delivered only annually or biannually, without role-specific customisation or behavioural feedback loops.

While 68% say they offer role-based training, this claim is undermined by the fact that “lack of role alignment” remains one of the top challenges respondents report. The discrepancy is clearest in sectors like manufacturing and healthcare, where generic SAT is most common.

Size, it seems, also matters. Larger organisations are consistently less confident in employee readiness, train less frequently, and struggle more to measure outcomes..

Collard says: “Awareness without action is like an alarm that no one responds to. Organisations are investing in security awareness training, but without the structure, tailoring, and follow-through to translate that into secure behaviour.”

Beyond BYOD: The new blind spot is AI

One of the most urgent themes to emerge is the rapid rise of “shadow AI” use. With nearly half of all organisations still busy developing formal AI policies, yet up to 80% of employees using personal devices for work, the risk of unmonitored, unsanctioned AI usage is rising fast.

East Africa is leading the way with more proactive AI governance, while Southern Africa, despite topping training frequency, lags behind on AI policy implementation.

“Technology has moved faster than policy,” Collard explains. “And unless AI tools are properly governed, they become as much a risk vector as they are an asset.”

The road ahead: Action, alongside awareness

This report outlines five imperatives for African organisations:

  1. Customise SAT by role and risk exposure.
  2. Track what matters – not just participation, but behavioural outcomes.
  3. Formalise reporting structures employees trust and understand.
  4. Close the AI policy gap before misuse becomes systemic.
  5. Contextualise strategies based on region and sector – because resilience is not one-size-fits-all.

“The human element is often spoken about, but rarely measured in ways that lead to action that acknowledges context. Our goal is to help organisations stop guessing and start structuring their defences around real, contextual insights,”says Collard.

“This is a moment to move from compliance-driven box-ticking to culture-driven resilience. We have the data. Now we need the will.

The full report is now available for download here: http://apo-opa.co/4fhcmPo.