Cyber-attacks are an increasingly significant safety and risk issue for companies of any size and many organizations have already been attacked. Preparing for such an event is imperative for every organization – besides up-to-date technological infrastructure, employee awareness, and alert online behavior are critical components of any defense mechanism. Although the importance of and urgency for employee preparedness and the role of cyber-risk communication in that process have been stressed in academic papers and business practice, there remains a dire need for empirical research. The project investigates the hidden mental models driving employee behavior by applying structured brainstorming to distill common themes and define communication goals. The themes are the foundation for a novel diagnostic tool to evaluate the risk internalization maturity. The diagnosis is compared with the effective risk behavior in smulated cyber attacks settings. The insights are also translated into instructional risk messages and actions. Finally, effective risk communication strategies are defined an tested in an experimental settings. The project employes multimethod approach. Deep methapher interviews are combinded with breainstorming sessions, multiple quantitative surveys and experiments. In close collaboration with and in real time the research team conducts action research in corporate environments.