Consider communicating your top identified qualitative security behavior risks and relating them back to the security policy expectations of staff. What a great opportunity to boost awareness, directly and at scale, of "the tops'" buy-in to cutting these risks dramatically.
For God's sake, do not present a bunch of stats about phishing and ransomware. The public is just as sick of this as I am and is equally unbothered by the threat you're presenting.