We’ve all seen the headlines. The human element continues to dominate discussions around cyber risk - and not in a good way. The 2025 Verizon DBIR puts a hard number on it: 60% of breaches still involve human behavior. Despite all the awareness programs, training modules, and compliance requirements, that number has barely moved in years.
But here’s what’s changing: security teams are rethinking the narrative. People aren’t being written off as the weakest link. Instead, they’re being recognized as a critical force in the security posture of the entire organization. When human factors are brought to the forefront of a security strategy, it opens up a different kind of conversation - one rooted not in policy enforcement, but in behavior change.
This shift isn’t about tightening controls or adding more policies. It’s about shaping a security-first company culture where strong security habits are part of business operations, not bolted on after the fact.
It’s about embedding security into daily routines, decision-making, and the broader company culture, so secure behaviors become as instinctive as locking your laptop.
Below is a deep dive into how security leaders are building strong cybersecurity cultures. Not through awareness alone, but through targeted behavior change interventions. We’ll look at the building blocks that make a measurable difference.
We went in-depth on measuring and changing employee behavior on the All Things Human Risk Management Podcast.
Knowledge isn't enough: the BMAP model
Knowing something doesn’t always mean acting on it. Most people understand cyber threats and recognize the need for secure behaviors - yet risky behaviors persist.
This isn’t due to a lack of information. The real gap lies between knowing and doing. I know broccoli is good for me, but that doesn’t mean I eat it daily. Awareness doesn’t automatically change habits.
This is where behavioral science becomes essential. Behavior models such as the BMAP framework (BJ Fogg’s Behavior Model, B = MAP: a behavior happens only when motivation, ability and a prompt come together at the same moment) help us move beyond traditional training approaches:
- Motivation: Hoxhunt uses gamification (stars, badges, leaderboards) to make security training rewarding.
- Ability: Personalized difficulty levels and a one-click reporting button ensure actions are easy to complete.
- Prompt: We prompt employees regularly through engaging, timely phishing simulations that serve as reminders to act.
Traditional security awareness training often targets knowledge only. An effective behavior change intervention must also address attitudes and behaviors: how people appraise a threat, which target behavior they are expected to perform, and how they decide in the moment.
Comprehensive training, reinforced frequently and integrated with daily workflows, is the key to improving security posture.
Motivation is what we instinctively reach for when trying to influence behavior, but it's only one tool in the toolbox. Motivation fluctuates constantly, so targeting it alone is not sufficient. We also need to make the secure action easy and remove friction; that combination brings the best results.
Hoxhunt trains people in their ‘zone of proximal development’ so they’re always challenged but never overwhelmed. By continuously refining this balance, we've seen tremendous improvement in employee participation and secure behaviors.

Why security culture matters (and why most programs miss the mark)
Culture isn’t what gets printed on a mug. It’s how people make security decisions when no one’s looking.
A strong security culture aligns three key elements:
- Knowledge: Are security policies understood?
- Attitudes: Do people internalize the importance of secure behavior?
- Behaviors: Are secure behaviors consistently observed?
Most security awareness programs stall at the knowledge phase. They educate, but don’t enable.
As Dr. Jessica Barker notes, "When you lead with fear, people disengage. Empowerment drives change."
Effective training programs move beyond compliance behavior. They prepare employees for social engineering attacks, reinforcing secure actions through frequent practice and behavioral science.
When teams outside of security start realizing there are security elements they can influence, that’s when the culture truly shifts. That’s how organizations scale human risk management.
Not by enforcement. Not by fear. But by creating a security-aware culture where every employee sees themselves as part of the security team.
Without psychological safety, real threats go unreported. Human error rises when fear eclipses empowerment. Building a culture of security awareness means designing security awareness campaigns that foster trust.
The four pillars of a measurable security culture
To embed a culture of security awareness that actually drives behavior change, you need metrics that reflect more than surface-level engagement. A behavior change program needs to be evaluated across several dimensions.
Here are the four essential elements:
- Awareness (Knowledge): Are employees familiar with key threats and expected actions? Quiz results, onboarding process completions, and security awareness training modules help answer this - but they’re only the starting point. Knowledge-based errors can persist if not paired with practical application.
- Behavior: Are secure behaviors becoming habits? Look at real-world actions, such as phishing simulation reporting rates, password security audits, and browser and internet usage. These give data-driven insight into whether intentions are translating into consistent secure behavior.
- Attitudes: Do people believe security is a shared responsibility? Survey data and team-level signals such as peer accountability or informal feedback during cybersecurity training give insight into how the organizational culture is evolving. This is where environmental factors and social norms influence the decision-making process.
- Engagement: Are people participating voluntarily? Track attendance at security awareness campaigns, leaderboard rankings, and employee feedback. These indicators show where behavioural nudges and communication strategies are resonating.
Effective training programs don’t stop at knowledge checks. To reduce cyber security risks and build a strong security culture, you must evaluate how behavior and attitudes shift over time. That’s where real transformation and risk reduction takes place.
How to create a security culture in your organization
Step 1: Leadership sets the tone
Leadership team commitment is non-negotiable.
Security culture doesn’t emerge from just the IT department. Leadership must model the behaviors they wish to see. This includes backing security training, praising security actions, and fostering psychological safety - where reporting errors doesn’t result in punishment but learning.
Building trust is essential for reducing decision-based errors and risky behaviors, which is why security should never be perceived as punitive. Psychological safety is a core component of security culture: when employees fear repercussions, reporting decreases and hidden issues increase. If people don’t feel safe reporting, they avoid it - or worse, hide it. That’s when things spiral.
Leaders must model secure behaviors, prioritize transparency, and foster this psychological safety to show that security isn't just an IT issue; it's everyone's responsibility. Security shouldn’t just be a topic in the IT team’s weekly sync. It should be part of the language used by the CEO, board, and business unit leaders.
At Hoxhunt, we tend to see that organizations with strong leadership buy-in experience quicker adoption and higher retention of security practices. Having dedicated advocates within teams who can relay feedback, concerns, and best practices can dramatically improve overall security posture and culture.
Step 2: Make security human and approachable
Focus on shifting attitudes first. Back when I was Head of Security Culture & Competence at H&M, I took a bold risk with our first security campaign.
I replaced traditional corporate imagery with vibrant, colorful backgrounds, playful visuals of animals in unicorn costumes, and positive taglines. The unicorn pug became our mascot, and employees loved it. It worked.
Security became approachable, even enjoyable and people started to think, "Security is trying something different. They seem approachable now!"
This change in perception was a game-changer. By humanizing security, we transformed perceptions, improved collaboration, and saw a significant increase in proactive security behaviors.
Employees tend to connect more deeply with relatable stories rather than abstract concepts. So, use real-life incidents, anonymized if necessary, as powerful teaching moments in regular training sessions - sometimes you have to be bold and unconventional in security awareness!
Step 3: Measure real behavior change
It’s not enough to just count who opens an email. Instead, measure employee behavior: how many report phishing simulations, how password security improves over time, and how secure behaviors are normalized in daily operations.
We've seen reporting rates for phishing simulations improve by 7x through targeted training and positive reinforcement. Metrics like phishing simulation reporting, password hygiene, and security survey results tell the real story.
At Hoxhunt, we don't just train to train - we train to reduce cyber risk. People who were trained with Hoxhunt were 6x less likely to click and 7x more likely to report threats.
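The behavior and engagement pillars above, and the reporting, click and failure rates in this step, are all derived from the same raw material: simulation events. The script below is an added example (not Hoxhunt’s code) showing how a practitioner would turn an event log into those metrics; the event schema (campaign, user, event, timestamp) and the sample rows are constructed for the illustration. It counts outcomes per user rather than per event, so one curious clicker does not inflate the failure rate, and it keeps a report that follows a click visible as both a failure and a report, because self-reporting after a mistake is exactly the psychological-safety signal the text asks for.

```python
"""Behavior metrics from phishing-simulation events (added example, not Hoxhunt's code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample. Assumed schema: (campaign, user, event, ISO timestamp).
# "sent" is delivery; "clicked"/"submitted" are failures; "reported" is the
# behavior we want; "opened" is engagement without a verdict either way.
EVENTS = [
    ("Q1", "alice", "sent",     "2025-01-10T09:00:00"),
    ("Q1", "alice", "clicked",  "2025-01-10T09:05:00"),
    ("Q1", "alice", "reported", "2025-01-10T09:20:00"),  # reported after clicking
    ("Q1", "bob",   "sent",     "2025-01-10T09:00:00"),
    ("Q1", "bob",   "clicked",  "2025-01-10T09:30:00"),
    ("Q1", "bob",   "clicked",  "2025-01-10T09:31:00"),  # repeat click counts once
    ("Q1", "carol", "sent",     "2025-01-10T09:00:00"),  # no action at all
    ("Q1", "dave",  "sent",     "2025-01-10T09:00:00"),
    ("Q1", "dave",  "reported", "2025-01-10T10:00:00"),
    ("Q1", "erin",  "sent",     "2025-01-10T09:00:00"),
    ("Q1", "erin",  "opened",   "2025-01-10T09:45:00"),
    ("Q3", "alice", "sent",     "2025-07-08T09:00:00"),
    ("Q3", "alice", "reported", "2025-07-08T09:03:00"),
    ("Q3", "bob",   "sent",     "2025-07-08T09:00:00"),
    ("Q3", "bob",   "clicked",  "2025-07-08T09:10:00"),
    ("Q3", "bob",   "reported", "2025-07-08T09:12:00"),
    ("Q3", "carol", "sent",     "2025-07-08T09:00:00"),
    ("Q3", "carol", "reported", "2025-07-08T09:30:00"),
    ("Q3", "dave",  "sent",     "2025-07-08T09:00:00"),
    ("Q3", "dave",  "reported", "2025-07-08T09:02:00"),
    ("Q3", "erin",  "sent",     "2025-07-08T09:00:00"),
    ("Q3", "erin",  "opened",   "2025-07-08T09:40:00"),
]

FAILURE = {"clicked", "submitted"}
KNOWN = {"sent", "opened", "reported"} | FAILURE


@dataclass(frozen=True)
class CampaignMetrics:
    recipients: int
    engaged: int          # any action beyond delivery
    failed: int           # clicked or submitted at least once (per user)
    reported: int         # reported at least once, including after a failure
    clean_reports: int    # reported without ever failing
    median_minutes_to_report: float | None  # delivery to first report

    @property
    def engagement_rate(self) -> float:
        return self.engaged / self.recipients

    @property
    def failure_rate(self) -> float:
        return self.failed / self.recipients

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients


def campaign_metrics(events) -> dict[str, CampaignMetrics]:
    """Collapse events to per-user outcomes, then aggregate per campaign."""
    sent: dict[tuple[str, str], datetime] = {}
    first_action: dict[tuple[str, str], dict[str, datetime]] = defaultdict(dict)
    for campaign, user, event, ts in events:
        if event not in KNOWN:
            raise ValueError(f"unknown event type {event!r}")  # catch schema drift
        key, when = (campaign, user), datetime.fromisoformat(ts)
        if event == "sent":
            sent[key] = when
        else:
            first_action[key].setdefault(event, when)  # keep the first of each

    # Only delivered recipients count; actions without a "sent" row are ignored.
    per_campaign: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for key in sent:
        per_campaign[key[0]].append(key)

    out: dict[str, CampaignMetrics] = {}
    for campaign, users in sorted(per_campaign.items()):
        engaged = failed = reported = clean = 0
        minutes: list[float] = []
        for key in users:
            acts = first_action.get(key, {})
            did_fail = bool(FAILURE & acts.keys())
            did_report = "reported" in acts
            engaged += bool(acts)
            failed += did_fail
            reported += did_report
            clean += did_report and not did_fail
            if did_report:
                minutes.append((acts["reported"] - sent[key]).total_seconds() / 60)
        out[campaign] = CampaignMetrics(
            recipients=len(users), engaged=engaged, failed=failed,
            reported=reported, clean_reports=clean,
            median_minutes_to_report=median(minutes) if minutes else None,
        )
    return out


def improvement(before: CampaignMetrics, after: CampaignMetrics) -> dict[str, float]:
    """Ratios of the kind quoted in the text ("Nx more likely to report")."""
    inf = float("inf")
    return {
        "report_rate_x": after.report_rate / before.report_rate if before.report_rate else inf,
        "failure_rate_x_lower": before.failure_rate / after.failure_rate if after.failure_rate else inf,
    }


if __name__ == "__main__":
    metrics = campaign_metrics(EVENTS)
    for name, m in metrics.items():
        print(name, m)
    print(improvement(metrics["Q1"], metrics["Q3"]))
```

Tracking `clean_reports` and `median_minutes_to_report` separately from the headline rates matters in practice: a rising report rate with a falling time-to-report is the trend that shortens the window a real phish stays live, whereas a report rate inflated by people who clicked first tells a different story about ability and prompts.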
Step 4: Make participation easy
Simplify the experience. If reporting a phishing scam takes more than a click, it won’t happen. Behavioral nudges only work when paired with high usability. Even the best tools won’t help reduce security breaches if they're not intuitive and easy to use.
Friction kills engagement. Motivation matters, but so does accessibility. One-click reporting buttons and micro-learning modules integrated into daily workflows drastically improve participation and effectiveness.
And the same goes for simulation difficulty. You probably don't want to teach everyone about the most advanced attacks right away; start with the basics and build from there.
Step 5: Brand your security culture
Security measures should have a recognizable identity. Whether it’s a mascot or a tagline, branding improves recall and engagement. Behavior change challenges become easier to tackle when programs have emotional appeal and a clear value proposition. Cultural branding helps normalize cyber security awareness within the organizational culture.
The end goal is about making security something people want to be associated with - so how can you make your program memorable and enjoyable?
Branding your security culture is about making security positive, engaging, and relevant. Positive means making things a little bit fun, a little bit different, to stand out from the crowd.
Break the mold and surprise your employees to capture their attention. People can spot empty corporate speak a mile away. Meet people where they are and make your message genuine and meaningful.
A strong and approachable brand around your security program not only boosts employee engagement but also creates internal advocates who willingly champion security practices.
Step 6: Listen to employees
To effectively enhance security culture, start by listening.
Put yourself in the employees’ shoes and try to understand their challenges. Use surveys and focus groups to uncover resistance points. Behavioral insights often surface when you create safe spaces for feedback. Understanding how people actually navigate their systems, the security policies, and the default settings they are given reveals where risky behaviors come from.
Employees aren't ignoring security initiatives intentionally; they often have valid reasons or obstacles. Listening instead of talking first can make a profound difference in driving culture change.
Listening actively to employees helps identify potential vulnerabilities that might otherwise go unnoticed and make sure you're creating opportunities for employees to give feedback on security initiatives regularly.
Step 7: Provide constructive feedback
Reward secure behaviors. Whether it’s public praise or a spot on the leaderboard, reinforcing positive behavior builds momentum. Recognizing correct everyday decisions turns good intentions into habits and reduces risky behavior more broadly.
At Hoxhunt, employees receive instant feedback every time they report a suspicious email. This feedback reinforces positive behaviors, making employees more likely to repeat them. For real threats, employees are promptly thanked, reinforcing the critical role they play in organizational security.
Immediate feedback creates a positive reinforcement loop, motivating employees to repeat secure behaviors and continuously improve their security habits. Simple praise and acknowledgment help build a positive security experience and motivate employees to keep participating proactively.
Need to make the business case? Here's the impact of building a strong cyber security culture
- According to the 2021 Cybersecurity Culture Study, organizations with a strong cybersecurity culture are 5.5x more likely to have well-defined security policies and procedures in place.
- Research from the Aberdeen Group reveals that companies with a strong security culture experience 50% higher employee awareness of security risks compared to those with a weak culture.
- A study by the Institute of Information Security Professionals (IISP) found that organizations with a strong cybersecurity culture are 70% more likely to meet compliance requirements for data protection regulations.
- Data from the Cybersecurity Culture Assessment Survey conducted by SecurityScorecard shows that companies with a strong cybersecurity culture are 3 times more likely to have executive support for cybersecurity initiatives.
- Our own Phishing Trends Report found that when training is based on changing behavior, you can build a strong security culture that actually reduces risk. Employees can be trained to recognize and report social engineering attacks with a 6x improvement in 6 months, and reduce the number of phishing incidents per organization by 86%.

Moving from behavior change to culture change
Security culture isn't built by security teams alone - it's shaped by how employees perceive those teams. Historically, security was seen as "the department of 'No,'" creating barriers rather than partnerships.
People need to see security as approachable and helpful, not punitive. At Hoxhunt, we've deliberately shifted that narrative through an adaptive and security-first company culture. We've built a culture of positive reinforcement rather than punishment.
For instance, when someone leaves their laptop unlocked at Hoxhunt HQ, colleagues can playfully leave a message to the team stating "hacked," not as punishment, but as a friendly, educational reminder.
These small, positive interactions - rather than strict security protocols that feel punitive - help integrate security seamlessly into daily routines. Micro-moments create broader cultural buy-in and remove any fear of reprisal, encouraging a proactive and security-conscious environment.
We've traditionally pushed security concerns onto employees based on what security leaders prioritize. But it's far more powerful if we understand what employees genuinely care about and align our communication accordingly.
Building a robust security culture requires a collective mindset, where everyone, regardless of their role, feels personally invested. Encouraging this personal investment is key to cultivating a genuinely resilient and adaptive security-first mindset across the entire organization.
"The best thing is when individuals have a personal investment in maintaining the actual security culture - even if it’s not their job title." - Dominick Frazier (Security Behavior & Thought Leader)
Staying ahead of emerging threats
Cybersecurity threat trends don’t wait for quarterly reviews. Cyber attacks evolve rapidly, and so must security awareness training.
At Hoxhunt, we roll out phishing simulations every two weeks informed by real cyber threats spotted in our 3M+ user network. When a new phishing scam or attack type emerges - whether it’s deepfake voice calls or QR-based social engineering techniques - we simulate it immediately.
Right now AI is raising the bar - and the stakes - for cybersecurity education. What was once a human-dominated domain might not be for much longer.
AI agents developed by the team here at Hoxhunt created more effective simulated phishing campaigns against millions of global users than our elite human red teams could.
- In 2023, AI was 31% less effective than humans
- In Nov. 2024, AI was 10% less effective than humans
- But in March 2025, AI was 24% more effective than humans
If you’re not adapting your content based on actual security threats, you’re preparing for yesterday’s problems.
But AI can also bolster defense. With behavioral insights and data-driven feedback, we now personalize employee risk training at scale, adjusting difficulty and adapting delivery to each user’s role, location and language.

When it comes to defending against these attacks, old-school advice won’t cut it. Tactics like checking for spelling and grammar mistakes don’t hold up against AI-written lures; instead, teach people to recognize how a message makes them feel. If it’s urgent, emotional, unexpected - and asking for action - then verify, through a channel you already trust (a known phone number or the official portal) rather than by replying to the message itself.
AI may be used to enhance cyber attacks... but it can also be used to prevent them. How do you meet people where they’re at - at scale? Well, AI allows us to personalize training and communication across thousands of employees with the right context.
Key takeaways
- Ensure senior leadership commitment and buy-in as a strategic priority.
- Make sure you have ongoing, interactive training programs and phishing simulations tailored to the evolving security landscape.
- Build a robust security culture through regular, constructive feedback and recognition of positive security actions, avoiding punitive approaches.
- Use adaptive and engaging security platforms to ensure employee education actually sticks and translates into behavior change.
- Continuously monitor and audit your organization's security culture through metrics that measure actual behaviors, attitudes, and security-conscious actions.
- Promote a proactive, security-first mindset and collective responsibility throughout the entire organization, ensuring every employee feels personally invested in maintaining a secure environment.
Building a robust security culture isn't quick or easy - but it's achievable. Don't force people; inspire them. Don’t punish; reward. Don’t frustrate; simplify.
By combining behavioral science with empathy and creativity, you'll create not just compliance, but cybersecurity champions. Ultimately, we want employees to feel they’re part of the solution... because they genuinely are.
Reduce risky behaviors and build a real security culture with Hoxhunt
Traditional awareness training tends to be boring, doesn't stick and most of the time, people just click through it.
At Hoxhunt, we realized that if we genuinely wanted people to change their behaviors, we needed to rethink the entire approach. So, we built Hoxhunt's security awareness training specifically to coach away risky behaviors through personalized, engaging experiences.
No generic slideshows or passive modules - every employee gets their own tailored learning path, complete with realistic phishing simulations and interactive micro-learning.
Many organizations with legacy SAT (security awareness training) models struggle to get engagement above 10%, and they have limited visibility into whether their teams can truly spot and report potential threats.
With Hoxhunt, companies don't just see a slight uptick - they see a transformation. Engagement rates skyrocket to over 90%, failure rates plummet, and threat detection rates climb steadily, creating sustainable resilience across the entire organization.

Overall organizations training employees using Hoxhunt tend to see:
- 20x lower failure rates
- 90%+ engagement rates
- 75%+ detect rates
How do we achieve these outcomes?
Personalized simulations at scale
We deliver phishing simulations across email, Slack, or Teams using AI to mimic the latest, real-world attacks. Simulations are personalized to each employee based on department, location, and more, while instant micro-trainings solidify understanding and drive lasting safe behaviors.
Ensure compliance and maximize engagement with gamified training
Trigger interactive, bite-sized security awareness trainings that boost completion rates and coach away risky behaviors. Hoxhunt allows you to select from a library of customizable training packages, or generate your own with AI to meet the needs of your business.
Build a measurable security culture
Motivate employee participation with positive, reward-based incentives and instantly trigger relevant training when an employee takes a risky action, like sharing sensitive company data or using a USB stick.
Hoxhunt gives you real-time behavioral data that reveals risky employee behaviors, helping you identify where to focus your training efforts while minimizing employee disruption.
Creating a company culture for security FAQ
How do you start changing a negative perception of security within an organization?
First you need to understand why people feel that way. Employees usually have valid reasons for acting the way they do. Create focus groups or informal chats with genuine empathy and humility to uncover these reasons.
Should security training be incremental or rolled out as a major, company-wide relaunch?
There is no single right answer. A big launch creates noticeable excitement and clearly signals change, but gradual implementations can also work, depending on your organizational context.
What role does leadership play in driving culture change?
Leadership is extremely important. The actions and words of senior leaders significantly shape the culture of the company. Their support accelerates the adoption of secure practices across the entire organization.
How do you handle employees who resist or ignore security protocols?
Always start by listening. Put yourself in their shoes to truly understand their perspective. Often there are underlying issues - address these directly and constructively. Avoid punishment; use positive reinforcement instead.
What are the first signs of a successful shift in cybersecurity culture?
You’ll quickly see increased reporting rates of suspicious emails and reduced click rates on phishing simulations. But the most telling sign is when employees start actively discussing security positively and proudly within your organization.
Sources
Seven Reasons Why Your Company's Security Training Isn't Working – Forbes Tech Council
Research from Aberdeen Group and Wombat Security – Yahoo Finance
ISC² 2021 Cybersecurity Workforce Study – IAPP
Gartner Unveils Top Eight Cybersecurity Predictions for 2024 – Gartner
State of Cybersecurity 2021 Infographic – ISACA
The Role of Human Error in Successful Cybersecurity Breaches – Keepnet Labs