What Actually Drives Cybersecurity Behavior Change? According to Real Hoxhunt Data

How do you achieve cybersecurity behavior change? A breakdown of how science-based training transforms awareness into real-world risk reduction.


Updated
May 27, 2025
Written by
Maxime Cartier

For years, the default answer to the 'human problem' in cybersecurity was simple: tell people what not to do.

So that's what we did: produced videos, built e-learnings, rolled out annual compliance trainings. We taught the right facts. We explained the risks. We asked people to remember them.

But knowing isn’t doing. And doing isn’t sustaining. If the goal is to actually reduce human risk (e.g. cut down on real-world incidents, shift the cultural default toward secure behavior) we have to move past seeing awareness as the finish line.

Most people already know security matters. Most people know what phishing is. And yet we still see the same mistakes - credentials reused, emails clicked, reports delayed.

This isn’t a knowledge gap. It’s a behavior gap.

To close it, we need a shift in mindset. From education to enablement. From compliance to culture. From telling people what not to do… to helping them want to do the right thing, at the right moment, without friction.

We covered everything you need to know about changing employee behavior on the All Things Human Risk Management Podcast.

Awareness isn’t the problem anymore

Back in the early 2000s, people didn’t even know what phishing was. There was a time when security awareness training programs were critical just to explain what a virus is or why strong passwords matter.

Today, most employees already know cybersecurity threats are real. They’ve taken training. They understand phishing attacks exist.

Despite decades of training, the percentage of breaches involving the human element hasn't really gone down. This is supported by countless reports. Verizon's latest Data Breach Investigations Report estimates that 60% of data breach incidents are due to human error.

The human element is the biggest risk. And not because people don’t know the rules. It’s because we haven’t changed their habits.

We've done security awareness for a long time. But what we've seen is that it doesn't work - or it has at least a limited impact. Knowledge is not enough. It's not because you know about something that you're going to change your habits.

Behavior isn’t just downstream of information - it’s shaped by environment, incentives, ease, and timing. So if we want to fix the human side of cyber risk, we can’t stop at awareness. We have to do the harder work: helping people build habits. Helping them act, not just know.

Behavior change starts where compliance stops

Let’s be clear: compliance is not the enemy.

Security awareness programs didn’t appear out of thin air. If you want to be in business... you need to check the box. You need to be compliant. Especially in heavily regulated industries.

And that box still matters. Especially if you're in finance, healthcare, or any sector where the cost of non-compliance comes with heavy fines, audits and lost contracts. We’re not here to dismiss it.

But compliance tells you what you must do. It says nothing about whether it worked. Training someone doesn’t mean they’ve changed their behavior. Checking the box doesn’t mean they’re secure.

This is where most traditional programs stall out. They focus on input: did the training go out? Did people click through it?

But cybersecurity behavior change is about outcomes. Did this training actually shift how people act when no one’s watching? When the phish lands? When they’re moving fast?

The gap between knowledge and action is where the risk lives. And bridging that gap is what behavior change is actually about. Not compliance. Not content. Not checklists. It's about habits, decisions, and measurable shifts in how people act.

Behavior changes when design meets psychology

So what actually drives behavior change? It’s not just more cybersecurity awareness campaigns. It’s not reminding people what “not” to do. And it’s definitely not fear.

At Hoxhunt, we ground our behavior change program in established models from behavioral science - specifically BJ Fogg’s B=MAP model and the COM-B Model. These are well-documented frameworks from applied sciences and behavioral economics that map how human behavior actually shifts in complex environments.

Behavior = Motivation × Ability × Prompt.

If even one of those is missing, the action won’t happen. And in the context of cyber security risks, every missing action compounds.


1. Motivation

This is where most traditional security awareness training starts - and stops. We tell people phishing is bad. That secure practices protect the company. That clicking the wrong link could trigger a security incident.

That’s useful... but incomplete. Motivation alone isn’t enough. You also need to make secure actions rewarding.

In the Hoxhunt platform, reporting a suspicious email isn’t just a security action - it’s a small win. Employees earn stars, badges, and rise on team leaderboards. This light gamification (designed with behavioral nudges in mind) transforms reporting into a repeatable behavior people want to do.

We’ve seen employee behavior shift drastically through these mechanisms. Not from punitive feedback, but from a shared, positive security culture. It turns what used to be a compliance behavior into a source of team pride.

2. Ability

Here’s where most behavior change interventions collapse: friction. If something’s hard, people won’t do it - especially in the middle of daily operations.

So we remove friction entirely...

  • One-click option to report.
  • Adaptive difficulty in simulations.
  • Personalized journeys calibrated to each user’s skill level.

This is the “zone of proximal development” in action. It's an essential element in behavior design. Too easy? It’s boring. Too hard? It’s punitive. But if you hit that sweet spot, people grow.

By tailoring challenge to competence, we don’t just reinforce secure practices, we actually build the kind of muscle memory that sustains improved security posture over time.

3. Prompt

Motivation and ability are necessary but behavior still won’t happen without a trigger.

That’s what our phishing simulations are: contextual nudges that prompt action in real-world conditions. Not once a year. Frequently. Because behavior is shaped through practice, not policy.

Each simulation is a behavioral rehearsal. Over time, the prompt-response loop strengthens. Reporting becomes instinct. And when the real phishing scam hits the inbox, the decision-making process is automatic - people act, not just intend to.

The simulations themselves are a prompt to report. When we combine motivation, ability, and prompt we see actual, measurable behavior change.

Hoxhunt allows users to turn up the heat of the training they're receiving by enabling Spicy Mode.

Click rate isn’t the signal. Reporting rate is.

Most security awareness programs are still stuck on click rate. How many people clicked the phishing simulation? Who failed the test? But that’s not just a limited view... it’s a risky one.

Click rate never goes to zero. We've all clicked before. What matters more is if someone reports the threat - that’s behavior change.

If you optimize your program around avoiding every mistake, you’re setting yourself up to fail. There will always be someone who clicks. The question is what happens after.

This is where psychological safety matters. When people feel punished for failure, they don’t speak up. They hide mistakes. They hesitate to report. And in cybersecurity, that delay is dangerous.

Focusing on click rate alone damages psychological safety. People fear they’re being monitored or judged. So when something real happens, they stay silent. That’s not how you build a culture of security awareness. That’s how you build fear.

If you focus on reporting rate, you start measuring not who failed but who acted. Who saw something suspicious and chose to do something about it. Who’s part of the solution. It tells you who’s actually taking action to protect the company. And it’s the metric that keeps improving as people engage.

A strong reporting culture doesn’t just reduce your average cost per incident. It makes your security team faster, your response time tighter, your organization more resilient.

The goal of security awareness programs isn’t perfection. It’s participation. And if we want employees to feel like trusted partners - not potential liabilities - we need to reward action, not punish error.

From awareness to action: What actually deserves a metric

You can’t improve what you don’t measure. But most security awareness programs still track the wrong things. “Completed training” sounds good on a slide deck. But it tells you nothing about whether someone will spot a phishing scam or lock their screen before leaving their laptop.

We’re not just training for the sake of it. We want to actually change behaviors. We want to actually reduce risk.

So what should we be measuring? At Hoxhunt, we use a four-part framework rooted in behavior science and refined through field experience.

1. Awareness (Knowledge)

Start with the basics. Do people know what to do? This is where quizzes and micro-trainings still matter - but only as one piece of the puzzle. They show whether people understand the risks, not whether they’ll act on them.

2. Behavior

This is the critical leap: are people applying what they know? Behavior is whether people report phishing. Whether they create strong passwords. Are they locking their screen when they leave their desk?

Behavior is where knowledge meets decision-making. And it’s where your risk posture actually shifts.

3. Attitude

Do people feel like security is something they own... or something that just happens to them? Do they feel that leadership talks about cybersecurity? That it’s something discussed at the watercooler?

This is your early sign that you're impacting culture. If people feel it’s safe - and even expected - to act securely, you’re on the right track.

4. Engagement

Are people opting in? Not just completing required training, but choosing to participate. Reading the campaign emails. Chatting with security champions. Volunteering for pilot programs.

We want to measure not just knowledge, not just compliance, but voluntary engagement. Because that’s what tells us people are actually invested.

Keeping pace with a threat landscape that doesn’t sit still

One of the biggest gaps in traditional security awareness programs? They train people for last year’s threats.

That’s a dangerous lag. Because phishing doesn’t sit still, and in the age of generative AI it’s evolving at speed. We can't just train people about what was real 10 years ago… what was real back then might be very low risk today.

Our own data backs this up. In an ongoing AI spear phishing agent experiment from 2023 to 2025, AI’s performance vs. humans improved by 55%.

To keep up, your defenses need to be as dynamic as the threats. That’s why, when a real QR phishing campaign hit the wild, we launched a simulation based on it within hours. Over 500,000 users trained on it before most people even knew it was trending.

We have millions of users reporting phishing emails to us - so when a new campaign starts, we see it immediately.

Here’s how it works under the hood: our threat analysts and simulation creators sit on the same team. When they see a new tactic (like the ‘Click-Fix’ malware technique using fake CAPTCHA pages) we replicate it, fast. Sometimes within the day. Every other week we release new training. New simulations. Based on what we see happening in the field.

This isn’t just about speed - it’s about fidelity. If your simulations don’t reflect what attackers are actually doing right now, you’re not preparing people. You’re just checking a box.

At Hoxhunt, we’ve built a system that adapts in real time. You can’t out-phish AI by staying static. But you can build human resilience that learns faster.


Does this approach work? A look at the results

One of the most compelling examples of cybersecurity behavior change comes from AES, a Fortune 500 global energy company.

Facing challenges with traditional security awareness training tools, AES wanted a solution that would effectively engage their workforce and measurably reduce human cyber risk. By implementing Hoxhunt's behavior-based training platform, AES achieved remarkable results.

AES's previous solution vs. Hoxhunt:
  • 526% increase in reporting rate: Employee engagement soared, with reporting rates climbing from an average of 11.5% with previous SAT tools to 60.5% using Hoxhunt.
  • 79% decrease in failure rate: The rate at which employees clicked on phishing simulations dropped significantly, from 7.6% to 1.6%.
  • 2533% increase in resilience ratio: AES's resilience ratio - a metric comparing reporting to failure rates - jumped from 1.5 to 38.

These outcomes underscore the effectiveness of a behavior-focused approach to cybersecurity training.

AES's success story illustrates that with the right tools and approach, organizations can drive meaningful cybersecurity behavior change. This isn’t just an incremental improvement. It’s a radical shift in risk posture.

And we hear it every day:

“Ohhh, you’re the team behind those Hoxhunt emails? They’re so cool. I almost clicked one yesterday - it was really good. I’ve got the leather shield now!”

That kind of response doesn’t come from punishment. It comes from positive behavior reinforcement.

The shift from training to transformation

Whether you call it human risk, security culture, or behavior change, what matters is the same: we’re not here to just train. We’re here to reduce real-world risk.

If we want people to do the right thing, we have to make it easy, make it clear, and make them feel like they’re part of something.

It’s time to evolve from awareness campaigns that just inform to programs that actually transform.

We want to show that our interventions change behavior. That they improve your cybersecurity posture. That they create secure habits at the individual level, and ripple through the organization.

Because cybersecurity behavior change isn’t about scaring people into compliance.

It’s about helping them understand where they fit in - and making it easy to play their part.

From training to transformation

Call it human risk. Call it behavior change. Call it a culture of security awareness.

The name doesn’t matter as much as the mission: we’re not just here to train people. We’re here to reduce risk for real. We’re not just having events to have people come to the event and be happy about it… we want to actually change behaviors. We want to reduce the risk.

That means shifting the role of security awareness programs from knowledge delivery to habit design. If we want people to do the right thing when it matters we have to design for it. Make it easy. Make it obvious. And make it feel like they’re part of something bigger.

Security can’t live in isolation. It has to be embedded in culture. Supported by leaders. Owned by teams. Built into daily operations. Real transformation happens when people understand where they fit in and feel empowered to act.

We’re not just changing individual behaviors. We’re creating habits that ripple across teams. That improve the overall security posture. That make people part of the solution.

So yes, run the campaigns. Share the tips. But don’t stop there. Because if we want to reduce cyber security risks at scale, we have to go beyond informing. We have to transform how people think, how they act, and how they see themselves in the story of cybersecurity.

How Hoxhunt changes behavior to drive real-world impact

At Hoxhunt, our approach to training goes beyond traditional awareness programs by focusing on measurable behavior change.

Personalized, adaptive learning

Hoxhunt employs adaptive learning models that tailor phishing simulations to each user's skill level, ensuring that training remains challenging yet achievable. This personalization keeps users engaged and promotes continuous improvement.

Gamification and instant feedback

Gamification makes training sticky. Through a system of stars, badges, leaderboards, and rewards, Hoxhunt turns threat reporting into a game - one people actually want to play.

Instant feedback on actions helps reinforce positive behaviors and correct mistakes promptly.

Measurable results

You can train people on phishing, but unless you measure their actions - reporting, clicking, timing - you don’t really know what behavior you’re changing.

Data from our Phishing Trends Report indicates significant improvements in user behavior:

  • 9x increase in simulated threat reporting: Users became more proactive in identifying and reporting phishing attempts.
  • 10x increase in real threat detection: Enhanced training translated to better recognition of actual threats.
  • 33% reduction in median dwell time: Faster reporting led to quicker mitigation of potential breaches.
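The metrics this post leans on (reporting rate, failure rate, the resilience ratio that compares the two, and median dwell time) can be computed from any simulation log. The block below is an added example, not Hoxhunt's own code; it assumes a constructed one-row-per-delivered-phish log and, for dwell time, assumes it means minutes from delivery until the recipient reported the message. Relative change is reported as (new - old) / old, so a 9x rise shows as +800%.

```python
from statistics import median

# Constructed sample log, one row per simulated phish delivered:
# (period, user, clicked_link, minutes_until_reported or None if never reported).
# A user who clicks and then reports (u3, "after") counts in both rates.
EVENTS = [
    ("before", "u1", False, 90), ("before", "u2", True, None),
    ("before", "u3", True, None), ("before", "u4", False, None),
    ("before", "u5", False, 30), ("before", "u6", True, None),
    ("before", "u7", False, None), ("before", "u8", True, None),
    ("before", "u9", False, None), ("before", "u10", False, None),
    ("after", "u1", False, 5), ("after", "u2", False, 12),
    ("after", "u3", True, 40), ("after", "u4", False, None),
    ("after", "u5", False, 8), ("after", "u6", False, None),
    ("after", "u7", False, 20), ("after", "u8", False, 3),
    ("after", "u9", False, None), ("after", "u10", False, None),
]


def period_metrics(events, period):
    """Reporting rate, failure rate, resilience ratio and median dwell for one period."""
    rows = [e for e in events if e[0] == period]
    n = len(rows)
    dwell_minutes = [e[3] for e in rows if e[3] is not None]
    failures = sum(1 for e in rows if e[2])
    reporting_rate = len(dwell_minutes) / n
    failure_rate = failures / n
    return {
        "reporting_rate": reporting_rate,
        "failure_rate": failure_rate,
        # Resilience ratio: reports relative to failures; a program with no
        # failures in the window is reported as unbounded rather than dividing by zero.
        "resilience_ratio": reporting_rate / failure_rate if failures else float("inf"),
        # Assumed definition (not from the post): median minutes from delivery to report.
        "median_dwell_min": median(dwell_minutes) if dwell_minutes else None,
    }


def pct_change(old, new):
    return (new - old) / old * 100.0


def compare(events, before="before", after="after"):
    """Percent change of each metric between two periods, skipping undefined baselines."""
    b, a = period_metrics(events, before), period_metrics(events, after)
    out = {}
    for key in b:
        if b[key] in (None, 0) or b[key] == float("inf") or a[key] is None:
            continue
        out[key] = round(pct_change(b[key], a[key]), 1)
    return out


if __name__ == "__main__":
    for period in ("before", "after"):
        print(period, period_metrics(EVENTS, period))
    print("change %", compare(EVENTS))
```

On the constructed log the reporting rate rises from 20% to 60% while the failure rate falls from 40% to 10%, so the resilience ratio moves from 0.5 to 6 even though one reporter also clicked.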

These aren’t vanity metrics. They reflect real risk reduction - from fewer clicked phishing links to more rapid detection and mitigation of cyber threats.


Security is no longer a compliance activity. It’s an engagement strategy. And with the right behavioral design, it becomes a team sport.

We don’t want training to live in isolation. It has to be connected to the broader processes - especially the SOC. If someone reports a real phishing attempt, and the SOC acts on it in minutes, that’s how you lower the cost of cybercrime. That’s the real goal.

When we train people well, they don’t just recognize phishing simulations, they also recognize real threats in the wild... that’s the proof that behavior is changing.

Sources

IBM Cost of a Data Breach Report – IBM Security, 2023
Verizon Data Breach Investigations Report (DBIR) – Verizon, 2024
Fogg Behavior Model – Behavior Design Lab, Stanford University
The COM-B Model for Behavior Change – The Decision Lab
ClickFix: The Social Engineering Technique Hackers Use – Group-IB, 2024
