What Actually Drives Cybersecurity Behavior Change? According to Real Hoxhunt Data

How do you achieve cybersecurity behavior change? A breakdown of how science-based training transforms awareness into real-world risk reduction.

Updated April 24, 2025

For years, the answer to human-related cybersecurity risks has been “awareness training.”

We created content, launched e-learning modules, and asked employees to remember best practices.

But the truth is: knowing isn’t doing.

I know broccoli is good for me.

But do I eat broccoli every day? Not really.

If we want to reduce human risk, prevent cybersecurity incidents, and build a strong security culture, we need to move beyond awareness.

We need to focus on cybersecurity behavior change - and that means rethinking how we train, communicate, and support secure decisions across the organization.

Awareness isn’t the problem anymore...

Back in the early 2000s, people didn’t even know what phishing was.

There was a time when security awareness training programs were critical just to explain what a virus is or why strong passwords matter.

Today, most employees already know cybersecurity threats are real.

They’ve taken training. They understand phishing attacks exist.

And yet…

Despite decades of training, the percentage of breaches involving the human element hasn't gone down.

This is supported by countless reports. Verizon's latest Data Breach Investigations Report estimates that 60% of data breach incidents are due to human error.

The human element is the weak link. And not because people don’t know the rules. It’s because we haven’t changed their habits.

Behavior change means going beyond compliance

Security awareness came from a need for education and compliance.

We needed to give people foundational knowledge.

And we needed to check a box.

Compliance still matters - especially in heavily regulated industries like finance or healthcare.

If you want to be in business, you need to be compliant.

You need to meet frameworks. You need to prove to regulators that you've conducted training.

But checking a box doesn’t mean your people will behave securely. That’s the difference.

Cybersecurity behavior change is about closing the gap between knowledge and action.

And that’s where most traditional security training falls short.

Behavior happens when design meets psychology

So what does actually change behavior?

We use behavior change models from behavioral science - specifically BJ Fogg’s B=MAP model and the COM-B Model - as the foundation of our approach at Hoxhunt.

Behavior happens when three things come together: Motivation, Ability, and a Prompt.

Let’s look at this through the lens of phishing.

1. Motivation

Motivation is the most instinctive of the three elements.

We tell people why it's important - 'good things will happen if you do it, bad things if you don’t.'

But motivation alone is not enough.

You have to make secure actions rewarding.

Every time someone reports a suspicious email in Hoxhunt, they get stars and badges and can see their scores on an org-wide leaderboard.

We’ve seen how this kind of friendly competition turns a boring task into something people want to do.

2. Ability

It must be easy to act securely.

That's why we make it a one-click option - and we adapt simulations to each employee’s level so they’re not too hard or too easy.

That’s key to building habits.

We personalize the learning journey for every employee. That’s how we keep them appropriately challenged.

This is rooted in what we call the 'zone of proximal development' - the sweet spot between challenge and skill.

3. Prompt

People need a trigger to act.

Our phishing simulations are the behavioral prompt.

They train the reflex to stop, think, and report.

So when the real thing happens, the instinct is there.

This combination - gamification, simplicity, and behavioral nudges - is what drives measurable behavior change at scale.

Hoxhunt allows users to turn up the heat of the training they're receiving by enabling Spicy Mode.

Why reporting matters more than clicking

Most security awareness programs focus on click rate - how many people fail a phishing test.

But that’s not the full picture.

Click rate never goes to zero. Even I’ve clicked before. What matters more is if someone reports the threat - that’s behavior change.

Focusing too much on failure also kills psychological safety.

If people feel punished for failing, they’ll hide their mistakes.

And if someone clicks on a real phishing link, that delay in reporting can be the difference between a near miss and a breach.

By contrast, a strong reporting culture means threats are caught faster, and cybersecurity issues are surfaced before they spread.

When we measure report rate, we have a better picture of who’s part of the solution. That’s how we build a human firewall.

Culture change starts with trust

Security used to be the department of no.

Or worse - Big Brother.

People didn’t feel safe asking questions or reporting issues.

This isn’t just bad for morale - it’s bad for response times.

Psychological safety doesn't just mean being soft... it’s a key factor in early breach detection. People report faster when they’re not afraid.

We’ve seen companies flip the script by making security approachable.

Some real-life examples:

  • One team created a culture where if you left your laptop unlocked, you owed the team pain au chocolat.
  • A global retailer launched security mascots - a raccoon for data privacy and a unicorn pug for phishing - to lighten the mood.
  • At Hoxhunt, employees talk about simulations over coffee like they’re sharing a joke.

That’s the difference between a cybersecurity strategy people tolerate and one they champion.

From awareness to action: what to measure

You can’t improve what you don’t measure.

And ‘completed training’ doesn’t tell you anything about secure behavior.

We recommend measuring four key areas:

  1. Awareness – Do people know what to do? (Quizzes, micro-training performance)
  2. Behavior – Are they doing it? (Phishing reporting, password habits, locking screens)
  3. Attitude – Do they feel like they’re part of the solution? (Surveys, peer-to-peer support, engagement with champions)
  4. Engagement – Are they opting in, not just checking out? (Participation in campaigns, voluntary learning)

When we combine these, we can actually show that we’re reducing human cyber risk - not just ticking off a box.


Keeping pace with a changing threat landscape

One challenge with traditional security awareness training tools is they teach to yesterday’s threats.

But phishing evolves. Fast. Especially with AI.

Our research found that AI agents can now out-phish elite human red teams, at scale.

In an ongoing AI Spear Phishing Agent experiment from 2023 to 2025, AI’s performance vs. humans improved by 55%.

AI attacks now outperforming humans

Staying ahead of new threats is vital.

We once rolled out a new simulation to 500,000 users within hours of seeing a real QR phishing campaign hit the wild.

Because we’re connected to real-time user reports across a wide range of industries, we can respond fast.

At Hoxhunt, our simulation team sits right next to our threat analysts.

If they see a new type of cyber attack, we replicate it within hours - like the Click-Fix malware technique using fake CAPTCHA pages.

That’s what makes Hoxhunt dynamic.

And that’s what it takes to prepare for forms of cybercrime that change overnight.

Does this approach work? A look at the results

One of the most compelling examples of cybersecurity behavior change comes from AES, a Fortune 500 global energy company.

Facing challenges with traditional security awareness training tools, AES wanted a solution that would effectively engage their workforce and measurably reduce human cyber risk.

By implementing Hoxhunt's behavior-based training platform, AES achieved remarkable results.

AES previous solution vs Hoxhunt
  • 526% increase in reporting rate: Employee engagement soared, with reporting rates climbing from an average of 11.5% with previous SAT (security awareness training) tools to 60.5% using Hoxhunt.
  • 79% decrease in failure rate: The rate at which employees clicked on phishing simulations dropped significantly, from 7.6% to 1.6%.
  • 2533% increase in resilience ratio: AES's resilience ratio - a metric comparing reporting to failure rates - jumped from 1.5 to 38.

These outcomes underscore the effectiveness of a behavior-focused approach to cybersecurity training.

AES's success story illustrates that with the right tools and approach, organizations can drive meaningful cybersecurity behavior change.

This isn’t just an incremental improvement. It’s a radical shift in risk posture.

And we hear it every day:

“Ohhh, you’re the team behind those Hoxhunt emails? They’re so cool. I almost clicked one yesterday - it was really good. I’ve got the leather shield now!”

That kind of response doesn’t come from punishment. It comes from positive behavior reinforcement.

The shift from training to transformation

Whether you call it human risk, security culture, or behavior change, what matters is the same: we’re not here to just train. We’re here to reduce real-world risk.

If we want people to do the right thing, we have to make it easy, make it clear, and make them feel like they’re part of something.

It’s time to evolve from awareness campaigns that just inform to programs that actually transform.

We want to show that our interventions change behavior. That they improve your cybersecurity posture. That they create secure habits at the individual level, and ripple through the organization.

Because cybersecurity behavior change isn’t about scaring people into compliance.

It’s about helping them understand where they fit in - and making it easy to play their part.

How Hoxhunt measurably changes employee behavior

At Hoxhunt, our approach to phishing training goes beyond traditional awareness programs by focusing on measurable behavior change.

Personalized, adaptive learning

Hoxhunt employs adaptive learning models that tailor phishing simulations to each user's skill level, ensuring that training remains challenging yet achievable.

This personalization keeps users engaged and promotes continuous improvement.

Gamification and instant feedback

Gamification makes training sticky.

Through a system of stars, badges, leaderboards, and rewards, Hoxhunt turns threat reporting into a game - one people actually want to play.

Instant feedback on actions helps reinforce positive behaviors and correct mistakes promptly.

Measurable results

You can train people on phishing, but unless you measure their actions - reporting, clicking, timing - you don't really know what behavior you're changing.

Data from our Phishing Trends Report indicates significant improvements in user behavior:

  • 9x increase in simulated threat reporting: Users became more proactive in identifying and reporting phishing attempts.
  • 10x increase in real threat detection: Enhanced training translated to better recognition of actual threats.
  • 33% reduction in median dwell time: Faster reporting led to quicker mitigation of potential breaches.

These aren’t vanity metrics. They reflect real risk reduction - from fewer clicked phishing links to more rapid detection and mitigation of cyber threats.
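The metrics named in the AES section (reporting rate, failure rate, resilience ratio) and in the list above (reporting, clicking, timing, median dwell time) can all be derived from one per-recipient record of a simulation campaign. The following is an added example, not Hoxhunt's own code or data: it computes those figures from a constructed ten-person campaign. It assumes "dwell time" means the time from delivery of the email to the recipient's report, and it treats the resilience ratio as reports divided by failures, as the AES section describes it; the names and the sample records are hypothetical.

```python
"""
Phishing-simulation behaviour metrics computed from per-recipient results:
report rate, failure (click) rate, resilience ratio, dwell time and time to
first report. Added illustration, not Hoxhunt code; sample data is constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class SimulationResult:
    """Outcome for one recipient of one simulated phishing email (hypothetical schema)."""
    user: str
    clicked: bool                     # did the recipient click the simulated lure?
    reported_after_s: Optional[int]   # seconds from delivery to report; None = never reported


# Constructed sample campaign of ten recipients (not real data).
SAMPLE_CAMPAIGN = [
    SimulationResult("alice", clicked=False, reported_after_s=120),
    SimulationResult("bob",   clicked=True,  reported_after_s=None),
    SimulationResult("carol", clicked=False, reported_after_s=300),
    SimulationResult("dave",  clicked=False, reported_after_s=None),
    SimulationResult("erin",  clicked=True,  reported_after_s=900),  # clicked, then reported anyway
    SimulationResult("frank", clicked=False, reported_after_s=60),
    SimulationResult("grace", clicked=False, reported_after_s=None),
    SimulationResult("heidi", clicked=False, reported_after_s=600),
    SimulationResult("ivan",  clicked=False, reported_after_s=None),
    SimulationResult("judy",  clicked=False, reported_after_s=180),
]


def report_rate(results):
    """Share of recipients who reported the simulation (the 'behavior' signal)."""
    if not results:
        return 0.0
    return sum(r.reported_after_s is not None for r in results) / len(results)


def failure_rate(results):
    """Share of recipients who clicked the lure (the traditional click rate)."""
    if not results:
        return 0.0
    return sum(r.clicked for r in results) / len(results)


def resilience_ratio(results):
    """Reports divided by failures; None when nobody failed, since the ratio is undefined."""
    reports = sum(r.reported_after_s is not None for r in results)
    failures = sum(r.clicked for r in results)
    if failures == 0:
        return None
    return reports / failures


def _report_times(results):
    return [r.reported_after_s for r in results if r.reported_after_s is not None]


def median_dwell_s(results):
    """Median delivery-to-report time among those who reported; None if nobody reported."""
    times = _report_times(results)
    return median(times) if times else None


def time_to_first_report_s(results):
    """Fastest report in the campaign, i.e. the earliest moment a SOC could act; None if no report."""
    times = _report_times(results)
    return min(times) if times else None


def summarise(results):
    """Bundle the metrics the way a programme dashboard would present them."""
    return {
        "report_rate": report_rate(results),
        "failure_rate": failure_rate(results),
        "resilience_ratio": resilience_ratio(results),
        "median_dwell_s": median_dwell_s(results),
        "time_to_first_report_s": time_to_first_report_s(results),
    }


if __name__ == "__main__":
    for name, value in summarise(SAMPLE_CAMPAIGN).items():
        print(f"{name:>24}: {value}")
```

Note that a recipient who clicks and then reports (erin in the sample) counts on both sides of the ratio: the click is still a failure, but the report is what shortens the window in which the SOC can act, which is why the post argues for tracking reports rather than clicks alone.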


We're not just training to train. We're training to reduce the risk.

Security is no longer a compliance activity. It’s an engagement strategy.

And with the right behavioral design, it becomes a team sport.

We don’t want training to live in isolation. It has to be connected to the broader processes - especially the SOC.

If someone reports a real phishing attempt, and the SOC acts on it in minutes, that’s how you lower the cost of cybercrime. That’s the real goal.

When we train people well, they don’t just recognize phishing simulations, they also recognize real threats in the wild... that’s the proof that behavior is changing.

Sources

IBM Cost of a Data Breach Report – IBM Security, 2023
Verizon Data Breach Investigations Report (DBIR) – Verizon, 2024
Fogg Behavior Model – Behavior Design Lab, Stanford University
The COM-B Model for Behavior Change – The Decision Lab
ClickFix: The Social Engineering Technique Hackers Use – Group-IB, 2024
