How to Achieve 90%+ Reporting and Completion Rates (Without Forcing Anyone)

Achieving high reporting rates on phishing simulations or completion rates on security awareness training is a goal for almost every cybersecurity team. It’s often a KPI, reported to senior leadership.

While I'm not a fan of following up on completion rates, it's clear that the more people are engaged, the more they become an active part of your human defense layer.

But getting there? That’s a challenge.

Most team stay stuck between 10-40% when training is voluntary.

With Hoxhunt, on average more than 60% of employees are engaged in the training after just one year.

‍But some organizations manage to push past 85%, even into the 90s. What's their secret?

‍

What's the cost of making training mandatory?

When numbers stall, many turn to the obvious lever: enforcement.

"If you don’t complete the training by next Friday, your account will be suspended."

"If you don’t report phishing emails, your access to the internet will be restricted."

These tactics can boost numbers quickly. But they come at a high cost.

People comply, but they don't learn.

Worse, they start resenting security.

Adults don’t like being forced. When they associate cybersecurity with punishment or coercion, they disconnect emotionally.

The next time you need them to do something - report an incident, follow a new policy, or even just listen - they'll be less likely to do so.

It becomes a vicious cycle: the more you push, the more resistance you create.

And so you push harder.

And people resist more.

This is not just anecdotal. Research in psychology- notably Self-Determination Theory (Ryan & Deci, 2000) - shows that when people feel controlled, their intrinsic motivation drops.

They may comply temporarily, but long-term engagement suffers. In environments that feel coercive, people often disengage, avoid the task, or do the bare minimum.

‍

Psych insight: What is self-determination theory?

Developed by psychologists Edward Deci and Richard Ryan, Self-Determination Theory (SDT) identifies three core human needs that foster motivation and engagement:

• Autonomy: the sense of having control over your actions

• Competence: the feeling that you can succeed and improve

• Relatedness: the desire to feel connected and part of a group

When these needs are satisfied, people are far more likely to engage deeply, learn effectively, and build habits that stick.

Reference: Ryan, R. M., & Deci, E. L. (2000). Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. American Psychologist, 55(1), 68–78.

‍

1. Collective motivation: make it a team win

I've worked with two organizations who decided to tie reporting and completion rates to team or department-level objectives.

Each department could freely select from a list (the same list for the whole company) 3-4 key goals per year. Cybersecurity reporting or completion rate was one of the goals in the list. If the department hit its goals, everyone received a bonus.

It wasn’t a punishment if they didn’t succeed.

It was a reward if they did.

Because the department chose the objective, they had agency - or autonomy, as per the Self-Determination Theory.

And when the bonus depended on the collective achievement, team leaders took ownership. Cybersecurity became a shared priority—not something "pushed" from above.

One organization even held a year-end celebration for departments that reached all their targets, with cybersecurity mentioned and celebrated alongside revenue and customer satisfaction.

This public recognition helped embed cybersecurity into the department’s identity and culture.

You can also go beyond bonuses.

Some companies offer extra team-building budgets, social outings, or even trophy-style awards for departments with the best reporting or completion metrics.

These create a friendly sense of pride and ownership - and turn cybersecurity into a visible win.

‍

2. Individual motivation: gamify, recognize, reward

Gamification is not a gimmick.

It’s a powerful psychological lever. People are wired for progression, feedback, and recognition.

Hoxhunt is deeply gamified by design.

It includes:

• Stars: You earn stars every time you report a phishing simulation or complete a training module.

• Badges and achievements: These mark key milestones and help users track their progress visually.

• Leaderboards: Employees can see where they rank, and departments or countries can also see how they do against each other, triggering healthy competition.

• Adaptive difficulty: The more skilled users become, the harder their challenges get.

These built-in mechanics mean that recognition, challenge, and feedback are part of every interaction. This isn’t about gimmicks; it’s about creating a sense of agency and mastery.

At one company, I also ran a more formalized quarterly phishing competition.

Top reporters earned swag items and got recognized in internal comms.

We also highlighted the top-performing departments. 

The swag didn’t cost much. But it was exclusive.

It made people feel like part of something special (remember the "relatedness" element of the Self-Determination Theory).

This article in the intranet was the one that systematically received the most engagement, every quarter, making the communications department jealous!

And don’t underestimate the power of the personal touch.

In one company, every time someone reached 10 reported phish, they received a personalized thank you email from a senior leader.

That alone drove significant increases in long-term engagement.

‍

3. Make it easy: friction kills engagement

Motivation matters. But so does accessibility.

Want more people to complete training?

Keep it short.

No 20-minute video, no 45-min e-learning.

Micro-learning moments that are under two minutes but distributed continuously help make security seamless and part of the daily workflow.

Want more people to report?

Add a one-click button to their inbox.

Make it visible, colorful, without any latence when people click on it.

Make sure people can access the training and reporting platform without friction:

• Hoxhunt supports Single Sign-On (SSO), which means employees can jump in and out of the experience without logging in again.

• The platform is available in 37 languages, making it accessible to a truly global workforce and helping people absorb information in their native language.

• Finally, the UI and UX are modern, clean, and intuitive, with a focus on simplicity. The design feels more like a consumer-grade app than traditional corporate training software.

But above all: make the content relevant.

How can we expect people to engage with content that is not targeted and helpful to them?

• Customize the training to your organization, policies and culture. Off-the-shelf training is helpful, but spending some time to customize it makes it a million times better.

• Tailor training by role. Warehouse staff need different examples than finance teams..

• Adjust difficulty based on ability. Hoxhunt’s adaptive phishing does exactly that—you get more challenging simulations as you succeed, and easier ones if you struggle. This aligns with the "Zone of Proximal Development" concept from Vygotsky.

When content is easy, relevant, and appropriately challenging - and available in the right format and language - people engage.

Let’s not forget an obvious but powerful tool: reminders.

Hoxhunt allows you to send reminders via email, Microsoft Teams, or Slack when someone misses a training or simulation.

These reminders can even be sent to their manager, which gently reinforces accountability without needing to escalate.

It's a simple feature, but a remarkably effective one to keep participation high without ever needing to force it.

‍

4. Lead by example: make security part of the culture

If you want to sustain high engagement over time, security needs to go beyond training tools and KPIs.

It must become part of the company culture - a shared responsibility that’s talked about and led from the top.

The message is always more powerful when it doesn't just come from the security team.

I've seen organizations where the CEO consistently mentioned cybersecurity in every all-hands meeting.

Boards requesting regular updates on the company’s human risk posture.

Some companies even made cybersecurity one of their core values.

Mot buried in a policy, but visible on posters, onboarding decks, and performance reviews.

This kind of leadership support matters deeply:

• It tells employees this isn’t just a checkbox—it’s a strategic priority.

• It encourages team managers to follow through and create space for learning.

• It sets an example: “If our leaders take this seriously, so should I.”

And when senior leaders participate in campaigns - sharing their phishing scores, congratulating top reporters, or publicly thanking teams who improved their behavior metrics - it creates momentum.

That shared sense of purpose can’t be faked, and it’s often what takes reporting and training participation from good to outstanding.

‍

Final thoughts

You don’t need to be the bad cop to get great results.

If you want to push past 85% completion or reporting rates:

• Don’t force. Inspire.

• Don’t punish. Reward.

• Don’t frustrate. Simplify.

When you combine smart behavioral science with empathy and creativity, your people will not only engage - they’ll become cybersecurity champions.

And the best part?

They’ll actually want to do it again.