One-size-fits-all security awareness training isn't effective.
Not because people don’t care about cybersecurity. Not because they’re lazy or ignorant. But because the training they're given was never built to work in the first place. It’s boring. Irrelevant. And worst of all - it’s forgettable.
At Hoxhunt, we’ve spent years redesigning what effective security awareness training should look like. We’ve rebuilt the experience from the ground up to reflect how adults actually learn, what keeps them engaged, and how we can help them form better security habits.
And yes, it works. We consistently see engagement rates above 90%.
On the All Things Human Risk Management Podcast, we dug into what actually makes security awareness training effective - from breaking out of compliance-only mindsets to building real behavior change.
Compliance is the floor, not the ceiling
One of the biggest misconceptions about security awareness training is that it's all about compliance. Compliance matters - every industry has regulatory requirements that companies have to meet.
But just because you're compliant doesn't mean you're secure.
Traditional security awareness training programs are often built to “check the box.” They're designed around policies, not people, and rarely help anyone change their behavior.
A strong security awareness training program is designed for people. It’s about making something employees use, not just something done to them. At Hoxhunt, we’ve flipped that thinking. Compliance isn't the end goal, it’s the baseline.
The true objective is to reduce human risk by embedding positive, proactive security behavior into everyday work.
How? By making security training:
- Frequent but non-intrusive
- Relevant to job roles
- Engaging and even fun
- Embedded into workflows
- Continuously adaptive to cyber threats
You can meet compliance and still build something that actually protects your people and your data. They’re not mutually exclusive. In fact, it’s easy to meet both of these needs… oftentimes, regulators want to see that training is active, consistent, and tied to risk reduction.
That last part is important - tied to risk reduction. Most regulatory requirements (from PCI DSS to GDPR to DORA) don’t mandate specific training formats or content. What they ask for is evidence that training is relevant, ongoing, and aligned with job roles.
A smarter way to train for compliance
At Hoxhunt, we don’t build training that just mentions compliance.
We design training that inherently fulfills it, while also being:
- Role-specific
- Actionable
- Short and respectful of people’s time
- Built on real-world threat scenarios
Hoxhunt auto-generates compliance-aligned learning paths based on user roles, risk levels, and industry. So if you’re in finance, you’ll get content mapped to DORA and PCI DSS. If you’re in healthcare, you’ll hit HIPAA alignment out of the box.
Our out-of-the-box training does this better, and sits closer to the compliance requirements, than much of the custom-made content that organizations try to build themselves. Why? Because we start with behavior. We ask, “What do people actually need to do?” And then we reverse-engineer the training from that, rather than reciting the regulation back at them.
You don’t need to train people on specific articles
One of the most common mistakes in compliance-focused SAT is assuming people need to memorize legal clauses.
Users only need to know what they need to do in a situation. They don’t need to know what regulation it’s tied to unless their job specifically demands that.
Let’s say GDPR mandates secure handling of personal data. Instead of training users on the legal definition of "personal data," we show them what to do with an unprotected Excel file containing customer information. We make the behavior simple, repeatable, and easy to recall.
Behavior is the best proof of compliance
Regulators don’t want to see completion certificates. They want evidence that your program is actually working.
We have clear data on engagement, reporting, behavior, threat recognition, and improvements… we help teams demonstrate that awareness is more than just a one-off task. This means when the audit comes, you’re not just showing a report that says “95% completed the annual module.” You’re showing:
- A steady increase in threat reporting
- A decrease in dwell time
- Fewer repeat clickers
- Adaptive learning journeys mapped to user roles and risks
This is what modern regulators are looking for: proof that your people aren’t just trained - but prepared.
The human element is still the biggest risk - but it doesn’t have to be
The human element is responsible for 60% of breaches. From phishing emails to social engineering threats, attackers know that the fastest way into an organization isn’t through a zero-day exploit. It’s through someone’s inbox.
And yet, the industry still struggles with how to train people effectively. That’s partly because so many programs ignore how adults learn. They treat users like students.
You can’t treat professionals like captive audiences. We’re not here to lecture... we’re here to support their success.
What adults need isn’t theory - they need tools. Real, actionable, in-the-moment guidance.
They need training that fits into their busy day, that respects their intelligence, and that gives them the confidence to spot and stop suspicious activity without fear of making mistakes. We’ve made that a core part of our security awareness training platform and the results speak for themselves.
Engagement starts with relevance and empathy
One of the biggest myths we bust every day is that security awareness is “extra work.” One-size-fits-all doesn’t work in security awareness training. A salesperson and a finance controller face very different cybersecurity threats. Our approach accounts for that.
If we’re looking at training finance people, we want to actually speak to them in language that they understand… not just saying, "keep an eye out for suspicious invoices", because that’s what they already do as a baseline.
Instead of generic warnings, we get specific. We show what a compromised invoice actually looks like. We point out the correct fields to scrutinize, and we deliver that message with a tone that treats the employee as competent - not naive.
This level of personalization isn’t a luxury... it’s a requirement. People tune out irrelevant content. They lean in when it reflects their reality.
This is where personalization is everything. Our training adapts based on:
- Role and department
- User risk level and behavior history
- Regional or industry-specific cyber threats
- Past interactions and learning paths
We’ve built a library of security awareness training content - but more importantly, it’s organized to target the right content to the right people at the right time. If it’s not relevant, it’s not effective.
Gamification isn’t a gimmick - it’s a game-changer
Yes, we use gamification. But it’s not about turning security into a game just for fun. It’s about motivating behavior change in a way that’s meaningful and sustainable.
At Hoxhunt, employees earn points, climb leaderboards, and get feedback every time they interact with a simulation or training. These are light, positive motivators. They don’t interrupt work. But they keep security top of mind.
We’ve seen entire departments compete over scores. Managers celebrate top performers. And engagement soars... not because we force it, but because we’ve made it intrinsically rewarding. It’s subtle, but motivating. People start to care. And once they care, they pay attention. That’s when real change happens.
Hoxhunt also adapts to user performance. If someone’s struggling, the system eases up. If they’re excelling, we increase the challenge. It’s what we call adaptive difficulty, and it’s part of how we personalize every employee’s learning journey.
What we’ve found is that the “game” isn’t the point - the progress is. Users aren’t just chasing points; they’re building confidence. They’re sharpening instincts.
This approach transforms security awareness training sessions into habit loops. These tiny, frequent wins reinforce behavior over time. Instead of relying on fear, shame, or passive content dumps, gamification gives people ownership. It taps into internal motivators and gives security a presence in their day without dominating it.
And it scales. Across hybrid work environments and global teams, gamification proves to be one of the key components for driving consistent engagement - without requiring more manual work from admins.
Hoxhunt users genuinely get excited about the leaderboard. Some departments even run competitions - with chocolate prizes. It sounds simple, but it’s one of the most effective aspects of our security awareness training methodology.
Use phishing simulations to reinforce learning
Phishing simulations are essential to put learning from security awareness training into practice.
Theory is great. But people learn best by doing. That’s why our approach pairs ongoing phishing simulations with dynamic training modules that reinforce the lessons.
Here’s what that looks like in practice:
- Employees get simulated phishing emails that mimic real-world cybersecurity threats
- If they fall for it, they’re redirected to a short, contextual lesson
- If they report it, they get positive feedback and earn points
- Over time, the system adapts difficulty and security awareness topics based on behavior
This blend of theory and application leads to behavior change that actually sticks. Simulations give people real practice in a safe environment. That’s where habit formation starts.
It’s not about catching people out - it’s about building confidence. So, when a real phishing attempt hits their inbox, they’ll know exactly what to do.
Every interaction sharpens awareness and reinforces positive security habits. Over time, we see fewer clicks, faster reporting, and a measurable decrease in security incidents.
For admins, simulations double as diagnostics. With robust reporting, you can track employee responses, identify weak points, and understand behavioral trends across roles. It’s one of the most effective components of any successful security awareness program.
This isn’t theoretical training... it’s applied learning, designed to reduce risk.
Psychological safety is key to engagement
Many traditional SAT programs still rely on fear. They punish users for failures, schedule remediation training during lunch hours, and shame repeat offenders. It’s not just cruel, it’s counterproductive.
Instead of punishing users, we empower them. We give instant feedback after a report. We celebrate success. We track progress with visual dashboards that show real growth. And yes - we gamify it all in a lighthearted, motivating way.
This approach doesn’t just improve morale, it leads to better results. People don’t fake engagement. They genuinely participate, and over time, they build muscle memory.
How we turn high training engagement into secure habits
Behavior change isn’t a one-off event. It’s a long game. If you want employees to not just learn, but actually act differently in high-stakes moments, you need to make secure behavior second nature. That’s the goal of security awareness: creating a security-conscious culture where positive employee behavior becomes the norm.
We’re not in the business of “gotcha” moments and we don't expect shifts overnight… just getting a foot in the door with someone who’s disengaged is massive. That’s why we focus on habit formation.
The idea is simple: small, consistent actions lead to lasting change.
Our adaptive training evolves with the user. Whether someone is a first-time clicker or a seasoned report pro, we nudge them forward at their own pace. This avoids both burnout and boredom - a major failure point for traditional SAT content.
People stay engaged… they can even build up excitement - which, for corporate training, can’t be said often.
Habits aren’t formed through fear
Traditional cybersecurity training still leans on fear to drive engagement - reminding users that one bad click could lead to costly security breaches or reputational damage.
Fear is a fantastic short-term motivator but if we constantly try to motivate people in this way, they’re just going to experience emotional burnout.
Instead, we use gamified learning experiences to support people through behavior change. Our security awareness training software focuses on building long-term security behaviors through encouragement, not shame. The result is less anxiety and stronger user awareness.
Hoxhunt uses simulated phishing attacks based on real-world scenarios, not just basic phishing templates, helping people form instincts that reduce human cyber risk.
You can almost see the gears in someone’s head shifting… Whether it’s a phishing simulation or deepfake training, they realize: this could actually happen to me.
That’s why we design every interaction to mirror real-world vulnerabilities. These aren't just concepts from a textbook; they're potential threats users will likely face. And the moment they realize that? That’s when security controls start becoming habits.
Habit building isn’t linear (and that’s OK)
Not every employee will respond to training the same way. Different employee roles, learning styles, and even departments require different nudges.
That’s why our platform adjusts difficulty levels and content based on behavior over time. As long as they keep giving us a chance, we can slowly bring them round… Just showing up with something relevant and human is sometimes enough to re-engage.
We don’t believe in overwhelming employees. Instead, we tailor the experience, minimizing cognitive load while maximizing impact.
Repetition builds resilience
This all adds up to something powerful: a workforce that’s not just compliant - but prepared.
It’s the consistency of Hoxhunt training that picks people up at the right moment - when they’re finally ready to change - and carries them forward.
With Hoxhunt, employees aren't just completing mandatory security awareness training. They’re building a reflex. They’re reducing the likelihood of security breaches. They're becoming part of a culture of vigilance.
And when they report suspicious emails, it’s not because they’re told to - it’s because they know it protects their team, their company, and their own work. That’s real return on investment. That’s a robust security culture.
Metrics that go beyond completion rates
Most security training programs track things like completion rates and quiz scores.
We do that too, but we go much deeper. Our real focus is behavioral metrics.
Engagement over time, reporting rates, repeat clicker reduction, and behavior change… this informs how quickly people report real threats and how they react during real incidents.
These metrics are about understanding how effectively your program is driving real reduction in risky behavior and enhancing resilience against security threats.
This is also why we care so much about “dwell time” - the gap between encountering a suspicious email and reporting it. A drop in dwell time indicates better instinctual responses. It means people are building reflexes, not just filling checkboxes.
Most vendors will show you how many people completed a course. We show you how many people:
- Reported a real phishing email
- Reduced risky behaviors
- Improved over time
- Recovered after mistakes
- Became champions of security awareness
We focus on behavioral metrics because they tell us whether our training is working. Completion rates are easy to fake but behavior change isn’t. Yes, we want to boost overall engagement, but we also want to see that this translates into real risk reduction.
Our customers get access to rich dashboards that track:
- Engagement over time
- Repeat clicker trends
- Reporting rate improvements
- Speed of threat recognition
- Department-level risk breakdowns
- User risk profiles
These aren’t just vanity metrics. They’re actionable insights that help security teams spot vulnerabilities, guide improvements, and prove the ROI of security awareness.
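The metrics described in this section (reporting rate, dwell time, repeat clickers, recovery after mistakes, department-level breakdowns and trends over time) can all be derived from a simulation event log. The script below is an added example, not Hoxhunt's own reporting code: it assumes a simple constructed log format where each row records one user's outcome for one simulated phishing campaign, and computes the behavioral metrics from it. The data is constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample simulation log (not real customer data). One row per user per
# simulated phishing campaign: (campaign_id, user, department, sent_at, outcome, acted_at).
# outcome is "reported", "clicked" or "ignored"; acted_at is None when the user did nothing.
EVENTS = [
    ("c1", "alice", "finance", "2024-01-08T09:00", "reported", "2024-01-08T09:12"),
    ("c1", "bob",   "finance", "2024-01-08T09:00", "clicked",  "2024-01-08T10:30"),
    ("c1", "eve",   "finance", "2024-01-08T09:00", "clicked",  "2024-01-08T10:00"),
    ("c1", "carol", "sales",   "2024-01-08T09:00", "ignored",  None),
    ("c1", "dave",  "sales",   "2024-01-08T09:00", "reported", "2024-01-08T14:00"),
    ("c2", "alice", "finance", "2024-02-05T09:00", "reported", "2024-02-05T09:05"),
    ("c2", "bob",   "finance", "2024-02-05T09:00", "clicked",  "2024-02-05T09:20"),
    ("c2", "eve",   "finance", "2024-02-05T09:00", "reported", "2024-02-05T09:45"),
    ("c2", "carol", "sales",   "2024-02-05T09:00", "reported", "2024-02-05T11:00"),
    ("c2", "dave",  "sales",   "2024-02-05T09:00", "reported", "2024-02-05T09:30"),
]


def _minutes_between(start: str, end: str) -> float:
    """Minutes between the email landing and the user's action."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def campaign_metrics(events, campaign_id):
    """Reporting rate, click rate and median dwell time for one campaign.
    Dwell time is the gap between receiving the simulation and reporting it,
    so it is measured over reports only."""
    rows = [e for e in events if e[0] == campaign_id]
    reported = [e for e in rows if e[4] == "reported"]
    clicked = [e for e in rows if e[4] == "clicked"]
    dwell = [_minutes_between(e[3], e[5]) for e in reported]
    return {
        "sent": len(rows),
        "reported": len(reported),
        "clicked": len(clicked),
        "reporting_rate": len(reported) / len(rows) if rows else 0.0,
        "click_rate": len(clicked) / len(rows) if rows else 0.0,
        "median_dwell_minutes": median(dwell) if dwell else None,
    }


def department_reporting_rates(events, campaign_id):
    """Reporting rate per department for one campaign (department-level risk view)."""
    sent = defaultdict(int)
    reported = defaultdict(int)
    for e in events:
        if e[0] != campaign_id:
            continue
        sent[e[2]] += 1
        if e[4] == "reported":
            reported[e[2]] += 1
    return {dept: reported[dept] / sent[dept] for dept in sent}


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    clicks = defaultdict(set)
    for e in events:
        if e[4] == "clicked":
            clicks[e[1]].add(e[0])
    return {user for user, camps in clicks.items() if len(camps) >= min_campaigns}


def recovered_users(events):
    """Users who clicked in one campaign and reported in a later one:
    the 'recovered after mistakes' population."""
    first_click = {}
    last_report = {}
    for e in events:
        when = datetime.fromisoformat(e[3])
        if e[4] == "clicked":
            first_click[e[1]] = min(first_click.get(e[1], when), when)
        elif e[4] == "reported":
            last_report[e[1]] = max(last_report.get(e[1], when), when)
    return {u for u in first_click if u in last_report and last_report[u] > first_click[u]}


def trend(events, earlier_id, later_id):
    """Change in reporting rate and median dwell time between two campaigns."""
    a, b = campaign_metrics(events, earlier_id), campaign_metrics(events, later_id)
    return {
        "reporting_rate_change": b["reporting_rate"] - a["reporting_rate"],
        "median_dwell_change_minutes": b["median_dwell_minutes"] - a["median_dwell_minutes"],
    }


if __name__ == "__main__":
    for cid in ("c1", "c2"):
        print(cid, campaign_metrics(EVENTS, cid), department_reporting_rates(EVENTS, cid))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("recovered:", recovered_users(EVENTS))
    print("trend c1 -> c2:", trend(EVENTS, "c1", "c2"))
```

Measuring dwell time over reports only, rather than over every recipient, keeps it an indicator of reflex speed among people who did the right thing; the reporting rate separately captures how many got there at all. Tracking recovered users alongside repeat clickers distinguishes a one-off mistake from a persistent pattern, which is the difference that matters when deciding who needs extra support.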
Embedding security into your company culture
You won't move the needle on security awareness engagement if it doesn’t become part of your culture.
That means moving beyond one-off campaigns and treating SAT as an ongoing, embedded experience. It means showing employees that security isn’t a separate job... it’s part of their job.
We do this in three ways:
- Embed into workflow: No login portals. No giant PDFs. Our training fits into inboxes, tools, and daily routines.
- Make it human: Real language, real stories, and a tone that respects users.
- Celebrate success: Recognition, leaderboards, and positive reinforcement - never punishment.
At the end of the day, training can only do so much. Culture is the real goal.
You know your program is working when people start speaking up. When they double-check a sender’s email, when they ask if it’s okay to use a new AI tool or when they post in Slack about a weird message and tag the security team. That’s not just behavior change. That’s cultural shift.
People comparing their Hoxhunt scores… people staying and being more proactive… that forms the basis of a strong security culture.
And no, not everyone will talk about security awareness programs around the watercooler. But they’ll think differently. They’ll act more cautiously. And they’ll feel safe reporting mistakes instead of hiding them. That’s the future we’re building. One interaction at a time.
And it works. When people feel empowered, not policed, they engage more, report more, and take ownership of their role in preventing cyber threats.
Our Phishing Trends Report found that when phishing training is based on changing employee behavior, employees can be trained to recognize and report social engineering attacks with a 6x improvement in 6 months, and the number of phishing attack incidents per organization drops by 86%.

Engagement plateaus? Here's the fix
Even the best security awareness training programs eventually hit a wall.
Engagement starts strong but then the numbers dip. People stop clicking. Reports drop off. Admins start asking, “What happened?” The problem isn’t with your users - it’s with how the training is evolving (or not).
Plateaus and drops can come from fatigue, repetition, or even a perceived lack of value… when people stop seeing the point, that’s the clearest sign we have.
Most of the time, disengagement doesn’t mean people are lazy. It means they’ve tuned out. They’re overloaded. They feel like they’ve already seen this training before or they feel like it was never relevant to begin with.
So, what’s the solution?
1. Refresh the content
You can’t show people the same tired phishing email every quarter and expect them to care. We help customers turn this around by refreshing the content… sometimes all it really takes is a well-targeted scenario, a truly tailored and relevant training package.
That could be something topical, like a deepfake attack. It could be role-based, like a phishing attempt spoofing a LinkedIn recruiter for the sales team. Or it could just be fun.
One of our favorite stories was a simulation where the phishing email promised Beyoncé concert tickets. It wasn’t even based on a real attack, but the response was incredible… It got people talking in the break room.
Sometimes, you don’t need a cutting-edge exploit to grab attention. You just need a new angle that makes people stop and say, “Wait... what is this?”
2. Adjust the cadence
Engagement fatigue often happens when training becomes too predictable or too interruptive.
If training is rare, people forget. If it’s constant and disruptive, people tune out… the sweet spot is small, frequent, and respectful. At Hoxhunt, we’ve found that micro-learning (bite-sized, spaced-out training with adaptive difficulty) works best.
People aren’t overwhelmed, and they aren’t bored. They’re challenged just enough to stay interested. And because the training meets them in their flow of work, it doesn’t feel like a burden. That means fewer “ugh, another training” eye-rolls and more actual learning.
3. Personalize the experience
This one’s non-negotiable. If you want sustained engagement, the training has to feel personal. When someone feels that the training is actually made for them, they’re going to be more willing to give it a chance.
That could mean using their name, referencing their department, or tailoring the threat type to their role. It could also mean acknowledging their journey: “Hey, you’ve improved. Here’s what’s next.”
And when someone’s totally checked out? Shift the tone. Move from “You must complete this” to “Here’s something that might help.” You’re not trying to win them back in a single day; you’re just trying to earn another shot.
AI-enhanced customization: security awareness training that evolves with the threat landscape
Security threats evolve fast. So training needs to move faster.
Generative AI helps us do just that. We use it to generate, test, and deploy new training content on emerging threats - including deepfake spear phishing, AI-generated phishing campaigns, and novel social engineering techniques.
We use generative AI to help us stay ahead of the curve by:
- Rapidly generating training content based on new threat intel
- Creating hyper-personalized simulations at scale
- Adapting language and complexity to user profiles
- Localizing content for different regions and cultural nuances
For example, if an employee’s behavior suggests they’re at higher risk for credential harvesting, our platform can automatically enroll them in additional training that targets those specific tactics.
Why Hoxhunt security awareness training works: Training people actually want to complete
Organizations are facing a rapidly evolving threat landscape of cyber attacks, from insider threats to deepfake-based social engineering attempts. Yet most security awareness training programs are still stuck on completions instead of tangible behavior change.
That’s why we built Hoxhunt's security awareness training differently. It’s designed to reduce human error instead of just raising employee awareness.
What makes it different?
- Drive next-level user engagement by tailoring it to every employee role, department, location, and more to ensure your message resonates.
- Encourage secure behaviors with gamified awareness and interactive elements that minimize disruption and proactively fill in their skill gaps.
- Meet training requirements with a library of ready-made training packages covering a wide range of security topics and automate targeting/distribution with advanced workflows.
- Personalized training campaigns that adapt to employee behavior, role, risk level, and even department-specific security practices.
- A deep reporting engine for security teams that goes beyond completions to track real behavioral improvements. Easily measure program performance over time with powerful dashboards.
- Powerful integrations with everyday tools, from Microsoft Outlook and Teams to Google Workspace and Slack.
Make security stick: How AES transformed engagement
Take AES, a Fortune 500 global energy company. With operations in 14 countries and thousands of employees, they needed more than just check-the-box annual training - they needed to move the needle on human cyber risk.
By rolling out Hoxhunt’s adaptive training across their global teams, AES saw a dramatic shift in both engagement and real-world behavior:
- 91% reporting rate across users
- 69% reduction in repeat clickers
- 67% drop in human risk score
More importantly, they built a scalable, people-first program that fosters a genuinely strong security culture - without overwhelming employees or adding complexity for admins.

- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt