The power of cyber practice

It finally happened—someone (me) snapped Dustin Sachs’ eight-game winning streak in the CISO Fantasy Phish Bowl. The victory got me thinking about practice—how in real & fantasy football, as in cybersecurity, progress and performance come from doing, not testing.

Updated
November 7, 2025
Written by
Eliot Baker

Last week, I did the unthinkable: I snapped Dustin Sachs’ eight-game unbeaten streak in the CISO Fantasy Phish Bowl. The young rook out of Wichita was cruising toward the first perfect season in league history. But I drew on decades of experience to put a stop to this upstart fantasy manager's magical unbeaten season.

Thanks to a 43-point explosion by all-world tight end Brock Bowers, a few ill-timed injuries, and some flat performances from Dustin’s otherwise dominant squad, I squeaked out the win. It felt like a playoff game — the kind where every lineup decision, every risk, every gut call matters.

And that’s what makes fantasy football so addicting. Every Sunday, we’re practicing. We’re testing theories, learning lessons, analyzing performance, and adapting to what we’ve seen on the field. Each lineup is a living experiment in risk and reward, probability and instinct, strategy and luck.

And it got me thinking about human cyber performance — because just like fantasy football, cybersecurity outcomes depend on practice.

The Practice Effect: From the Gridiron to the SOC

When we talk about human risk, we’re really talking about performance. It’s about how people behave — under pressure, under attack, or under fatigue.

Do they recognize the phish?
Do they report it?
Do they pause before they click?

Performance doesn’t improve through one-off tests. It improves through practice.

Athletes don’t learn to execute a two-minute drill by watching PowerPoints. They train — they run routes, lift weights, and scrimmage under game conditions until their decisions become automatic.

It’s no different in cybersecurity.
To change behavior, people need repetitive, meaningful, context-rich practice. The goal isn’t to catch them off guard. It’s to help them get better — week after week, month after month — until the right behavior becomes habit.

The Habit Loop: Tony Dungy and the Power of Repetition

In The Power of Habit, Charles Duhigg tells the story of legendary NFL coach Tony Dungy, who turned the Tampa Bay Buccaneers from perennial losers into contenders. His philosophy? Drill the right responses so often that in high-pressure situations, players reacted automatically — without thinking.

Dungy rewired their habit loops:

  1. Cue: Ball snapped.
  2. Routine: Defensive lineman reacts instinctively, not analytically.
  3. Reward: The play stops dead.

They practiced these loops until they were embedded in muscle memory. When tragedy struck — the loss of Dungy’s son — the team came closer together in a sense of shared, epic meaning (more on that "epic meaning" term below, as a core principle of gamification design theory). They played with poise and purpose because their behaviors were now who they were.

That’s the essence of cyber performance. We can’t expect people to think through every click in the middle of a busy day. We have to help them build security habits that activate automatically.

And the way we do that is through gamified practice.

The Game Behind the Game

A few years ago, I participated in an interview with Yu-kai Chou, the godfather of gamification, about his Octalysis Framework — a map of the eight core human drives that motivate behavior.

“The number one misconception,” Yu-kai said, “is that gamification is about making games. It’s not. It’s about making real-life activities feel as rewarding and meaningful as games.”

Gamification is how we make cybersecurity practice engaging instead of punitive. It taps into the same drives that make us love real sports and fantasy football — progress, mastery, community, unpredictability, accomplishment, and epic meaning.

Think about it:

  • In fantasy football, every player decision earns feedback (points).
  • In cybersecurity, every reported phish earns feedback (reinforcement).
  • In both, progress is visible and rewarding.

When done right, gamification turns the grind of learning into an engine of continuous performance improvement.

How Hoxhunt Turns Cybersecurity into a Practice Sport

Hoxhunt was founded on this idea back in 2016.

Co-founders Mika Aalto and Pyry Åvist were frustrated with traditional security awareness training. It checked compliance boxes but didn’t change behavior. Employees dreaded it. Engagement was low. Risk stayed high. Behaviors remained unchanged.

So they took inspiration from Yu-kai Chou’s Octalysis Framework and built a system that made cybersecurity training feel like a game — not a lecture.

Here’s how:

  • Behavior-Based: The game is built around the single most valuable skill: reporting phishing emails. Every correct report earns points.
  • Adaptive Difficulty: Training adjusts automatically to each person’s skill level and progress, just like an online game that levels you up as you improve.
  • Instant Feedback: Users get immediate responses — “You caught a phish!” — reinforcing learning through positive feedback.
  • Epic Meaning: People see how their actions protect not only themselves but their teammates and the entire company.
  • Social Connection: Leaderboards and team challenges foster friendly competition and shared accountability.

Over time, this turns cybersecurity from a compliance exercise into a practice discipline — one that’s fun, measurable, and habit-forming even after dozens of micro-trainings a year.

And the results?
They speak for themselves:

  • 9x improvement in threat reporting within the first year.
  • 10x increase in real phishing reports.
  • Massive reductions in failure rates and dwell time.

These cyber performance stats prove that practice builds cyber habits — and those habits reduce risk.

Real-World Wins: From AES to Qualcomm

Gamified training isn’t theory — it’s working in the real world.

The AES Corporation, a Fortune 500 energy company, used Hoxhunt to boost employee engagement sixfold and win a CSO50 Award for cybersecurity innovation.

Qualcomm transformed its “Risky 1K” — the 1,000 employees most likely to click on phishing links — into its most resilient group. In less than six months, those same employees went from twice as risky to twice as resilient as their peers.

Their secret?
Practice.
Not punishment.

The Broader Game of Life

Gamification isn’t just for cybersecurity or sports. It’s how the best platforms on Earth motivate us:

  • Duolingo turns language learning into a streak-based game.
  • LinkedIn gamifies career development with “profile strength.”
  • Habitica makes personal productivity into an RPG quest.
  • Salesforce motivates sales teams with leaderboards and badges.

Each uses the power of practice and feedback to build lasting habits.

The same formula applies to cybersecurity:
Define the desired behavior → Create continuous, rewarding opportunities to practice it → Reinforce success → Build culture.

Practice Makes People

When I beat Dustin Sachs, it wasn’t luck (okay, maybe a little). It was the power of practice — years and years of practice and preparation that set your roster up for its best chance at success. Tinkering, learning from mistakes, and refining instincts. Oh, and having Brock Bowers on his first big week of the season at just the right time. OK, so there's some luck involved, but let's not fight the metaphor.

The real players — the Brock Bowerses of the world — spend every day training to perfect their craft. We fantasy GMs do our version of that from our couches. And in cybersecurity, it’s the same principle.

You can’t expect people to perform at a high level under pressure if they haven’t practiced the playbook.

The human side of cybersecurity isn’t about compliance, blame, or fear. It’s about empowering people to perform — to make good decisions when it matters most.

That’s what the Fantasy Phish Bowl is really about at its core: practice, performance, and learning from every win and loss.

Because whether you’re chasing championships or blocking phishing attacks, the truth holds:
Practice doesn’t make perfect. Practice makes permanent.

Stay tuned next week as we head into the playoff push. Dustin will be back with a vengeance, and somewhere out there, another CISO is scheming their own comeback. The season — and the practice — never really stops.
