Transforming Cybersecurity Culture through Security Behavior Change

Europe’s second-largest port is a pillar of Belgium’s critical infrastructure. That sector is facing increasingly sophisticated cyberattacks in today’s geopolitical landscape and AI-driven climate of advanced social engineering tactics.  

“The board and our internal audit team look at a broad range of risks for the company, from climate change to container capacity to cybersecurity. We track the top 15 risks, of which cybersecurity is number one.

Port of Antwerp-Bruges recognized the rise of cyber-attacks when they reinvented their IT department back in 2018 from a perceived cost center to an important business driver. Core to this vision, Yannick Herrebaut’s role as the organization’s first CISO was created, along with the Cyber Resilience Department. They were established to address the evolving threat landscape, and have come to focus on human-targeted attacks.

One of Yannick’s first initiatives as CISO was to create a user awareness program to foster a cybersecurity culture within the organization. A one time phishing benchmark that was conducted earlier showed some concerning results. It was clear that the employees were quite gullible and relied too much on technical measures to keep their company assets and data secure.  

“The user awareness score reflects the effectiveness of our user awareness program in reducing human cybersecurity risks. We track metrics such as click rates on simulated phishing emails, completion rates for security training, and improvements in employee behavior over time. We also monitor the number of reported incidents and the level of employee engagement with security initiatives. During the time we used a different tool, we only sent out 4 generic campaigns  per year. The results varied greatly, depending on the difficulty of the template and some other factors. However, since we’ve been using Hoxhunt, we noticed a stable and high level of user awareness.”

Dropping the SAT model. Adopting security behavior change capabilities.

The process of selecting the right human cyber-risk management product was challenging. They needed to consider:

• Public procurement legislation in Belgium

• Rigorous compliance standards
• Multiple training content languages  
• Maximum automation for limited operational resources
• Robust reporting capabilities for board reporting and human risk management

The first tool they selected was an e-learning SAT tool, but after two years of using this product, it became apparent that it came with some drawbacks:

• Time-and-resource-intensive: Yannick’s team had to manually customize, send, and analyze the results of phishing templates from a library.
• One-size-fits-all content: Training did not adapt to individual strengths and weaknesses.
• Infrequent campaigns: About one phishing simulation sent per quarter.  

• Predictable: Employees started recognizing the patterns and warning others about the ongoing tests.
• Vanishing engagement: Decrease in participation, from 90% to 50% after two years.  
• Language barriers and content limitations.

AI-enabled security behavior change model

Hoxhunt's solution shifted training from the one-size-fits-all legacy SAT model to a personalized learning journey focused on good cyber-behavior: threat reporting. Enabled by AI, the platform was easy to use for the admins, and the gamified content was enjoyable for employees. Engagement rates and positive feedback soared. Yannick credits the success to:

• Realistic, personalized and unpredictable simulated attacks  
• Dozens of automated phishing simulations per year

• Gamified learning journey
• Extensive reporting capabilities
• Easy-to-use interface for incident response

Measurable behavior change and risk reduction

The success of Hoxhunt was reflected in the organization's awareness score, which Yannick carefully developed as a corporate KPI. Previously, the awareness score varied greatly between 24% and 83%, but with Hoxhunt, it quickly reached over 90% and has stayed there for more than a year. Secure email behavior became standard operating procedure.

"The continuous and engaging nature of Hoxhunt's phishing simulations, along with the measurable improvements in our awareness and performance metrics, have greatly contributed to our organization's cybersecurity culture and overall security posture."

Board reporting KPIs to secure buy-in and budget

Being able to report on progress is important to both Port of Antwerp-Bruges as well as the Cyber Resilience Department. Between the people, processes, and technology composing the security stack, Yannick and the board focus on the human aspect of cybersecurity, still one of the biggest risk factors.  

“KPIs in awareness and security behavior change are important because you should know what’s happening with your program and be able to report risks and trends to the board. You need good metrics to guide good decisions. I cannot walk into a board meeting and say, ‘Thank you for the money, I promise I will spend it wisely.’ I must give something in return. I believe in this approach, and I appreciate the extensive reporting capabilities that Hoxhunt provides because they help me tell the story to management more effectively.”

The Port has a dynamic list of 15 different existential risks to the organization, ranging from cybersecurity to climate change and capacity for shipping containers. This past year, cybersecurity emerged as the top risk to the business. And social engineering is one of the top challenges they seek to mitigate within cybersecurity.

Additionally, they highlight risks to mission-critical assets, compliance efforts related to the European NIS Directive, and overall information security policy. Compliance with these regulations is crucial for avoiding legal and financial consequences.

“Overall, the board is highly interested in our initiatives and results, as cybersecurity has been identified as the top risk for the company. By sharing these KPIs and demonstrating our progress in mitigating human cybersecurity risks, we ensure that cybersecurity remains a top priority and receive the necessary support and resources to continue our efforts.”

Automated SOC response

The behavior change training has conferred measurable impact on threat detection and human cyber-risk reduction. There was a tremendous upswell in the threat feed as employees began reporting suspicious emails as a matter of habit.  

‍

‍

Threat detection:

• 2,200 malicious emails reported (and contained) in the previous year
• Over 2/3 of active Hoxhunt participants reported at least one email attack

Over 2/3 of active Hoxhunt participants reported a suspicious or malicious email within one year of commencing training. There is no better outcome of a phishing attack than a threat report. And there’s no better proof of behavior change than real threat detection.

A threat report removes the danger from the system and alerts the SOC team so they can eliminate or contain the threat before the damage spreads.  

Rather than be overwhelmed by the response, the SOC team leverages Hoxhunt’s AI-enabled Response Platform. It does the work of multiple FTEs of SOC analysts by automatically orchestrating the threat feed data to categorize reports and prioritize incidents. The result is significantly augmented and accelerated threat detection and response capabilities.

“We have seen a change by orders of magnitude in our employees’ online behavior with Hoxhunt in terms of real threat detection. This proves that the training is having a real-world effect on people, and is measurably reducing our cyber-risk. The fact that the Hoxhunt platform automatically analyzes these threat reports means we can optimize our efficiency and the quality of our SOC team’s work.”

‍