case study

Uber reduces human risk with CSO Award-winning signal-driven behavior management

About

Uber is a global mobility and delivery platform operating in over 70 countries, connecting millions of riders, drivers, and businesses every day.

Industry: Transportation and logistics

Headquarters: San Francisco, USA

Employees: 40,000

Challenge

Uber wanted to move beyond compliance-based security awareness training (SAT) and build a Human Risk Management (HRM) program fueled by behavioral signals and timely nudges for over 25,000 users, but there was no playbook or existing tooling to realize their vision. With limited resources and a complex environment, they needed to operationalize real-time, behavior-driven security at scale, and demonstrate real risk reduction superior to the SAT model.

Solution

Uber’s two-person team co-created with Hoxhunt a signal-driven HRM program powered by automation, adaptive training, and signal-based behavioral nudges that delivered outsized results—earning a prestigious CSO Award for innovation, measurable impact, and leadership in redefining human-centric security.

Key takeaways:
  1. Security training completion rose from 60% to over 90%, despite shifting from forced compliance to voluntary participation.
  2. 50% year-over-year increase in Cybersecurity Awareness Month engagement, including a 50% growth in attendance across live events.
  3. 96% of respondents stated that the training was valuable, and 98% reported confidence in making secure decisions at work.
  4. Operational efficiency increased and support burden decreased. Self-service tools reduced Tier-1 security and policy inquiries and shortened resolution times from days to seconds.

“Phishing simulations through Hoxhunt are just one part of a much broader system driven by real-world signals. The Hoxhunt behavioral signals capabilities are critical for us because they allow us to intervene at the moment of risk, not after the fact.” – Jason Harper, Head of Security Diligence, Analytics, Vendor Risk, and Awareness

Co-creating an award-winning Human Risk Management model with Hoxhunt

When Uber saw they weren't getting the results they wanted, they just built the system they needed.

Uber charted a new path to Human Risk Management upon recognizing that traditional compliance-based awareness couldn’t reduce risk effectively. Their CSO Award-winning “Beyond the Checkbox” program, led by Jason Harper, Head of Security Diligence, Analytics, Vendor Risk, and Awareness, and Yinka Badmus, Head of Security, Global Risk & Compliance, represents something genuinely rare in enterprise security: category-defining innovation executed at scale.

Working closely with Hoxhunt, Uber co-developed unique capabilities for behavioral signal-based nudges and timely micro-trainings. Many of these capabilities are now part of Hoxhunt’s HRM platform.

The core innovation lies in the program’s behavior-first architecture. Human risk is modeled not as a knowledge deficit but as an outcome of context, timing, cognitive load, and workflow pressure. Accordingly, the system observes and acts on user behavior across multiple domains, including:

  • Phishing outcomes
  • Incident response data
  • Vulnerability and bug tickets
  • Data handling events
  • Policy exceptions
  • Endpoint and network telemetry
  • Emerging external threat intelligence

Those signals are translated into targeted, just-in-time interventions. Learning content is delivered through personalized microlearning modules, which are triggered by relevant events, rather than cookie-cutter training pushed out on a fixed schedule.

Content is dynamically selected with AI capabilities based on role, behavior patterns, and observed risk indicators.

Driver and Co-Driver: Scaling HRM Together

Uber re-framed people as dynamic risk signals within the security ecosystem. Rather than relying on annual security awareness training or static phishing programs, the team hypothesized that real risk reduction would only come from continuously observing human behavior, interpreting it through context, and responding with targeted, timely interventions.

Realizing this vision with Hoxhunt required welding together capabilities that traditionally lived in silos and treating them as inputs into a behavioral risk model.

Behavioral signals are sourced from:

  • Detection platforms
  • Phishing simulations
  • Development workflows (e.g., JIRA)
  • Endpoint telemetry

These signals are then analyzed to determine who needs intervention, what behavior needs correction, and when that intervention will be most effective.

“By using a platform like Hoxhunt alongside our telemetry and AI systems, we have a much better picture of what people actually need—versus what we think they need—and that’s what allows us to target behavior and drive real change.” – Jason Harper, Head of Security Diligence, Analytics, Vendor Risk, and Awareness

The whole system is designed to meet people where they’re at for personalized cyber skill development. Messaging and nudges are embedded into existing collaboration platforms and delivered through tools employees already use, like Slack, reducing dependency on email or LMS-driven workflows.

It’s a closed-loop system: behavioral signals inform interventions; interventions influence behavior; resulting changes are measured and fed back into program design. Users’ threat reports are transformed into hyper-realistic phishing simulations. This feedback loop allows continuous refinement of both content and targeting strategies.

“We didn’t want a traditional training platform—we wanted something that could take real security signals and turn them into just-in-time awareness. That vision became possible through close collaboration with Hoxhunt.” – Jason Harper

Automating smart interventions that drive real results

Jason and his team deliberately built a behavior-driven, telemetry-informed Human Risk Management system years before HRM was formally recognized as a category.

And they did so with minimal resources, a 2-person team, and a mandate from leadership to prove real risk reduction at no additional expense.

The results have earned internal praise from leadership and external award recognition. Uber’s HRM program materially outperformed their traditional security awareness training both quantitatively and qualitatively, while operating at minimal incremental cost.

  1. Engagement and training effectiveness improved dramatically. Security training completion rose from roughly 60% before Beyond the Checkbox to over 90% after it, even though training engagement shifted from forced compliance to voluntary participation.
  2. Awareness engagement grows continuously. The program delivered a 50% year-over-year increase in Cybersecurity Awareness Month engagement, including a 50% growth in attendance across live events. Historically, broad awareness campaigns struggled to attract attention, but sustained, just-in-time microlearning and high-signal communications throughout the year built sufficient trust and relevance to materially change participation.
  3. People love it! 96% of respondents stated that the training was valuable, and 98% reported confidence in making secure decisions at work. These results are especially notable given Uber’s scale (≈40,000 users) and the historically low engagement typical of annual, compliance-driven programs.
  4. Security maturity measurably increased. Uber’s internal maturity assessment (CMM-style capability model) improved 54%, jumping from approximately 2.6 to 4.0. The score reflected dramatic progress from reactive, compliance-oriented practices to a predictive, continuously improving model spanning awareness, policy, training, and behavior-based risk management.
  5. Phishing resilience and reporting improved. Uber transitioned from periodic, static phishing tests to continuous, adaptive phishing simulations, delivering 100,000+ simulations across 500+ unique scenarios globally. Failure rates declined to a level Uber considers acceptable for its industry and threat profile, while reporting behavior normalized across the organization.
  6. Operational efficiency increased and support burden decreased. The introduction of self-service tools—most notably the AI-powered Security Policy Advisor embedded in Slack—reduced Tier-1 security and policy inquiries and shortened resolution times from days to seconds.

“We now have a much clearer picture of what people actually need—not what we assume they need—and that’s what allows us to drive real behavior change…It’s about moving from static training to something that responds to real behavior. When people see something and report it, that becomes part of the system—that’s Human Risk Management.”

AI-driven automation: Big wins for small teams

Generative AI is applied pragmatically—not as a novelty—to accelerate content creation, summarize policies, generate microlearning modules, and power self-service tools such as an AI-based Security Policy Advisor that provides near-instant guidance without human escalation.

The AI-driven Policy Advisor integrates generative AI for policy comprehension and self-service enablement. Employees can make queries about security requirements and receive immediate guidance. This capability reduces ticket volume, equips people with better security decision-making skills, and maintains policy fidelity.

By delivering the right microlearning or nudge to the right person at the right moment, Uber reduces human-driven security risk without increasing friction, cost, or fatigue. Uber demonstrates that HRM is not a future concept—it is an achievable, scalable strategy.

“The combination of behavioral signals and automated delivery is what makes this model scalable. We’re able to meet people where they are without adding operational burden.” – Jason Harper, Head of Security Diligence, Analytics, Vendor Risk, and Awareness

Leadership was supportive of Jason pursuing his vision of a dynamic HRM system, but his mandate involved strict resource and budget constraints: no added headcount or increase in budget, and demonstrably superior risk reduction.

Uber achieved their stellar results without adding costs, notably by integrating Hoxhunt with existing platforms. They quickly showed ROI through cost avoidance and scalability.

Hoxhunt enabled the dynamically personalized program to be delivered to over 25,000 employees by a two-person team. By preventing incidents, reducing investigation workload, lowering training overhead, and minimizing productivity disruption from security events, the program delivers strong implicit ROI through cost avoidance and operational leverage.

Collectively, these outcomes validate Uber’s original hypothesis: managing human behavior as a dynamic risk surface—rather than relying on static training—produces measurable improvements in security posture, engagement, and operational efficiency, even at global scale.

“We build microtraining in Hoxhunt, use behavioral signals to decide who needs it, and then deliver it in a way that’s relevant and timely. That combination—signals plus the ability to rapidly create and deploy content—is what makes the whole model work.”
