Episode 1

How to Measure Behavior Change: Moving From Awareness to Real Risk Reduction

Are your security awareness metrics actually measuring risk reduction? Or just checking boxes?

Show Notes

Eliot is joined by Maxime Cartier (Head of Human Risk, Hoxhunt) to break down what truly works when it comes to reducing human cyber risk. Maxime has spent close to 10 years helping organizations elevate security awareness into human-centered risk management and led security culture initiatives for a major global retailer. In this episode, he shares the metrics that actually matter when evaluating your human defense layer and practical frameworks for quantifying risk reduction across your organization.

Here's what you'll learn in this episode:

  • Why traditional metrics fail to capture real risk reduction
  • The measurement framework that finally proves ROI to leadership
  • Behavioral science secrets that transform knowledge into habits
  • How top-performing organizations quantify their human defense layer

Timestamps:

  • (00:00) Introduction to the Podcast
  • (01:08) Understanding Security Awareness
  • (02:54) The Evolution of Security Awareness
  • (04:51) Compliance and Security Awareness
  • (06:49) From Awareness to Behavior Change
  • (08:40) Measuring Security Behaviors
  • (11:14) Real-World Examples and Anecdotes
  • (21:44) The Importance of Reporting Rates
  • (24:15) Positive Security Culture
  • (38:30) Adapting to New Threats
  • (45:13) Conclusion and Final Thoughts

To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk

Resources:

Host links:

Eliot Baker: https://www.linkedin.com/in/eliotebaker/

Maxime Cartier: https://www.linkedin.com/in/maximecartier/

Full Conversation Breakdown

In this inaugural episode of the All Things Human Risk Management podcast, Eliot Baker sits down with Maxime Cartier, Head of Human Risk at Hoxhunt, to discuss the evolution of security awareness and the future of human-centric cybersecurity strategies.

Maxime draws from his rich background in cybersecurity awareness to explore why traditional methods fall short - and how organizations can drive real behavior change.

The limitations of traditional security awareness

Traditional security awareness programs, rooted in compliance and education, are no longer sufficient in the modern threat landscape.

Maxime describes legacy awareness initiatives as largely informational - focused on telling people about threats rather than changing their behaviors.

“We’ve done security awareness for a long time. But what we’ve seen is that it doesn’t work... we need to do more than traditional awareness.”

He traces the origins of awareness programs to an era when cybersecurity was a foreign concept to most employees.

Back then, simply knowing what a virus or phishing email was could be transformative. But times have changed.

Why compliance-only thinking doesn’t cut it

Compliance requirements (while necessary) can lead to a box-checking mentality that sacrifices impact for regulation.

“You have to check the box if you want to be in business. Especially in regulated industries like banking or healthcare. But that’s not where real change happens.”

Maxime emphasizes the need to move beyond minimal compliance toward programs that actually reduce risk by influencing behavior.

The shift toward behavior change

The real pivot in cybersecurity education is moving from telling to transforming... getting people to act differently, not just know more.

“Knowledge is not enough. It’s not because you know something that you will pick up a habit.”

He uses the broccoli analogy to humorous effect: people know it's healthy, but that doesn’t mean they eat it.

Similarly, employees might know what phishing is and still fall for it.

Measuring what matters: Behavior, not just knowledge

Maxime outlines a framework to measure the effectiveness of human risk programs using four dimensions:

  • Knowledge – “Do they know the right answer in a quiz?”
  • Behavior – “Do they report suspicious messages? Do they use strong passwords?”
  • Attitudes – “Do people feel cybersecurity is supported in their team? Do they talk about it?”
  • Engagement – “How many people show up to events, view training videos, or take part in gamified experiences?”

BJ Fogg’s B=MAP model in practice

Behavioral change happens when motivation, ability, and a prompt come together.

Maxime explains how he’s implemented Stanford professor BJ Fogg’s behavior model in real-world security programs.

“We saw that people trained with Hoxhunt were six times less likely to click and seven times more likely to report phishing compared to their peers.”

This success comes from combining engaging rewards (motivation), easy-to-use tools like a phishing report button (ability), and phishing simulations (prompts).

Positive reinforcement over fear

Maxime strongly advocates for creating a positive security culture.

Fear-based approaches damage psychological safety, discourage openness, and create resistance.

“Focusing on click rates means we focus on failure. That can be damaging to psychological safety, which is a core component of a strong security culture.”

Instead, successful programs focus on success rates - how many people are actively reporting threats - and reward that behavior.
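The success-rate framing above (report rate and time-to-report rather than click rate alone), together with the "six times less likely to click, seven times more likely to report" comparison from the B=MAP section, worked through on constructed phishing-simulation results. This is an added illustration, not Hoxhunt's own tooling; the cohort labels and per-user outcomes are made up, and chosen so the ratios come out at the figures quoted in the episode.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    user: str
    cohort: str                             # "trained" or "untrained" (constructed labels)
    clicked: bool                           # opened the simulated phishing link
    reported: bool                          # used the report button
    report_minutes: Optional[float] = None  # delivery-to-report delay, if reported


def cohort_metrics(outcomes, cohort):
    """Success-oriented metrics for one cohort: report rate and speed, plus click rate."""
    rows = [o for o in outcomes if o.cohort == cohort]
    n = len(rows)
    if n == 0:
        raise ValueError(f"no outcomes for cohort {cohort!r}")
    times = [o.report_minutes for o in rows if o.reported and o.report_minutes is not None]
    return {
        "n": n,
        "click_rate": sum(o.clicked for o in rows) / n,
        "report_rate": sum(o.reported for o in rows) / n,
        "median_report_minutes": median(times) if times else None,
    }


def relative_effect(outcomes, treated="trained", control="untrained"):
    """How many times less likely to click / more likely to report the treated cohort is."""
    t, c = cohort_metrics(outcomes, treated), cohort_metrics(outcomes, control)
    click_reduction = c["click_rate"] / t["click_rate"] if t["click_rate"] else float("inf")
    report_lift = t["report_rate"] / c["report_rate"] if c["report_rate"] else float("inf")
    return {"click_reduction": click_reduction, "report_lift": report_lift}


# Constructed sample: 10 users per cohort (trained: 1 click, 7 reports; untrained: 6 clicks, 1 report).
SAMPLE = (
    [Outcome(f"t{i}", "trained", clicked=False, reported=True, report_minutes=m)
     for i, m in enumerate([2, 5, 3, 8, 1, 4, 12])]
    + [Outcome("t7", "trained", clicked=True, reported=False)]
    + [Outcome(f"t{i}", "trained", clicked=False, reported=False) for i in (8, 9)]
    + [Outcome(f"u{i}", "untrained", clicked=True, reported=False) for i in range(6)]
    + [Outcome("u6", "untrained", clicked=False, reported=True, report_minutes=45)]
    + [Outcome(f"u{i}", "untrained", clicked=False, reported=False) for i in (7, 8, 9)]
)

if __name__ == "__main__":
    for cohort in ("trained", "untrained"):
        print(cohort, cohort_metrics(SAMPLE, cohort))
    print(relative_effect(SAMPLE))  # click_reduction ≈ 6.0, report_lift ≈ 7.0
```

Note that a cohort with no clicks at all yields an infinite "click reduction", which is one more reason to lead with the report rate and median report time rather than the click ratio.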

Phishing: Still the #1 human risk

Despite evolving threats, phishing remains the top attack vector in most breaches.

“It’s not sexy. It’s not AI. But phishing via email is still the number one most common threat vector.”

Maxime recommends focusing on phishing-related behaviors first - like verifying senders and promptly reporting suspicious emails - before tackling less frequent risks.

Cultural hacks and security mascots

One of the most memorable parts of the episode was Maxime’s story about creating fun and relatable branding around cybersecurity at H&M, where they introduced animal mascots to reinforce different security themes.

“We started with a pug in a unicorn costume for social engineering. People loved it. They shared it on internal socials, and we even made plushies.”

These efforts created engagement and made cybersecurity approachable and even fun... a far cry from the traditional dry, compliance-heavy training.

The power of relationships in incident response

Eliot shares a personal story about being involved in a real security incident.

Thanks to his strong relationship with the security team, the issue was quickly identified and resolved.

“Had I avoided our security director or been afraid to speak up, that situation could’ve escalated. Trust made all the difference.”

Maxime reinforces that point:

“We can’t just do training in isolation. It’s about building trust between people and the security team.”

Staying ahead of threats in the age of AI

Maxime discusses the importance of dynamically updating training based on real-time threat intelligence.

For example, after seeing a spike in QR-based phishing attacks, Hoxhunt immediately launched a simulation campaign reaching over 500,000 users.

“We see threats as they emerge. And our training content evolves accordingly - often within days or hours.”

Final thoughts: It’s about impact, not just activity

“In the end, what you want is to show your impact. We’re not just training to train. We want to reduce real risk.”

This ethos - translating awareness into behavior, and behavior into culture - is the heart of the new generation of human risk management.
