We unpack one of cybersecurity’s most polarizing dilemmas: what should be done with repeat offenders in phishing simulations?
Eliot is joined by Noora Ahmed-Moshe (VP of Strategy & Operations, Hoxhunt) for a discussion on one of cybersecurity’s most divisive questions: should repeat offenders in training programs be punished... or is there a better way?
Drawing on behavioral science, real-world case studies, and Noora’s global experience advising security leaders, this episode breaks down the flawed logic behind punitive training and surfaces more effective, scalable alternatives.
To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk
Host links:
Eliot Baker: https://www.linkedin.com/in/eliotebaker/
Noora Ahmed-Moshe: https://fi.linkedin.com/in/noora-ahmed-moshe
In this episode of the Human Risk Management Podcast, Eliot Baker sits down with Noora Ahmed-Moshe, VP of Strategy and Operations at Hoxhunt, to unpack one of cybersecurity’s most polarizing dilemmas: what should be done with repeat offenders in phishing simulations?
Together, they dissect why punitive responses to failure often undermine long-term security goals - and explore the behavioral science behind why people actually change.
Many organizations default to punishment - mandatory training, public shaming, even termination - for repeated phishing test failures.
Noora argues that this approach is not only ineffective, but actively damaging to morale, culture, and security outcomes.
“Punishment may scare people straight for a moment. But it doesn’t change attitudes. It doesn’t scale. And it kills engagement.”
Punitive programs backfire because they rely on extrinsic pressure, not intrinsic motivation.
Fear leads to concealment, disengagement, and reduced reporting - exactly the opposite of what a healthy security culture needs.
“What happens when someone gets fired for a phishing fail? People stop engaging. They stop clicking. And they stop reporting.”
Noora draws on behavioral science to explain why reward-based models outperform punitive ones across species - from rats to employees.
Gamification, recognition, and psychologically safe environments consistently outperform punishment in driving sustainable behavior change.
“People change when they understand, when they’re motivated, when they’re rewarded. Not when they’re scared.”
Not every repeat offender is negligent. Some are curious. Some are uninformed. Some are unaware they’re being targeted.
Noora shares examples of companies that reduced their “repeat clicker” populations by 90% - not with threats, but by digging into root causes and adjusting training accordingly.
“Seek first to understand. Then to be understood.”
When one-size-fits-all fails
Effective programs adapt. Noora explains how personalization - by geography, role, or motivation - can unlock dramatic improvements in behavior.
One standout case: a Fortune 100 company turned its most notorious offender into a security champion simply by offering them a sandbox to explore phishing safely.
“You can’t scare someone into caring about security. But you can connect it to what matters to them.”
Fear-based deterrence might reduce clicks, but it increases hidden risk. It discourages disclosure and cultivates distrust.
“You don’t want employees to avoid getting caught. You want them to want to do the right thing even when no one’s watching.”
Should HR be involved with repeat failures? Only if they’re supporting psychological safety... not enforcing penalties.
“HR should be helping build a positive culture, not acting as the disciplinary arm of security.”
Some leaders worry that removing punishment makes them look weak.
But Noora counters that the real signal of strength is data. She cites the case of Qualcomm’s group of serial clickers who, after three months on a positive training path, outperformed the rest of the company on every metric.
“Don’t argue with feelings. Show results. Show that behavior-based training actually works.”
Noora’s message is clear: believe in people. Respect their time. Speak their language.
Security doesn’t need to be feared. It needs to be embraced. And that requires ditching the stick in favor of smarter carrots.
“If you were learning something you didn’t care about, would you want to be punished or engaged?”