
All Things Human Risk Management

Podcast by Hoxhunt

English

Technology & science


About All Things Human Risk Management

All Things Human Risk Management is the essential podcast for cybersecurity professionals seeking to strengthen their organization's human defenses. Get actionable insights on emerging threats, behavioral science, and data-driven training techniques to transform your employees from your biggest risk into your strongest defense.

All episodes

12 episodes


Your Security Awareness Program Has Plateaued - What Happens Next?

Episode #12

Many security awareness programs eventually hit a plateau. Training completion rates look healthy. Phishing numbers aren't terrible. But progress stalls. Engagement drops. And leadership starts asking a difficult question: are we actually changing behavior?

In this episode, Eliot is joined by Anthony Davis [https://www.linkedin.com/in/infosecant], a security awareness leader with more than a decade of experience building and running programs across major UK retailers. Together they unpack why awareness programs plateau and what practitioners can do to restart momentum. They explore the warning signs that a program has gone stale, why compliance-driven training often fails to change behavior, and how awareness teams can move beyond annual training toward continuous engagement and real behavioral metrics.

If your awareness program feels stuck - or your metrics haven't moved in months - this episode offers a practical playbook for getting things moving again.

What you'll learn in this episode:
* How to recognize when your security awareness program has plateaued
* Why high training completion rates don't necessarily mean behavior change
* The biggest design flaws that cause awareness programs to stall
* Why phishing reporting is a stronger metric than completion rates
* How to connect awareness programs with SOC insights and real threat data
* Why annual training alone rarely drives lasting behavior change
* How storytelling and relevant examples improve engagement
* Practical steps to restart momentum in a stagnant awareness program

Timestamps:
(01:03) Introducing Anthony Davis and his background in awareness programs
(02:25) Early signals your program has stopped improving
(04:00) How long to wait before intervening when metrics stall
(05:05) Is a plateau caused by culture, content, or systems?
(09:20) Why engagement and communication frequency matter
(15:10) Behavior change vs policy and compliance training
(30:00) Why mandatory annual training often fails to change behavior
(39:05) Is annual security awareness training fundamentally flawed?
(52:00) What high completion rates but low behavior change really mean
(54:20) Why phishing reporting is one of the best behavior metrics
(57:00) Turning real threats into targeted awareness messaging
(59:00) Connecting awareness programs with SOC insights
(01:01:30) One action every awareness team should take to break a plateau

Host links:
* Eliot Baker: https://fi.linkedin.com/in/eliotebaker
* Anthony Davis: https://www.linkedin.com/in/infosecant

****

All Things Human Risk Management is a Hoxhunt Original Podcast. Hoxhunt [https://hoxhunt.com/] is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.

12 Mar 2026 - 1 h 1 min

The Ethical Guide to Security Storytelling: Navigating Real Breaches with Care and Respect

Episode #11

Using real breach stories in security training works... but only if you do it ethically. Real incidents make threats feel concrete, cut through "this would never happen to me" thinking, and drive behavior change. But they also carry real risk: victim-blaming, fearmongering, reputational harm, and loss of trust if handled poorly.

In this episode, Noora is joined by David Badanes [https://www.linkedin.com/in/dbadanes/] (Human Risk Management advisor) to unpack ethical security storytelling: how to use real breaches responsibly, where the line is, and how awareness teams can turn incidents into learning without becoming the villain. They break down why real stories outperform generic examples, what not to include when telling breach stories, how to operationalize ethical review with limited resources, and how empathy is the key to changing security behavior.

What you'll learn in this episode:
* Why real breach stories are more effective than made-up examples in security training
* Where ethical security storytelling goes wrong and how to avoid victim blaming
* How to decide whether a real breach is appropriate to use in training
* What awareness managers should include (and exclude) when telling real incident stories
* How to operationalize ethical review without heavy legal or HR overhead
* Why empathy drives better security behavior than fear-based messaging
* How to measure whether ethical storytelling is actually changing outcomes
* How cultural context affects cybersecurity storytelling in global organizations

Timestamps:
(00:00) Why use real breach stories in security awareness training at all
(00:15) How do real incidents change employee behavior better than generic warnings?
(01:18) Who is David Badanes and why ethical storytelling matters now
(02:21) Why do real breach stories work better than fictional examples
(03:40) What are the ethical risks of using real cyber incidents in training
(05:03) What does ethical security storytelling actually look like?
(08:27) How should awareness managers choose what parts of a breach to include
(09:24) How do you operationalize ethical review with limited time and resources?
(27:10) How does culture change what's considered ethical security storytelling?
(31:36) What good ethical storytelling achieves and what it avoids

Host links:
* Noora Ahmed-Moshe: https://www.linkedin.com/in/noora-ahmed-moshe
* David Badanes: https://www.linkedin.com/in/dbadanes

2 Feb 2026 - 34 min

The Attacks Getting Through Your Filters (and How AI Is Scaling Social Engineering)

Episode #10

Email security filters have never been better... and yet attackers are still getting through. In this episode, host Eliot is joined by Petri Kuivala [https://www.linkedin.com/in/petrikuivala?originalSubdomain=fi] (CISO advisor) and David Badanes [https://www.linkedin.com/in/dbadanes/] (Human Risk Management advisor) to break down what actually makes it past modern defenses, based on analysis of 400,000 real attacks reported by users - not simulations, not theory.

They unpack how generative AI didn't invent new attack types, but dramatically scaled social engineering, why perfect grammar is now a warning sign, how MFA is being bypassed via session hijacking, and why humans remain one of the most effective detection layers when systems fall short.

What you'll learn in this episode:
* Why phishing emails still get through secure email gateways and which attacks filters miss most often
* How AI is scaling social engineering through volume, personalization, and speed (not magic)
* Why "better language" and polished branding can now be stronger phishing signals
* How attackers bypass MFA using attacker-in-the-middle tooling and stolen session tokens
* Why QR codes, voicemail (vishing), and non-email channels are becoming more effective
* Real-world examples of deepfake voice and impersonation attacks - and where the risk is heading
* What 400,000 real attacks reveal about human detection versus automated controls
* Why good training works - and how reporting behavior changes the economics of attacks
* What security teams should focus on when filters, MFA, and signatures aren't enough

Timestamps:
(00:00) Why do phishing emails still get through secure email filters?
(03:20) What do real-world phishing attacks actually look like today?
(06:40) How is AI changing phishing and social engineering attacks?
(10:10) How can you spot AI-written phishing emails?
(13:30) How do attackers bypass MFA and steal session tokens?
(17:40) What is quishing, and why do QR code attacks work?
(19:20) How does vishing work and why are voice phishing attacks increasing?
(21:10) How are deepfakes used in real cyber attacks?
(25:40) Can humans really detect phishing better than security tools?
(29:10) Does security awareness training actually work against modern phishing?
(33:00) What does the future of AI-driven spear phishing look like?

Resources:
* Threat Intelligence Report 2025: Tactics, Trends & Risks: https://hoxhunt.com/guide/threat-intelligence-report

Host links:
* Eliot Baker: https://fi.linkedin.com/in/eliotebaker
* David Badanes: https://www.linkedin.com/in/dbadanes
* Petri Kuivala: https://www.linkedin.com/in/petrikuivala/

22 Dec 2025 - 37 min

Does Security Awareness Training Even Work? Fixing the Flaws Behind “Training Fails” Headlines

Episode #9

"Security awareness training doesn't work" makes for a punchy headline. But is the problem training itself - or the way most organizations still run compliance-driven, once-a-year programs?

In this episode, host Eliot Baker sits down with global security awareness leader David Badanes [https://www.linkedin.com/in/dbadanes] to dissect the latest "training fails" narratives (especially the UC San Diego study amplified by the Wall Street Journal) and contrast them with what actually works in high-performing human risk programs. They break down the three failure modes of legacy awareness (content, cadence, culture), show how to rebuild around behaviour change and reporting, and give you language to push back when executives show up with the latest "training doesn't work" article in hand.

What you'll learn in this episode:
* The three failure modes of legacy awareness programs: broken content, broken cadence, and broken culture.
* Why annual modules and quarterly cookie-cutter phishing tests create "security tourism," not real habit change.
* How to rebuild around role-based, adaptive, micro-learning paths that challenge people at the right level.
* Where gamification, rewards, and opt-in "spicy mode" simulations help and where they can blow up trust.
* Why click/failure rate is a weak north star, and how to use resilience ratio, time-to-report, and real-phish-to-sim-phish pipelines instead.
* How to embed "stop work authority" into digital life so employees can safely slow down urgent requests across email, Teams, Slack, WhatsApp, and SMS.
* What the UC San Diego / WSJ study got right about bad training, where the methodology falls short, and how to brief your leadership on it.
* The qualitative signals that a culture-first awareness program is working (water-cooler conversations, proactive reporting, and cross-functional pull from finance, M&A, and beyond).

Timestamps:
(00:00) Why "training doesn't work" headlines keep coming back
(02:00) Content, cadence, and culture: three failure modes of awareness
(04:30) From "security tourism" to continuous skill building
(06:30) Rebuilding the model: people, process, then technology
(09:00) Role-based and adaptive paths (and where AI actually helps)
(11:00) Gamification, leaderboards, and avoiding public shaming
(14:00) Opt-in "spicy mode," emotional reactions, and handling backlash
(19:00) Phishing beyond email: Teams, Slack, WhatsApp, SMS and more
(21:00) Stop work authority: slowing down urgent requests without blame
(22:00) Why failure rate is not your north star metric
(24:00) Resilience ratio, time-to-report, and protecting your colleagues
(26:00) Tying recognition and performance reviews to cyber-safety behaviour
(28:00) Handling repeat clickers without creating fear and avoidance
(33:00) The UC San Diego / WSJ study: what it got right and wrong
(36:00) What "good" looks like when training actually works

Resources:
* Wall Street Journal coverage of the UC San Diego cybersecurity training study: https://www.wsj.com/tech/cybersecurity/cybersecurity-training-study-f290518d
* Our take on the WSJ article: https://hoxhunt.com/blog/the-wall-street-journal-got-it-wrong-phishing-simulations-work-when-done-right

Host links:
* Eliot Baker: https://fi.linkedin.com/in/eliotebaker
* David Badanes: https://www.linkedin.com/in/dbadanes

16 Nov 2025 - 37 min

State of Phishing 2025: Why SVGs Spiked (and What Still Works)

Episode #8

Security leaders don't need more headlines - they need inbox reality: what bypasses filters, what people click, and where to train next. In this episode, host Eliot Baker sits down with Maxime Cartier [https://www.linkedin.com/in/maximecartier/], Hoxhunt's Head of Human Risk Management, to unpack the State of Phishing 2025: why SVG attachments spiked, what still works, how the Microsoft vs. Google stack changes the threat mix, and the training moves that actually change behavior.

What you'll learn in this episode:
* Why SVGs surged: "image-as-code," how attackers weaponize it, and a typical kill chain.
* What still works: PDFs/HTML + DocuSign, HR, and fake voicemail lures.
* Inbox layer > filter layer: focus on what reaches people, not what got blocked.
* Microsoft 365 vs. Google Workspace: different lure patterns, different coaching.
* Metrics that matter: report rate and time-to-report vs. legacy completion stats.
* "Report > Don't Click": building a high-signal reporting culture without blame.
* Verification tactics: quick cross-channel checks that prevent costly clicks.
* Program design: simulate what's bypassing now and coach with instant feedback.

Timestamps:
(00:38) The Cost and Prevalence of Phishing in the Age of AI
(02:11) Good News in Cybersecurity Reports
(03:25) The Importance of Effective Security Training
(06:34) AI's Role in Scaling Phishing Attacks
(08:15) Deep Dive into AI-Generated Phishing
(13:37) AI in Personalized Spear Phishing
(16:52) The Threat of DeepFakes
(18:16) Real-World Examples of DeepFake Attacks
(25:00) Spotting DeepFakes: Tips and Tricks
(27:32) Phishing: The Dominant Threat
(28:51) Top Phishing Trends for 2025
(38:38) Industry-Specific Threats and Insights
(42:16) Innovative AI Solutions for Cybersecurity

Resources:
* SVG Phishing Email Attachments (Mini-Report 2025): https://hoxhunt.com/blog/svg-phishing-email-attachments-mini-report
* Our guide to deepfake training: https://hoxhunt.com/blog/deepfake-attacks

Host links:
* Eliot Baker: https://fi.linkedin.com/in/eliotebaker
* Maxime Cartier: https://se.linkedin.com/in/maximecartier

30 Oct 2025 - 45 min
