Human Cyber-Risk Can Be Demonstrably Mitigated by Behavior Changing Training: Analysis

While traditional security awareness teaches users how to recognize social engineering, the newer behavior-changing approach trains the brain on the correct recognition of, and response to, phishing.

Behavior Changing Anti-Phish Training

The process of encouraging secure cyber habits in end users is evolving from traditional awareness training toward changing end user behavior. The shift reflects a growing acceptance that traditional methods haven’t worked.

Awareness training had unsophisticated beginnings. “Mouse pads and coffee mugs that read: ‘We can’t spell S E C _ R I T Y without U’,” recalls Timothy Morris, chief security advisor at Tanium. This approach improved when security teams began manually sending employees simulated phishing emails, and improved further when vendor products automated, scaled, and measured the process.

The latest approach attempts to use neuroscience to shape an automatic good user response to anything phishy. While traditional security awareness teaches users how to recognize social engineering, the new behavior-changing approach trains the brain – almost pre-programs it – on the correct recognition of, and response to, phishing.

Hoxhunt belongs to this school of user security. Its latest report (PDF) focuses on how behavior changing has worked within the critical industries. It is compiled from an analysis of more than 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people, all taking part in a security behavior change program. The key takeaway is that employees within critical industries are particularly responsive to Hoxhunt’s behavior-changing methodology.

The science behind the Hoxhunt platform can be related to the principles outlined by Stanford adjunct professor BJ Fogg’s ‘Tiny Habits’. It is based on short, frequent, positive ‘nudges’ controlled by an AI platform that tailors the program to deliver highly personalized learning paths to individual users. 

“Airbus is a good example of our scale,” Jeff Platon, CMO at Hoxhunt, explains. “It has 438,000 employees. They have 438,000 individual learning paths that have been built by the Hoxhunt platform. And I think we’ve conducted roughly 65 million different learning moments.”

The process is based on repeated ‘micro learning moments’ (they take between 60 and 90 seconds) that are delivered as positive reinforcement in a gamified experience. Neuroscience demonstrates that such a process changes the synapses (the junction of different nerve cells) within the brain. The result is behavior change. 


While traditional awareness training seeks to teach users how to recognize a phish, behavior change teaches recognition together with the automatic correct response. Where awareness training struggles to overcome the memory and focus limitations of the human brain – described in this context by Bec McKeown, founder and principal psychologist at Mind Science, as ‘a limited capacity information processor’ – behavior changing bakes in the correct recognition and response, eliminating reliance on externally imposed memory and focus. Recognizing and correctly responding to phishing becomes something like the mythical muscle memory of the brain.

“Behavior-based engagement with phishing emails,” suggests Krishna Vishnubhotla, VP of product strategy at Zimperium, “is better than traditional security courses as it better prepares you to recognize an attack. It becomes second nature to report it, especially when it is AI-generated adaptive learning.”

The Hoxhunt analysis focuses on the critical industries (CI) that use its platform. It finds that real threat detection runs at 65.6% in CI compared to a 60% global average. The success rate in CI is improved by 31%, compared to a global average improvement of 7%. The failure rate in CI is reduced by 65%, compared to a global average reduction of 13.2%.

Hoxhunt summarizes these figures with what it calls the resiliency ratio. “We see critical infrastructure outperforming the global averages. We think this is best represented as them being about 50% higher than the global average,” said Platon. This is the resiliency ratio. “It’s the ability to successfully detect a real attack divided by the failure rate – and critical infrastructure performs at 10.9 versus 7.2 for the global average. So, 51% better is significant.”

The only blot on CI performance is spoofed internal organizational communications, where CI’s failure rate is 11.4% higher than the global average.

While it is probable that the overall behavior changing success rate within the critical industries is somewhat distorted by the pressures of greater external regulation and the awareness of increased geopolitical tensions, this success can only be welcome. Behavior changing seems to be the next logical step toward hardening the user.

Espoo, Finland-based Hoxhunt was founded in 2016 by Mika Aalto (CEO) and Pyry Avist (CTO).


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
