Addressing Employee Threat Reporting Gaps, Static Training Limitations, and AI-Driven Approaches to Reducing Human Risk
- Aalto argues that people are not the problem. Risk often stems from behaviors that can be measured, coached, and improved.
- The focus should be on improving outcomes rather than assigning blame when employees interact with phishing attacks.
- Timely micro-learning moments create far more engagement and long-term behavior change.
- Hoxhunt has found that AI helps organizations analyze behavioral security data and deliver targeted interventions.
- Silence is not the same thing as security, and so organizations should measure who recognizes, reports, and helps stop threats.
Mika Aalto, CEO and Co-Founder of Hoxhunt, discusses why training completion and phishing failure metrics do not reflect real security outcomes and how to better understand human risk. Aalto is a technology entrepreneur with over 20 years of experience in machine learning, behavioral analytics, and software development.
Silence, he warns, should not be confused with security. An employee who does nothing may look "safe" in the metrics, but during a real attack, you don't know whether they'll recognize and report it.
Just because employees are not clicking phishing links doesn't mean they are helping defend the organization. He highlights how organizations struggle to change the behavior of repeat phishing clickers because traditional awareness training is poorly designed.
Aalto also observes that many programs measure failures but ignore positive behaviors such as reporting suspicious emails. He encourages organizations to foster an environment where employees feel safe and recognized for reporting suspicious activity.
Vishwa: If most breaches start with people, what do security teams miss about human risks?
Mika: One of the biggest misconceptions in cybersecurity is the idea that people themselves are the problem. In reality, most incidents stem from risky behaviors that result from insufficient training and communication.
We didn’t evolve to perceive danger in the online environment as we did in the jungle. Digital self-preservation skills must be acquired through the habitualization of safe online behaviors.
Once identified and contextualized, these risky behaviors can be measurably influenced, coached, and improved at organizational scale. Human Risk Management requires a behavior-based approach.
Security teams need visibility into the actions that actually cause and reduce risk: whether employees can recognize and report phishing threats, follow secure AI usage policies, escalate suspicious activity quickly, and improve those behaviors over time.
When organizations focus on measurable behavioral outcomes, they can drive genuine security culture transformation rather than simply checking compliance boxes. What’s exciting is that organizations now have access to a huge amount of behavioral security data.
We worked with Uber on a CSO Award-winning program that combined behavioral signal data with their training program. With AI, that data can be used to identify risk patterns in real time and deliver personalized nudges or micro-trainings exactly when risk is occurring.
Even this year’s Verizon DBIR, which we participated in as a research partner with Verizon, reflects that many security failures, including patching delays and vulnerability management gaps, are often behavioral and operational challenges as much as technical ones.
Human Risk Management is ultimately about helping people make better security decisions more consistently across the organization. The people responsible for patching are employees too. This creates a major opportunity for security awareness and Human Risk Management teams to collaborate more closely with vulnerability management teams.
We spend a lot of time thinking about how to influence secure behavior at scale. Those same principles apply directly to improving remediation outcomes across the organization.
Vishwa: When users repeatedly struggle with phishing simulations, what might help without creating blame or fatigue?
Mika: Reforming repeat offenders has been one of the Holy Grails of cyber risk reduction since the advent of phishing. And for good reason: Cyentia research has shown that 80-90% of incidents come from a small subset of the user population, under 5% of employees, who seem to click on everything.
But guess what? That is really reflective of how poorly designed the traditional, static awareness training model is at reaching people where they’re at and taking them to where they need to be.
We worked with Qualcomm and helped their riskiest, repeat-clicking thousand employees become twice as high-performing as their 30,000 other colleagues within 6 months of adopting a behavior-based, personalized phishing training model.
We had similar results with LyondellBasell, and many others. The trick is getting people personalized security awareness and phishing training that adapts to their roles and skill levels as they change over time.
AI makes personalization possible at any scale, if the platform is good. Our approach to earning long-term, voluntary engagement with security training is deeply rooted in game design principles.
Without trivializing the subject, we make learning and interacting with cybersecurity as rewarding as playing a game. People will stay engaged and continue to build their knowledge and skills when they feel they are being challenged at the edge of their skill level.
So the best way to sustain engagement and continuously build cyber self-defense skills against a rapidly evolving threat landscape is to reward good behaviors with digitally induced dopamine hits and gently coach away risky behaviors with the same positive-psychology user experience.
Vishwa: What security behavior changes do organizations often try to drive in employees, that don’t work as expected? What are the likely causes?
Mika: Too many organizations still approach phishing awareness through fear and punishment. They run “gotcha” phishing simulations, obsess over failure rates, and treat bad clicks as the primary measure of human risk.
The problem is that this creates a narrow and incomplete view of security behavior while discouraging active participation from employees who would otherwise be security assets but are limited by fear of making mistakes or reporting suspicious activity.
Focusing primarily on failure also limits learning opportunities. In many traditional programs, employees only receive feedback after a bad outcome, which means the organization is reinforcing failure rather than strengthening successful security behaviors.
The most effective programs instead focus on the behaviors they want to grow:
- Recognizing suspicious activity,
- Reporting threats quickly,
- Following secure workflows, and
- Participating actively in the organization’s security culture.
Positive reinforcement, adaptive training, gamification, and timely micro-learning moments create far more engagement and long-term behavior change than punitive approaches alone.
Ultimately, organizations should aim to turn employees into active participants in cyber defense, not passive compliance users.
When people feel psychologically safe and rewarded for contributing, they become an extension of the security team: identifying threats that bypass technical controls, accelerating incident response, and strengthening organizational resilience at scale.
Vishwa: What intervention do you suggest for ‘silent users’ or employees who don’t interact with threats but also don’t report them?
Mika: Stop treating security awareness as a punitive exercise and start treating it as a performance issue and as a behavior design challenge.
Employees will seek to avoid interactions with a punitive program for fear of getting into trouble. This effectively encourages apathy and discourages learning and engagement.
Employees are far more likely to report threats when they feel psychologically safe, recognized for good behavior, and confident they won’t be punished for making mistakes or raising false alarms. That’s why positive reinforcement matters so much in Human Risk Management. The behaviors you reward are the behaviors that grow.
Organizations should actively celebrate and incentivize reporting behavior through
- Recognition programs,
- Gamification,
- Leaderboards,
- Team competitions, or
- Even small branded rewards that make participation feel visible and valued.
The goal is to create a culture where employees see themselves as active contributors to security, not passive compliance participants.
AI also creates an opportunity to personalize this experience at scale. Different employees disengage for different reasons, so training and interventions should adapt accordingly.
By combining AI with game and behavioral design principles, organizations can deliver the right nudges, micro-trainings, and encouragement at the right moment, making security feel
- approachable,
- collaborative, and
- even enjoyable rather than intimidating.
The organizations seeing the strongest results today are the ones building trust and engagement, not fear.
Vishwa: Does training completion create a false sense of security? What signals suggest a human-risk program is not as effective?
Mika: No question. One of the biggest problems in traditional security awareness is that organizations mistake activity metrics for risk reduction.
Training completion rates and low failure rates can create a dangerous false sense of security if they exist in isolation from behavioral participation data.
Completing training only tells you how effectively an employee can click through some reading and multiple-choice questions. It doesn’t tell you much about their cyber skill level or susceptibility to an attack.
Usually, high failure rates ranging from 15-50% on a phishing benchmark test will light a fire under security leadership to adopt a better training model. But this is still a flawed approach because, when you’re only looking at failure rates in isolation, even a low failure rate within a low overall participation rate context will create a false sense of security.
If only 10–20% of employees actively report threats, a “good” phishing failure rate below 6% tells you very little about the true resilience of the organization because you still don’t know how most employees will behave during a real attack.
Silence is not the same thing as security. Organizations need to measure not only
- who fails, but
- who successfully recognizes, reports, and helps stop threats.
Strong Human Risk Management programs focus on outcome-driven metrics tied to real behavior:
- Threat reporting rates,
- Reporting speed,
- Engagement with adaptive training,
- Improvement over time, and
- Participation across the organization.
Many programs plateau because they optimize for compliance activity instead of continuously strengthening human resilience against evolving attacks.
The organizations making the most progress today are using behavioral data and AI-driven personalization to adapt training continuously, reinforce positive security behaviors, and identify pockets of concentrated risk before they turn into incidents.
Vishwa: Does AI have an impact on distinguishing between careless behavior and genuinely sophisticated attacks?
Mika: It can, but the more important question is why that distinction matters in the first place. Security programs have historically focused too much on assigning blame instead of improving outcomes.
Whether an employee clicked because they were distracted during a busy workflow or because they encountered a highly sophisticated AI-generated phishing attack, the real goal should be building a reflexive culture of reporting and rapid response.
We want the lessons learned during training to carry over into real-world behavior, where employees feel comfortable reporting anything suspicious without fear of punishment. AI can absolutely help here.
- It allows organizations to analyze attack sophistication at scale by evaluating factors like
- social engineering complexity,
- kill-chain depth,
- impersonation quality, and
- behavioral patterns across campaigns.
- AI can also personalize simulations and micro-training to strengthen weak spots over time.
But equally important, AI helps security teams operationalize reporting itself. If employees are encouraged to report more threats, organizations need automated triage and response systems capable of quickly categorizing reported emails as
- Spam,
- Benign internal traffic, or
- Active malicious campaigns, so analysts are not overwhelmed by volume.
The strongest Human Risk Management programs combine seamless reporting workflows, adaptive AI-driven training, and automated response capabilities to create a continuous feedback loop where both employees and defenders improve together.
Vishwa: Are there behavioral signals or actions that help understand users who may be more exposed to phishing?
Mika: Absolutely. Behavioral signal-based Human Risk Management is where the industry is heading because it gives organizations a much more complete picture of risk than phishing failure rates alone.
Modern security teams can now measure signals such as
- threat reporting behavior,
- MFA adoption,
- password hygiene,
- unsafe data sharing practices,
- use of unauthorized AI tools,
- risky browser behavior,
- removable media usage, and
- adherence to security policies.
When these behavioral signals are combined with phishing simulation and real threat reporting data, organizations can identify where risk is concentrated and intervene much earlier.
What’s powerful is not just collecting the data but operationalizing it. Leading organizations are increasingly using behavioral signals to trigger adaptive nudges, micro-trainings, and targeted interventions in real time.
Uber’s CSO Award-winning Human Risk Management program is a strong example of this shift. Rather than relying on static annual awareness training, Uber worked with Hoxhunt to build a signal-driven model powered by telemetry from across their environment.
That allowed them to deliver highly personalized interventions and adaptive phishing simulations at scale to roughly 25,000 employees while making human risk measurable and actively manageable by a relatively small team.
The broader lesson is that human risk cannot be understood through isolated events like clicks alone. Organizations need continuous visibility into how employees
- behave across workflows,
- tools,
- communication channels, and
- real-world threat scenarios.
With AI, these behavioral insights can now be analyzed and acted on continuously, helping security teams move from reactive awareness programs toward adaptive systems that strengthen resilience over time.
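The interview argues that a low phishing failure rate says little when most recipients are silent, and that programs should measure reporting rate and reporting speed alongside failures. The following is an added example, not code from the interview or from Hoxhunt, showing how those outcome metrics can be computed from a simulation event log. The event format, the two campaigns, and the 50% reporting floor used by the check are constructed for illustration; the 6% failure threshold is the figure the interview cites as a "good" failure rate.

```python
"""Compute phishing-simulation outcome metrics (failure rate, reporting rate,
silent rate, median time to report) from an event log.

Added example; the event schema and sample data below are constructed and
are not Hoxhunt's data model.
"""
from datetime import datetime, timedelta
from statistics import median


def build_campaign(name, sent_at, n_users, clicks, reports):
    """Return (campaign, user, event, timestamp) tuples for one campaign.

    `clicks` and `reports` map a user id to minutes after delivery at which
    that user clicked the link or reported the email.
    """
    events = []
    for i in range(1, n_users + 1):
        user = f"u{i:02d}"
        events.append((name, user, "sent", sent_at))
        if user in clicks:
            events.append((name, user, "click", sent_at + timedelta(minutes=clicks[user])))
        if user in reports:
            events.append((name, user, "report", sent_at + timedelta(minutes=reports[user])))
    return events


# Constructed sample: both campaigns have one click out of 20 recipients, so
# the same 5% failure rate, but very different reporting participation.
# In campaign A, u01 clicks and then reports; that user counts as both a
# failure and a report, because a late report still shortens response time.
SAMPLE_EVENTS = (
    build_campaign("A", datetime(2024, 5, 6, 9, 0), 20,
                   clicks={"u01": 5},
                   reports={"u01": 7, "u02": 2, "u03": 4, "u04": 10, "u05": 15,
                            "u06": 30, "u07": 60, "u08": 3, "u09": 8, "u10": 12,
                            "u11": 20, "u12": 45, "u13": 90, "u14": 6})
    + build_campaign("B", datetime(2024, 5, 6, 10, 0), 20,
                     clicks={"u01": 3},
                     reports={"u02": 105})
)


def campaign_metrics(events):
    """Aggregate per-user outcomes into per-campaign metrics."""
    per_user = {}  # (campaign, user) -> earliest timestamp of each event kind
    for campaign, user, kind, ts in events:
        rec = per_user.setdefault((campaign, user), {"sent": None, "click": None, "report": None})
        if rec[kind] is None or ts < rec[kind]:
            rec[kind] = ts

    result = {}
    for campaign in sorted({c for c, _ in per_user}):
        recs = [r for (c, _), r in per_user.items() if c == campaign and r["sent"] is not None]
        sent = len(recs)
        clicked = sum(1 for r in recs if r["click"] is not None)
        reported = sum(1 for r in recs if r["report"] is not None)
        silent = sum(1 for r in recs if r["click"] is None and r["report"] is None)
        minutes = [(r["report"] - r["sent"]).total_seconds() / 60
                   for r in recs if r["report"] is not None]
        result[campaign] = {
            "sent": sent,
            "clicked": clicked,
            "reported": reported,
            "silent": silent,
            "failure_rate": clicked / sent,
            "report_rate": reported / sent,
            "silent_rate": silent / sent,
            "median_report_minutes": median(minutes) if minutes else None,
        }
    return result


def false_sense_of_security(metrics, max_failure=0.06, min_report=0.5):
    """True when the failure rate looks good but reporting participation is low.

    max_failure follows the ~6% "good" failure rate the interview mentions;
    min_report is an assumed program target, not a figure from the page.
    """
    return metrics["failure_rate"] < max_failure and metrics["report_rate"] < min_report


if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"campaign {name}: fail {m['failure_rate']:.0%}, report {m['report_rate']:.0%}, "
              f"silent {m['silent_rate']:.0%}, median report {m['median_report_minutes']} min, "
              f"false sense of security: {false_sense_of_security(m)}")
```

Both campaigns pass a failure-rate-only review; only the reporting and silent rates separate campaign A (70% reporting, median 11 minutes to first report) from campaign B (5% reporting, 90% silent), which is the distinction the interview says most programs never measure.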