What Happens When Users Keep Failing? And Should We Punish Them?

Episode #3

Should We Punish Employees for Security Mistakes?

Eliot is joined by Noora Ahmed-Moshe VP of Strategy & Operations, Hoxhunt) for a discussion on one of cybersecurity’s most divisive questions: should repeat offenders in training programs be punished... or is there a better way?

Leveraging on behavioral science, real-world case studies, and Noora’s global experience advising security leaders, this episode breaks down the flawed logic behind punitive training and surfaces more effective, scalable alternatives.

Here’s what you’ll learn in this episode:

• Why punishment-based training strategies often backfire and how they can destroy psychological safety

• How to understand the psychology of repeat clickers and uncover hidden motivations

• What neuroscience and behavioral science say about fear vs. positive reinforcement in learning

• How real organizations shifted from punitive to positive - and saw massive gains in threat reporting and engagement

• Why individualized, adaptive training paths outperform one-size-fits-all models

• What to do when even your best-designed training isn’t working for a small subset of users

• The unintended consequences of using HR as a disciplinary tool in security awareness programs

• How to counter the “optics of leniency” argument with data and outcomes

This isn’t about being soft. It’s about being strategic. If your goal is measurable, sustainable behavior change - this episode is essential listening.

Timestamps:

• (00:00) Introduction to the Podcast
• (00:30) Setting the Scene: The Dilemma of Punishing Employees
• (01:20) Understanding Behavior Change
• (03:08) The Pitfalls of Punitive Approaches
• (05:08) Real-World Consequences of Fear-Based Strategies
• (07:26) Exploring Positive Reinforcement
• (11:22) Addressing Repeat Offenders
• (37:05) The Role of HR in Security Training
• (40:42) The Importance of Psychological Safety
• (48:05) Final Thoughts and Summary

To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter:⁠⁠⁠ https://hoxhunt.com/all-things-human-risk⁠⁠

Resources:

• A short guide to effective security behavior change: https://hoxhunt.com/blog/cybersecurity-behavior-change

  Qualcomm Case Study: https://hoxhunt.com/case-studies/how-qualcomm-used-targeted-security-awareness-training-for-employees

• Guide to positive vs punitive approaches: https://hoxhunt.com/blog/punitive-vs-positive-cybersecurity-awareness-training

Host links:

Eliot Baker:⁠ ⁠https://www.linkedin.com/in/eliotebaker/⁠⁠

Noora Ahmed-Moshe:⁠ https://fi.linkedin.com/in/noora-ahmed-moshe

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

⁠Hoxhunt⁠⁠ is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.