All Things Human Risk Management

Hoxhunt

All Things Human Risk Management is the essential podcast for cybersecurity professionals seeking to strengthen their organization's human defenses. Get actionable insights on emerging threats, behavioral science, and data-driven training techniques to transform your employees from your biggest risk into your strongest defense.

Episodes

  1. 27 AUG

    If Completion Rates Don’t Prove Anything, What Does? Why Security Programs Stall Without Real Behavior Change

    Episode #5

    “We have 100% completion… but nothing’s changed.” It’s a complaint security leaders are making louder and more often. Completion rates are being called “cosmetic,” “misleading,” and “just optics” - metrics that check the compliance box but fail to reduce real human risk. In this episode, host Eliot Baker sits down with Maxime Cartier, Head of Human Risk at Hoxhunt, to unpack what organizations are getting wrong about measurement and what the most mature programs are doing instead. Drawing from Maxime’s recent insights at the SANS Security Awareness Summit, this conversation cuts through outdated KPIs and explores what actually signals behavioral change. You’ll hear what practitioners are building in the real world, how to bring leadership along without losing them in complexity, and how to measure success beyond tick-box numbers. This isn’t theoretical - it’s tactical guidance from a field that’s evolving fast.

    What you’ll learn in this episode:
    Why 100% training completion doesn’t mean behavior has changed
    How to spot “vanity metrics” and what to replace them with
    Why security programs are borrowing measurement models from public health and road safety
    What early signals suggest real change (even before risk metrics improve)
    How to make behavioral metrics land with your board, not just your CISO

    Timestamps:
    (00:52) Maxime Cartier's Conference Insights
    (02:16) The Problem with Training and Behavior Change
    (03:40) The Misleading Nature of Completion Rates
    (07:05) Advanced Metrics and Dashboards
    (12:48) Behavioral Change and Public Health Parallels
    (16:59) Early Indicators of Behavior Change
    (19:39) Moving Beyond Compliance: Internal Buy-In
    (35:43) The Power of Storytelling in Metrics

    Resources:
    Our guide to the essential metrics you should be measuring: https://hoxhunt.com/blog/4-essential-phishing-metrics
    Hoxhunt's HRM playbook: https://hoxhunt.com/guide/human-risk-management-playbook
    Bird & Bird case study: https://hoxhunt.com/case-studies/bird-bird-cybersecurity-rules-in-favor-of-the-hoxhunt-human-risk-management-platform

    Host links:
    Eliot Baker: https://www.linkedin.com/in/eliotebaker/
    Maxime Cartier: https://www.linkedin.com/in/maximecartier

    ****

    All Things Human Risk Management is a Hoxhunt Original Podcast. Hoxhunt is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.

    41 min
  2. 22 JUL

    AI Phishing Attacks Now 24% More Effective Than Humans: Here’s How to Fight Back

    Episode #4

    AI might be transforming cybersecurity… but not always in the way vendors want you to believe. In this episode, Eliot Baker sits down with Hoxhunt CTO and Co-founder Pyry Åvist to expose what’s actually happening at the front lines of the AI-powered phishing threat. No speculation. Just real research, real data, and real implications for your defense strategy. Together, they unpack how Hoxhunt’s research team built and tested agentic AI spear phishing agents and what happened when those AI-generated attacks went head-to-head with elite human red teamers. The result? A 24% higher failure rate for AI phishing emails, across 50,000+ real-world simulations. This is more than just a stat. It’s a signal: AI threats are getting smarter, faster than most training programs can adapt. This episode is both a behind-the-scenes look at the largest AI phishing benchmark ever run and a tactical guide for what to do next.

    Here’s what you’ll learn in this episode:
    How AI spear phishing attacks crossed a key threshold in spring 2025 and why that changes everything
    Why traditional training templates and static simulations are now a liability
    What “agentic” AI really means and how it’s enabling scalable, personalized phishing at unprecedented speed
    The common weaknesses attackers exploit (and how to pressure-test your own workforce against them)
    How training programs can use AI to fight back, with individualized simulation paths that actually evolve with the threat

    Timestamps:
    (00:38) Hoxhunt's AI-Powered Approach
    (01:13) The Evolution of AI in Phishing
    (02:21) AI's Dual Purpose: Good vs. Evil
    (04:08) The Rising Cost of Phishing
    (05:50) Human vs. AI in Phishing Attacks
    (08:45) The Skynet Moment: AI Surpasses Humans
    (16:15) The Future of AI in Phishing
    (17:55) Conclusion and Final Thoughts

    To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk

    Resources:
    Our research on AI phishing vs human red teams: https://hoxhunt.com/blog/ai-powered-phishing-vs-humans
    A breakdown of the current threat posed by AI attacks: https://hoxhunt.com/blog/ai-phishing-attacks

    Host links:
    Eliot Baker: https://www.linkedin.com/in/eliotebaker/
    Pyry Åvist: https://www.linkedin.com/in/pyryavist/

    28 min
  3. 29 JUN

    What Happens When Users Keep Failing? And Should We Punish Them?

    Episode #3

    Should We Punish Employees for Security Mistakes? Eliot is joined by Noora Ahmed-Moshe (VP of Strategy & Operations, Hoxhunt) for a discussion on one of cybersecurity’s most divisive questions: should repeat offenders in training programs be punished... or is there a better way? Leveraging behavioral science, real-world case studies, and Noora’s global experience advising security leaders, this episode breaks down the flawed logic behind punitive training and surfaces more effective, scalable alternatives.

    Here’s what you’ll learn in this episode:
    Why punishment-based training strategies often backfire and how they can destroy psychological safety
    How to understand the psychology of repeat clickers and uncover hidden motivations
    What neuroscience and behavioral science say about fear vs. positive reinforcement in learning
    How real organizations shifted from punitive to positive - and saw massive gains in threat reporting and engagement
    Why individualized, adaptive training paths outperform one-size-fits-all models
    What to do when even your best-designed training isn’t working for a small subset of users
    The unintended consequences of using HR as a disciplinary tool in security awareness programs
    How to counter the “optics of leniency” argument with data and outcomes

    This isn’t about being soft. It’s about being strategic. If your goal is measurable, sustainable behavior change - this episode is essential listening.

    Timestamps:
    (00:00) Introduction to the Podcast
    (00:30) Setting the Scene: The Dilemma of Punishing Employees
    (01:20) Understanding Behavior Change
    (03:08) The Pitfalls of Punitive Approaches
    (05:08) Real-World Consequences of Fear-Based Strategies
    (07:26) Exploring Positive Reinforcement
    (11:22) Addressing Repeat Offenders
    (37:05) The Role of HR in Security Training
    (40:42) The Importance of Psychological Safety
    (48:05) Final Thoughts and Summary

    To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk

    Resources:
    A short guide to effective security behavior change: https://hoxhunt.com/blog/cybersecurity-behavior-change
    Qualcomm Case Study: https://hoxhunt.com/case-studies/how-qualcomm-used-targeted-security-awareness-training-for-employees
    Guide to positive vs punitive approaches: https://hoxhunt.com/blog/punitive-vs-positive-cybersecurity-awareness-training

    Host links:
    Eliot Baker: https://www.linkedin.com/in/eliotebaker/
    Noora Ahmed-Moshe: https://fi.linkedin.com/in/noora-ahmed-moshe

    50 min
  4. 23 MAY

    Missed RSA 2025? Here’s What Cybersecurity Experts Are Really Talking About

    Episode #2

    RSA 2025 was full of AI claims - but what were security leaders really worried about? Eliot is joined by Noora Ahmed-Moshe (VP of Strategy, Hoxhunt) for a no-spin debrief on RSA 2025. With AI hype at full volume and booth gimmicks ranging from goats to deepfake demos, it’s easy to miss the real signals in the noise. Eliot and Noora cut through the chaos to unpack what security leaders were actually focused on - and what it means for your strategy. Drawing from hundreds of in-person conversations across the conference floor, they surface the real fears, needs, and shifts happening in the security community. This isn't a recap of vendor taglines - it's a pulse check on how defenders are thinking, what they're struggling with, and where the field is heading next.

    Here’s what you’ll learn in this episode:
    How agentic AI is shifting from abstract risk to tactical threat - fast
    Why vishing and deepfake audio are already operational threats, not future hypotheticals
    What CISOs are really saying about the limitations of checkbox security awareness
    How governments are quietly moving beyond compliance toward measurable risk reduction
    Why “AI-powered” marketing claims are falling flat - and how real buyers are filtering signal from fluff

    Timestamps:
    (00:24) Overview of RSA 2025
    (00:51) Hoxhunt Cyber News Roundup
    (02:02) Verizon DBIR 2025 Insights
    (03:12) Generative AI Risks and Third-Party Vulnerabilities
    (03:52) NIST 2 Directive in the EU
    (04:57) Experiences at RSA 2025
    (05:48) The Human Element at RSA
    (06:50) AI Dominates RSA Conversations
    (09:04) Challenges and Themes in Cybersecurity
    (12:44) Agentic AI and Its Implications
    (15:13) Deepfakes and Vishing Concerns
    (16:38) Omnichannel Phishing Threats
    (17:21) Positive Conversations at RSA
    (18:46) Surprising Trends and Insights
    (27:04) Conclusion and Final Thoughts

    To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk

    Resources:
    Our research on AI phishing vs human red teams: https://hoxhunt.com/blog/ai-powered-phishing-vs-humans
    Guide to deepfake phishing: https://hoxhunt.com/blog/deepfake-attacks

    Host links:
    Eliot Baker: https://www.linkedin.com/in/eliotebaker/
    Noora Ahmed-Moshe: https://linkedin.com/in/noora-ahmed-moshe

    27 min
  5. 26 MAR

    How to Measure Behavior Change (Moving From Awareness to Real Risk Reduction)

    Episode #1

    Are your security awareness metrics actually measuring risk reduction? Or just checking boxes? Eliot is joined by Maxime Cartier (Head of Human Risk, Hoxhunt) to break down what truly works when it comes to reducing human cyber risk. Maxime has spent close to 10 years helping organizations elevate security awareness into human-centered risk management and led security culture initiatives for a major global retailer. In this episode, he shares the metrics that actually matter when evaluating your human defense layer and practical frameworks for quantifying risk reduction across your organization.

    Here's what you'll learn in this episode:
    Why traditional metrics fail to capture real risk reduction
    The measurement framework that finally proves ROI to leadership
    Behavioral science secrets that transform knowledge into habits
    How top-performing organizations quantify their human defense layer

    Timestamps:
    (00:00) Introduction to the Podcast
    (01:08) Understanding Security Awareness
    (02:54) The Evolution of Security Awareness
    (04:51) Compliance and Security Awareness
    (06:49) From Awareness to Behavior Change
    (08:40) Measuring Security Behaviors
    (11:14) Real-World Examples and Anecdotes
    (21:44) The Importance of Reporting Rates
    (24:15) Positive Security Culture
    (38:30) Adapting to New Threats
    (45:13) Conclusion and Final Thoughts

    To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk

    Resources:
    Guide to behavior-based training: https://hoxhunt.com/blog/behavior-based-cyber-security-training
    4 essential metrics to start tracking: https://hoxhunt.com/blog/4-essential-phishing-metrics

    Host links:
    Eliot Baker: https://www.linkedin.com/in/eliotebaker/
    Maxime Cartier: https://www.linkedin.com/in/maximecartier/

    47 min
