The Future of Employee Security Awareness Behaviour and Culture Change for Enterprise Organisations

This is the first in a series of blogs showing how, by changing security culture, you can easily reduce human risk and get your employees to truly engage in your security awareness programme.


By getting your employees to report more, you have the data to ensure that spear phishing, business email compromise and ransomware attacks, experienced every day by your employees, can be reused virtually to hack your employees with similar risks across the business.


By using machine learning in a positive gamified security culture, you can automate and train your employees in microseconds on the type of attacks they are likely to experience. Your employees will get truly amazing results compared to the old way of security awareness training. Here are a few examples of the three main challenges we speak to clients about every day that impact implementing a strong security culture.

  • 70% of organisations with security awareness training have had an incident caused by employee security behaviour. Awareness training alone is not reducing risk effectively enough.

There is only one way to enable increased knowledge retention using adaptive control algorithms to change security culture and enable just-in-time training based on real threats. We have discovered the best way is to use Adaptive Continuous Algorithms to automate the flow of learning depending on your learner’s level of knowledge.

  • Social attacks from phishing are not reported by employees.

Using gamification and employee-focused techniques helps employees to report more potential attacks.

By making gamification training fun and engaging, you can make sure employees are rewarded with points when they report threats, and you can show them how their progress compares to other employees on the leaderboard.

  • Employees still click on phishing emails within organisations that believe they have a good security culture. How do you prove you have minimised risk?

The industry is flooded with pop-up awareness training providers throwing around the terms “awareness”, “behaviour” and “culture” almost interchangeably. Forgetting the marketing hype, what do these terms mean to organisations looking to reduce cyber security risk?

Security Awareness simply means, “does an employee know how to behave securely?” Raising awareness does not guarantee an improvement in behaviour or a reduction in risk. Security behaviour is how people behave from a security perspective in real-life situations (e.g. do they set strong passwords?).


This is influenced by awareness, capability, attitude, cognitive process and social norms. Measuring security behaviour is a great measure of risk for known behaviours.


Ira Winkler, RSA keynote speaker, explains the science behind behavioural change in his white paper: https://www.hoxhunt.com/blog/case-study/ira-winkler-why-hoxhunt-is-unique


Awareness training alone is not reducing risk effectively enough.

Today learning is about “learning flow” and not “instruction”, helping bring learning and knowledge retention to people throughout their digital experience.


A major challenge for clients is this: how do you get your employees to take cyber training and retain knowledge, minimising risk to your business, amid your daily routine and daily digital distraction?


Security awareness and changing behaviour isn’t enough. It's all about security flows, changing your security culture and minimising risk to employees and the business by ensuring the right training provided to the employee is based on their job role, function and geography to minimise the impact to their working day.


Organisations are now working on the best methods to:

  • Take information on typical attacks relevant to their employees' job roles and provide just-in-time training to employees.

  • Explain to their business stakeholders how you can capture information from the wild and then automate the sending of phishing attacks based on their employees' level of expertise.

  • Learn to use machine learning to automate the learning process positively.

  • Use the science behind automating this process and improve their programme using adaptive continuous algorithms, allowing them to run the flows above on autopilot dependent on user level of knowledge.

By using a solution with adaptive continuous algorithms, they can add value to existing manual processes and provide just in time training to minimise risk.


“There is no such thing as memorizing. We can think, we can repeat, we can recall and w