Creating a Company Culture for Security: What Actually Works (According to 3M+ Hoxhunt Users)

Your essential guide to building a robust security culture. How to implement effective training, policies, and recognition systems to mitigate human cyber risk.

Updated May 21, 2025. Written by Hoxhunt.
You've heard it before - the human factor remains cybersecurity’s biggest challenge.

But it's also your greatest opportunity.

The Verizon Data Breach Investigations Report 2025 highlights that 60% of breaches involve the human element.

However, security teams are beginning to shift the narrative.

They're no longer seeing employees as the weakest link, but instead as active defenders against cyber threats.

Having a strong cybersecurity culture isn't about ticking boxes.

It's about making secure behaviors part of our daily routines and encouraging everyone to report suspicious activities.

This takes time, leadership, and a shift from just awareness training to real behavior change.

Below, we'll break down exactly how security teams can lay the groundwork for a sustainable security culture that results in real, tangible behavior change.

We went in-depth on measuring and changing employee behavior on the All Things Human Risk Management Podcast.

Knowledge alone isn't enough

Awareness training alone just doesn't cut it anymore.

Knowing something doesn't mean you'll change your habits. I know broccoli is healthy - but do I eat it daily? Probably not.

Traditional training methods rarely lead to measurable behavior changes.

Most people are aware of the threats. Most people know that cybersecurity is important.

That's why we've started looking beyond awareness.

If people are already aware, then what do we need to do?

It's crucial to align three dimensions: knowledge, attitudes, and behaviors.

If you only train for knowledge, you're missing two-thirds of the equation.

Awareness alone might give employees information, but true security comes from fostering secure habits.

Comprehensive security training needs to be interactive, engaging, and regularly reinforced.

It's not enough to train for the sake of it; you need interactive training sessions that are relevant to employees' daily routines.

You need motivation, ability and prompt (The BMAP Model)

At Hoxhunt, our training approach is rooted in behavioral science.

Behavior change happens when three elements align: Motivation, Ability, and Prompt.

  • Motivation: Hoxhunt uses gamification (stars, badges, leaderboards) to make security training rewarding.
  • Ability: Personalized difficulty levels and a one-click reporting button ensure actions are easy to complete.
  • Prompt: We prompt employees regularly through engaging, timely phishing simulations that serve as reminders to act.

We need to create motivation. That may be the most instinctive thing we all try to do when we try to influence someone.

Hoxhunt trains people in their ‘zone of proximal development’ so they’re always challenged but never overwhelmed.

By continuously refining this balance, we've seen tremendous improvement in employee participation and secure behaviors.

Figure: the Fogg Behavior Model.

Importance of security culture: why does it matter?

The threat landscape is always evolving. But your people can evolve faster.

Building a strong security culture is no longer optional. It’s essential - not just to reduce cyber risk or check the compliance box, but to embed secure behaviors, build trust, and build resilience across your organization.

Cybersecurity culture isn’t just a tagline or a leadership talking point. It’s not posters or annual training.

A culture of security is what your employees know, feel, and do about security.

There are three dimensions of security culture:

  • Knowledge: what people know.
  • Attitudes: how they feel.
  • Behaviors: what they do.

If you only train knowledge, you're missing two-thirds of the equation.

And that’s why many security awareness programs fail to change real-world behavior.

Traditional employee training methods like eLearning and one-off compliance sessions aren’t producing measurable changes in behavior.

The real challenge? Turning knowledge into instinct.

That’s where behavior change programs come in.

As Dr. Jessica Barker pointed out in our webinar on security culture: "If we go heavy on the threat but we don’t tell people what they can do about it, this could actually make people go into denial. They go into avoidance. They’ll do anything they can to put their head in the sand and think, ‘This doesn’t apply to me.'”

Instead, she recommends empowering people through self-efficacy - the belief that they can positively influence outcomes. "This is far more powerful than trying to scare people with the threat."

When knowledge, attitudes and behaviors align, that’s when security stops being an IT issue and becomes a shared responsibility across the entire organization.

Yes, that takes time. It takes consistent, positive reinforcement. It takes leadership modeling secure behaviors and encouraging reporting without fear.

"If people don’t feel safe reporting, they avoid it - or worse, hide it. That’s when things spiral.” - Dr. Jessica Barker (Cybersecurity Expert & Behavioural Science Specialist)

When teams outside of security start realizing there are security elements they can influence, that’s when the culture truly shifts.

That’s how organizations scale human risk management.

Not by enforcement. Not by fear. But by creating a security-aware culture where every employee sees themselves as part of the security team.

Benefits of a strong security culture

Building a robust security culture isn’t just a nice-to-have... it delivers real, measurable benefits across your entire organization.

  • It significantly reduces your potential security risks. A solid security culture isn’t just awareness; it’s accountability. Employees spot potential threats early and mitigate risks before they escalate into security breaches.
  • A strong cybersecurity culture ensures compliance. Regulations and data protection laws aren't just checkboxes - they require a genuine commitment to security across all levels of the company. Employees who understand their role in security practices naturally maintain compliance, reducing the risk of costly violations.
  • Having a proactive and security-conscious environment means you stay ahead of evolving cyber threats. Phishing emails and other cyber threats evolve constantly. A strong security culture means your people actually evolve alongside the shifting landscape. Regular training sessions and interactive training exercises keep your security team and the entire organization ready for emerging threats.
  • When incidents inevitably occur, a robust security culture builds resilience. You can't guarantee you'll always be safe, but you can prepare to handle cyber incidents effectively, minimizing their impact and maintaining normal business operations.

The four pillars of a measurable security culture

To build a truly impactful culture of security, there are four types of metrics every program should include:

  1. Awareness (Knowledge): Do employees know what to do? Quiz responses and module completion rates are useful here - but not the end goal.
  2. Behavior: Are employees doing the right things? Metrics like phishing simulation reporting and password hygiene tell this story.
  3. Attitudes: Do people believe security is a shared responsibility? Surveys and cultural signals (like peer accountability) reveal this.
  4. Engagement: Are people participating willingly? Event attendance, feedback, and leaderboard participation are good indicators.

You need to go beyond engagement and knowledge.

Can you measure behavior and attitudes? That’s where the transformation happens.
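As an added example (not Hoxhunt's code or the page's own), here is how the behavior and engagement metrics listed above can be computed from one round of phishing-simulation results, overall and per department; the result records, department names and minute values are constructed for illustration.

```python
# Added example (not Hoxhunt's code): the behavior and engagement metrics the
# text lists, computed from a constructed phishing-simulation result set.
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class SimulationResult:
    """Outcome of one simulated phishing email for one recipient (constructed)."""
    user: str
    department: str
    clicked: bool                        # failure: interacted with the lure
    reported_after_min: Optional[float]  # minutes until reported; None = never


# Constructed sample data for illustration, not real telemetry.
SAMPLE_RESULTS = [
    SimulationResult("u01", "finance", False, 4),
    SimulationResult("u02", "finance", True, None),
    SimulationResult("u03", "finance", False, None),
    SimulationResult("u04", "finance", False, 12),
    SimulationResult("u05", "sales", True, 30),      # clicked, then reported
    SimulationResult("u06", "sales", False, 2),
    SimulationResult("u07", "sales", False, None),
    SimulationResult("u08", "sales", False, 9),
    SimulationResult("u09", "eng", False, 1),
    SimulationResult("u10", "eng", False, 3),
]


def program_metrics(results):
    """Behavior (failure, detect) and engagement rates for one simulation round.

    engagement: took any action at all (reported or clicked)
    failure:    clicked the lure (the click rate a simulation measures)
    detect:     reported the email without clicking it first
    missed:     did nothing, which a knowledge quiz would never surface
    """
    total = len(results)
    if total == 0:
        raise ValueError("no simulation results")
    clicked = [r for r in results if r.clicked]
    detected = [r for r in results if r.reported_after_min is not None and not r.clicked]
    engaged = [r for r in results if r.clicked or r.reported_after_min is not None]
    report_times = [r.reported_after_min for r in results if r.reported_after_min is not None]
    return {
        "recipients": total,
        "engagement_rate": len(engaged) / total,
        "failure_rate": len(clicked) / total,
        "detect_rate": len(detected) / total,
        "missed_rate": (total - len(engaged)) / total,
        # Time-to-report matters: a fast report gives the SOC time to contain a real threat.
        "median_minutes_to_report": median(report_times) if report_times else None,
    }


def metrics_by_department(results):
    """Same metrics per department, so training effort goes where detect rate is lowest."""
    departments = sorted({r.department for r in results})
    return {d: program_metrics([r for r in results if r.department == d]) for d in departments}


def training_focus(results):
    """Departments ordered by weakest detect rate first (ties broken by name)."""
    per_dept = metrics_by_department(results)
    return sorted(per_dept, key=lambda d: (per_dept[d]["detect_rate"], d))


if __name__ == "__main__":
    for key, value in program_metrics(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
    print("focus training on:", training_focus(SAMPLE_RESULTS))
```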

How to create a security culture in your organization

Step 1: Leadership sets the tone

Leadership team commitment is non-negotiable.

Security should never be perceived as punitive.

Psychological safety is a core component of security culture. When employees fear repercussions, reporting decreases and hidden issues increase.

Leaders must model secure behaviors, prioritize transparency, and foster this psychological safety.

Security isn't just an IT issue; it's everyone's responsibility.

Security shouldn’t just be a topic in the IT team’s weekly sync.

It should be part of the language used by the CEO, board, and business unit leaders.

At Hoxhunt, we tend to see that organizations with strong leadership buy-in experience quicker adoption and higher retention of security practices.

Having dedicated advocates within teams who can relay feedback, concerns, and best practices can dramatically improve overall security posture and culture.

Step 2: Make security human and approachable

Focus on shifting attitudes first.

Back when I was Head of Security Culture & Competence at H&M, I took a bold risk with our first security campaign...

I replaced traditional corporate imagery with vibrant, colorful backgrounds, playful visuals of animals in unicorn costumes, and positive taglines.

The unicorn pug became our mascot, and employees loved it.

Security became approachable, even enjoyable, and people started to think, "Security is trying something different. They seem approachable now!"

This change in perception was a game-changer.

By humanizing security, we transformed perceptions, improved collaboration, and saw a significant increase in proactive security behaviors.

Use real-life incidents, anonymized if necessary, as powerful teaching moments in regular training sessions.

Employees connect deeply with relatable stories rather than abstract concepts.

You must be bold and unconventional in security awareness!

Step 3: Measure real behavior change

To truly build a security culture, measure behaviors and attitudes - not just compliance.

We've seen reporting rates for phishing simulations improve by 7x through targeted training and positive reinforcement.

Metrics like phishing simulation reporting, password hygiene, and security survey results tell the real story.

We don't just train to train - we train to reduce risk.

Regularly reviewing these metrics and communicating successes helps reinforce and embed these behaviors further.

People who were trained with Hoxhunt were 6x less likely to click and 7x more likely to report.

Step 4: Make participation easy

Even the best tools won’t help reduce security breaches if they're not intuitive and easy to use.

Motivation matters. But so does accessibility.

Friction kills engagement.

One-click reporting buttons and micro-learning modules integrated into daily workflows drastically improve participation and effectiveness.

And the same goes for simulation difficulty.

You might not want to teach everyone about the most advanced attacks right away.

You need to start with the basics and build from there.

It's also essential to ensure continuous feedback loops from users to adapt and improve these tools regularly.

Step 5: Brand your security culture

Make your program memorable and enjoyable.

It's about making security something people want to be associated with.

Branding your security culture is about making security positive, engaging, and relevant.

Positive means making things a little bit fun, a little bit different, to stand out from the crowd.

Break the mold and surprise your employees to capture their attention.

Make your communications genuine and meaningful.

People can spot empty corporate speak a mile away. Meet people where they are and make your message resonate personally.

A strong and approachable brand around your security program not only boosts employee engagement but also creates internal advocates who willingly champion security practices.

Step 6: Listen to employees

To effectively enhance security culture, start by listening.

Put yourself in the employees' shoes and try to understand their challenges.

Employees aren't ignoring security initiatives intentionally; they often have valid reasons or obstacles.

Engage with empathy, conduct focus groups, and create safe spaces where they can express concerns without fear.

Listening instead of talking first can make a profound difference in driving culture change.

Create opportunities for employees to give feedback on security initiatives regularly.

Listening actively to employees helps identify potential vulnerabilities that might otherwise go unnoticed.

Step 7: Provide constructive feedback

Positive reinforcement and constructive feedback are crucial.

Rewarding good security behaviors with praise and recognition can significantly boost engagement.

At Hoxhunt, employees receive instant feedback every time they report a suspicious email.

Instant feedback reinforces positive behaviors, making employees more likely to repeat them.

For real threats, employees are promptly thanked, reinforcing the critical role they play in organizational security.

Simple praise and acknowledgment help build a positive security experience and motivate employees to keep participating proactively.

Immediate feedback creates a positive reinforcement loop, motivating employees to repeat secure behaviors and continuously improve their security habits.

Need to make the business case? Here's the impact of building a strong cyber security culture

  • According to the 2021 Cybersecurity Culture Study, organizations with a strong cybersecurity culture are 5.5x more likely to have well-defined security policies and procedures in place.
  • Research from the Aberdeen Group reveals that companies with a strong security culture experience 50% higher employee awareness of security risks compared to those with a weak culture.
  • A study by the Institute of Information Security Professionals (IISP) found that organizations with a strong cybersecurity culture are 70% more likely to meet compliance requirements for data protection regulations.
  • Data from the Cybersecurity Culture Assessment Survey conducted by SecurityScorecard shows that companies with a strong cybersecurity culture are 3 times more likely to have executive support for cybersecurity initiatives.
  • Our own Phishing Trends Report found that when training is based on changing behavior, you can build a strong security culture that actually reduces risk. Employees can be trained to recognize and report social engineering attacks with a 6x improvement in 6 months, and reduce the number of phishing incidents per organization by 86%.
Figure: Hoxhunt phishing risk impact.

Moving from behavior change to culture change

Security culture isn't built by security teams alone - it's shaped by how employees perceive those teams.

Historically, security was seen as "the department of 'No,'" creating barriers rather than partnerships.

At Hoxhunt, we've deliberately flipped that narrative through an adaptive and security-first company culture.

One effective strategy is fostering a culture of positive reinforcement rather than punishment.

For instance, at Hoxhunt, when someone leaves their laptop unlocked, colleagues can playfully leave a message to the team stating "hacked," not as punishment, but as a friendly, educational reminder.

These small, positive interactions - rather than strict security protocols that feel punitive - help integrate security seamlessly into daily routines.

Micro-moments create broader cultural buy-in and remove any fear of reprisal, encouraging a proactive and security-conscious environment.

People need to see security as approachable and helpful, not punitive.

This cultural shift significantly enhances the interaction between employees and the SOC, transforming potential security incidents into proactive reporting.

We've traditionally pushed security concerns onto employees based on what security leaders prioritize.

But it's far more effective if we understand what employees genuinely care about and align our communication accordingly.

Building a robust security culture requires a collective mindset, where everyone, regardless of their role, feels personally invested.

"The best thing is when individuals have a personal investment in maintaining the actual security culture - even if it’s not their job title." - Dominick Frazier (Security Behavior & Thought Leader)

Encouraging this personal investment is key to cultivating a genuinely resilient and adaptive security-first mindset across the entire organization.

Staying ahead of emerging threats

In a dynamic threat landscape, static training isn't enough.

That's why, at Hoxhunt, we push new simulations every two weeks based on real-world attacks and emerging patterns from our vast user network.

It's not just about the risks; it's about what we can do about them.

When QR phishing spiked, we launched a 500,000-user simulation campaign that mirrored real-world cyber attacks.

Another emerging threat: deepfake attacks.

These threats aren’t theoretical - they’re being used today.

So Hoxhunt incorporates current intelligence directly into training.

If you’re not adapting your content based on actual security threats, you’re preparing for yesterday’s problems.

Right now AI is raising the bar - and the stakes - for cybersecurity education.

AI reached its Skynet Moment for social engineering in March 2025.

AI agents developed by the team here at Hoxhunt created more effective simulated phishing campaigns against millions of global users than our elite human red teams could.

  • In 2023, AI was 31% less effective than humans
  • In Nov. 2024, AI was 10% less effective than humans
  • But in March 2025, AI was 24% more effective than humans

Figure: Human vs. AI phishing.

When it comes to defending against these attacks, old-school advice doesn't really work.

We need to move on from tactics like checking grammar.

We should help people recognize how messages make them feel.

If it’s urgent, emotional, unexpected - and asking for action - then verify.

AI may be used to enhance cyber attacks... but it can also be used to prevent them.

How do you meet people where they’re at - at scale?

AI allows us to personalize training and communication across thousands of employees with the right context.

Key takeaways

  • Ensure senior leadership commitment and buy-in as a strategic priority.
  • Make sure you have ongoing, interactive training programs and phishing simulations tailored to the evolving security landscape.
  • Build a robust security culture through regular, constructive feedback and recognition of positive security actions, avoiding punitive approaches.
  • Use adaptive and engaging security platforms to ensure employee education actually sticks and translates into behavior change.
  • Continuously monitor and audit your organization's security culture through metrics that measure actual behaviors, attitudes, and security-conscious actions.
  • Promote a proactive, security-first mindset and collective responsibility throughout the entire organization, ensuring every employee feels personally invested in maintaining a secure environment.

Building a robust security culture isn't quick or easy - but it's achievable.

Don't force people; inspire them. Don’t punish; reward. Don’t frustrate; simplify.

Combine behavioral science with empathy and creativity, and you'll create not just compliance, but cybersecurity champions.

Ultimately, we want employees to feel they’re part of the solution - because they genuinely are.

Reduce risky behaviors and build a real security culture with Hoxhunt

Traditional awareness training doesn't really work.

It's boring, it doesn't stick, and most of the time, people just click through it.

At Hoxhunt, we realized that if we genuinely want people to change their behaviors, we needed to rethink the entire approach.

So, we built Hoxhunt's security awareness training specifically to coach away risky behaviors through personalized, engaging experiences.

No generic slideshows or passive modules - every employee gets their own tailored learning path, complete with realistic phishing simulations and interactive micro-learning.

And the best part? People actually enjoy it.

Many organizations with legacy security awareness training (SAT) models struggle to get engagement above 10%, and they have limited visibility into whether their teams can truly spot and report potential threats.

With Hoxhunt, companies don't just see a slight uptick - they see a transformation.

Engagement rates skyrocket to over 90%, failure rates plummet, and threat detection rates climb steadily, creating sustainable resilience across the entire organization.

Figure: Impact of Hoxhunt training.

Overall, organizations training employees using Hoxhunt tend to see:

  • 20x lower failure rates
  • 90%+ engagement rates
  • 75%+ detect rates

How do we achieve these outcomes?

Personalized simulations at scale

We deliver phishing simulations across email, Slack, or Teams using AI to mimic the latest, real-world attacks.

Simulations are personalized to each employee based on department, location, and more, while instant micro-trainings solidify understanding and drive lasting safe behaviors.

Ensure compliance and maximize engagement with gamified training

Trigger interactive, bite-sized security awareness trainings that boost completion rates and coach away risky behaviors.

Select from a library of customizable training packages, or generate your own with AI to meet the needs of your business.

Build a measurable security culture

Motivate employee participation with positive, reward-based incentives and instantly trigger relevant training when an employee takes a risky action, like sharing sensitive company data or using a USB stick.

Real-time behavioral data reveals insights into risky employee behaviors, helping you identify where to focus your training efforts while minimizing employee disruption.


Creating a company culture for security FAQ

How do you start changing a negative perception of security within an organization?

First you need to understand why people feel that way.

Employees usually have valid reasons for acting the way they do.

Create focus groups or informal chats with genuine empathy and humility to uncover these reasons.

Should security training be incremental or rolled out as a major, company-wide relaunch?

There is no right answer here. A big launch creates noticeable excitement and clearly signals change.

However, gradual implementations can also work, depending on your organizational context.

What role does leadership play in driving culture change?

Leadership is extremely important.

The actions and words of senior leaders significantly shape the culture of the company.

Their support accelerates the adoption of secure practices across the entire organization.

How do you handle employees who resist or ignore security protocols?

Always start by listening. Put yourself in their shoes to truly understand their perspective.

Often there are underlying issues - address these directly and constructively.

Avoid punishment; use positive reinforcement instead.

What are the first signs of a successful shift in cybersecurity culture?

You’ll quickly see increased reporting rates of suspicious emails and reduced click rates on phishing simulations.

But the most telling sign is when employees start actively discussing security positively and proudly within your organization.

Sources

Seven Reasons Why Your Company's Security Training Isn't Working – Forbes Tech Council
Research from Aberdeen Group and Wombat Security – Yahoo Finance
ISC² 2021 Cybersecurity Workforce Study – IAPP
Gartner Unveils Top Eight Cybersecurity Predictions for 2024 – Gartner
State of Cybersecurity 2021 Infographic – ISACA
The Role of Human Error in Successful Cybersecurity Breaches – Keepnet Labs
