Episode #5

“We have 100% completion… but nothing’s changed.”

It’s a complaint security leaders are making louder and more often. Completion rates are being called “cosmetic,” “misleading,” and “just optics” - metrics that check the compliance box but fail to reduce real human risk.

In this episode, host Eliot Baker sits down with Maxime Cartier, Head of Human Risk at Hoxhunt, to unpack what organizations are getting wrong about measurement and what the most mature programs are doing instead.

Drawing from Maxime’s recent insights at the SANS Security Awareness Summit, this conversation cuts through outdated KPIs and explores what actually signals behavioral change. You’ll hear what practitioners are building in the real world, how to bring leadership along without losing them in complexity, and how to measure success beyond tick-box numbers.

This isn’t theoretical - it’s tactical guidance from a field that’s evolving fast.

What you’ll learn in this episode:

• Why 100% training completion doesn’t mean behavior has changed

• How to spot “vanity metrics” and what to replace them with

• Why security programs are borrowing measurement models from public health and road safety

• What early signals suggest real change (even before risk metrics improve)

• How to make behavioral metrics land with your board, not just your CISO

Timestamps:

Resources:

• Our guide to the essential metrics you should be measuring: https://hoxhunt.com/blog/4-essential-phishing-metrics
• Hoxhunt's HRM playbook: https://hoxhunt.com/guide/human-risk-management-playbook
• Bird & Bird case study: https://hoxhunt.com/case-studies/bird-bird-cybersecurity-rules-in-favor-of-the-hoxhunt-human-risk-management-platform

Host links:

Eliot Baker:⁠⁠ ⁠https://www.linkedin.com/in/eliotebaker/⁠⁠⁠

Maxime Cartier:⁠ ⁠https://www.linkedin.com/in/maximecartier

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

⁠⁠Hoxhunt⁠⁠⁠ is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte. 

Episode #4

AI might be transforming cybersecurity… but not always in the way vendors want you to believe.

In this episode, Eliot Baker sits down with Hoxhunt CTO and Co-founder Pyry Åvist to expose what’s actually happening at the front lines of the AI-powered phishing threat. No speculation. Just real research, real data, and real implications for your defense strategy.

Together, they unpack how Hoxhunt’s research team built and tested agentic AI spear phishing agents and what happened when those AI-generated attacks went head-to-head with elite human red teamers. The result? A 24% higher failure rate for AI phishing emails, across 50,000+ real-world simulations. This is more than just a stat. It’s a signal: AI threats are getting smarter, faster than most training programs can adapt.

This episode is both a behind-the-scenes look at the largest AI phishing benchmark ever run and a tactical guide for what to do next.

Here’s what you’ll learn in this episode:

• How AI spear phishing attacks crossed a key threshold in spring 2025 and why that changes everything
• Why traditional training templates and static simulations are now a liability
• What “agentic” AI really means and how it’s enabling scalable, personalized phishing at unprecedented speed
• The common weaknesses attackers exploit (and how to pressure-test your own workforce against them)
• How training programs can use AI to fight back, with individualized simulation paths that actually evolve with the threat

Timestamps:

(00:38) Hoxhunt's AI-Powered Approach

(01:13) The Evolution of AI in Phishing

(02:21) AI's Dual Purpose: Good vs. Evil

(04:08) The Rising Cost of Phishing

(05:50) Human vs. AI in Phishing Attacks

(08:45) The Skynet Moment: AI Surpasses Humans

(16:15) The Future of AI in Phishing

(17:55) Conclusion and Final Thoughts

To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter:⁠⁠⁠ https://hoxhunt.com/all-things-human-risk⁠⁠⁠

Resources:

• Our research on AI phishing vs human red teams: https://hoxhunt.com/blog/ai-powered-phishing-vs-humans
• A breakdown of the current threat posed by AI attacks: https://hoxhunt.com/blog/ai-phishing-attacks

Host links:

Eliot Baker:⁠ ⁠https://www.linkedin.com/in/eliotebaker/⁠⁠

Pyry Åvist:⁠ https://www.linkedin.com/in/pyryavist/

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

⁠Hoxhunt⁠⁠ is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte. 

Episode #3

Should We Punish Employees for Security Mistakes?

Eliot is joined by Noora Ahmed-Moshe VP of Strategy & Operations, Hoxhunt) for a discussion on one of cybersecurity’s most divisive questions: should repeat offenders in training programs be punished... or is there a better way?

Leveraging on behavioral science, real-world case studies, and Noora’s global experience advising security leaders, this episode breaks down the flawed logic behind punitive training and surfaces more effective, scalable alternatives.

Here’s what you’ll learn in this episode:

• Why punishment-based training strategies often backfire and how they can destroy psychological safety

• How to understand the psychology of repeat clickers and uncover hidden motivations

• What neuroscience and behavioral science say about fear vs. positive reinforcement in learning

• How real organizations shifted from punitive to positive - and saw massive gains in threat reporting and engagement

• Why individualized, adaptive training paths outperform one-size-fits-all models

• What to do when even your best-designed training isn’t working for a small subset of users

• The unintended consequences of using HR as a disciplinary tool in security awareness programs

• How to counter the “optics of leniency” argument with data and outcomes

This isn’t about being soft. It’s about being strategic. If your goal is measurable, sustainable behavior change - this episode is essential listening.

Timestamps:

• (00:00) Introduction to the Podcast
• (00:30) Setting the Scene: The Dilemma of Punishing Employees
• (01:20) Understanding Behavior Change
• (03:08) The Pitfalls of Punitive Approaches
• (05:08) Real-World Consequences of Fear-Based Strategies
• (07:26) Exploring Positive Reinforcement
• (11:22) Addressing Repeat Offenders
• (37:05) The Role of HR in Security Training
• (40:42) The Importance of Psychological Safety
• (48:05) Final Thoughts and Summary

To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter:⁠⁠⁠ https://hoxhunt.com/all-things-human-risk⁠⁠

Resources:

• A short guide to effective security behavior change: https://hoxhunt.com/blog/cybersecurity-behavior-change

  Qualcomm Case Study: https://hoxhunt.com/case-studies/how-qualcomm-used-targeted-security-awareness-training-for-employees

• Guide to positive vs punitive approaches: https://hoxhunt.com/blog/punitive-vs-positive-cybersecurity-awareness-training

Host links:

Eliot Baker:⁠ ⁠https://www.linkedin.com/in/eliotebaker/⁠⁠

Noora Ahmed-Moshe:⁠ https://fi.linkedin.com/in/noora-ahmed-moshe

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

⁠Hoxhunt⁠⁠ is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte. 

Episode #2

RSA 2025 was full of AI claims - but what were security leaders really worried about?

Eliot is joined by ⁠Noora Ahmed-Moshe⁠ (VP of Strategy, Hoxhunt) for a no-spin debrief on RSA 2025. With AI hype at full volume and booth gimmicks ranging from goats to deepfake demos, it’s easy to miss the real signals in the noise. Eliot and Noora cut through the chaos to unpack what security leaders were actually focused on - and what it means for your strategy.

Drawing from hundreds of in-person conversations across the conference floor, they surface the real fears, needs, and shifts happening in the security community. This isn't a recap of vendor taglines - it's a pulse check on how defenders are thinking, what they're struggling with, and where the field is heading next.

Here’s what you’ll learn in this episode:

• How agentic AI is shifting from abstract risk to tactical threat - fast

• Why vishing and deepfake audio are already operational threats, not future hypotheticals

• What CISOs are really saying about the limitations of checkbox security awareness

• How governments are quietly moving beyond compliance toward measurable risk reduction

• Why “AI-powered” marketing claims are falling flat—and how real buyers are filtering signal from fluff
  

Timestamps:

• (00:24) Overview of RSA 2025

• (00:51) Hoxhunt Cyber News Roundup

• (02:02) Verizon DBIR 2025 Insights

• (03:12) Generative AI Risks and Third-Party Vulnerabilities

• (03:52) NIST 2 Directive in the EU

• (04:57) Experiences at RSA 2025

• (05:48) The Human Element at RSA

• (06:50) AI Dominates RSA Conversations

• (09:04) Challenges and Themes in Cybersecurity

• (12:44) Agentic AI and Its Implications

• (15:13) Deepfakes and Vishing Concerns

• (16:38) Omnichannel Phishing Threats

• (17:21) Positive Conversations at RSA

• (18:46) Surprising Trends and Insights

• (27:04) Conclusion and Final Thoughts

To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter:⁠⁠ https://hoxhunt.com/all-things-human-risk⁠⁠

Resources:

• Our research on AI phishing vs human red teams: https://hoxhunt.com/blog/ai-powered-phishing-vs-humans

• Guide to deepfake phishing: https://hoxhunt.com/blog/deepfake-attacks

Host links:

Eliot Baker: ⁠https://www.linkedin.com/in/eliotebaker/⁠

Noora Ahmed-Moshe: ⁠https://linkedin.com/in/noora-ahmed-moshe

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

Hoxhunt⁠ is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte. 

Episode #1

Are your security awareness metrics actually measuring risk reduction? Or just checking boxes?

Eliot is joined by Maxime Cartier (Head of Human Risk, Hoxhunt) to break down what truly works it when it comes to reducing human cyber risk. Maxime has spent close to 10 years helping organizations elevate security awareness into human-centered risk management and led security culture initiatives for a major global retailer. In this episode, he shares the metrics that actually matter when evaluating your human defense layer and practical frameworks for quantifying risk reduction across your organization.

Here's what you'll learn in this episode:

• Why traditional metrics fail to capture real risk reduction
• The measurement framework that finally proves ROI to leadership
• Behavioral science secrets that transform knowledge into habits
• How top-performing organizations quantify their human defense layer

Timestamps:

• (00:00) Introduction to the Podcast
• (01:08) Understanding Security Awareness
• (02:54)The Evolution of Security Awareness
• (04:51) Compliance and Security Awareness
• (06:49) From Awareness to Behavior Change
• (08:40) Measuring Security Behaviors
• (11:14) Real-World Examples and Anecdotes
• (21:44) The Importance of Reporting Rates
• (24:15) Positive Security Culture
• (38:30) Adapting to New Threats
• (45:13) Conclusion and Final Thoughts

To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter:⁠ https://hoxhunt.com/all-things-human-risk⁠

Resources:

• Guide to behavior-based training: https://hoxhunt.com/blog/behavior-based-cyber-security-training
• 4 essential metrics to start tracking: https://hoxhunt.com/blog/4-essential-phishing-metrics

Host links:

Eliot Baker: https://www.linkedin.com/in/eliotebaker/

Maxime Cartier: https://www.linkedin.com/in/maximecartier/

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

Hoxhunt is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.