All Things Human Risk Management
Hoxhunt
10 episodes
4 days ago
All Things Human Risk Management is the essential podcast for cybersecurity professionals seeking to strengthen their organization's human defenses. Get actionable insights on emerging threats, behavioral science, and data-driven training techniques to transform your employees from your biggest risk into your strongest defense.
Technology
Does Security Awareness Training Even Work? Fixing the Flaws Behind “Training Fails” Headlines
All Things Human Risk Management
37 minutes 37 seconds
1 month ago

Episode #9


“Security awareness training doesn’t work” makes for a punchy headline. But is the problem training itself, or the way most organizations still run compliance-driven, once-a-year programs?


In this episode, host Eliot Baker sits down with global security awareness leader David Badanes to dissect the latest “training fails” narratives (especially the UC San Diego study amplified by the Wall Street Journal) and contrast them with what actually works in high-performing human risk programs.


They break down the three failure modes of legacy awareness (content, cadence, culture), show how to rebuild around behaviour change and reporting, and give you language to push back when executives show up with the latest “training doesn’t work” article in hand.


What you’ll learn in this episode:

  • The three failure modes of legacy awareness programs: broken content, broken cadence, and broken culture.
  • Why annual modules and quarterly cookie-cutter phishing tests create “security tourism,” not real habit change.
  • How to rebuild around role-based, adaptive, micro-learning paths that challenge people at the right level.
  • Where gamification, rewards, and opt-in “spicy mode” simulations help and where they can blow up trust.
  • Why click/failure rate is a weak north star, and how to use resilience ratio, time-to-report, and real-phish-to-sim-phish pipelines instead.
  • How to embed “stop work authority” into digital life so employees can safely slow down urgent requests across email, Teams, Slack, WhatsApp, and SMS.
  • What the UC San Diego / WSJ study got right about bad training, where the methodology falls short, and how to brief your leadership on it.
  • The qualitative signals that a culture-first awareness program is working (water-cooler conversations, proactive reporting, and cross-functional pull from finance, M&A, and beyond).
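The metrics mentioned above (click/failure rate versus resilience ratio and time-to-report) are easier to compare when computed from the same simulation data. The following is an added example, not code from the podcast or from Hoxhunt: it takes a constructed event log for one simulated phishing campaign and derives failure rate, report rate, resilience ratio and median time-to-report. The resilience ratio is assumed here to mean reporters divided by failers, and a recipient who clicks is counted as a failure even if they report afterwards; both are assumptions about the definitions used on the show.

```python
from datetime import datetime
from statistics import median

# Constructed event log for one simulated phishing campaign (not real data).
# Each line: ISO timestamp, user id, event (sent | clicked | reported).
CAMPAIGN_EVENTS = """\
2024-05-06T09:00:00 u01 sent
2024-05-06T09:00:00 u02 sent
2024-05-06T09:00:00 u03 sent
2024-05-06T09:00:00 u04 sent
2024-05-06T09:00:00 u05 sent
2024-05-06T09:00:00 u06 sent
2024-05-06T09:04:10 u01 reported
2024-05-06T09:12:30 u02 clicked
2024-05-06T09:15:00 u02 reported
2024-05-06T09:30:00 u06 reported
2024-05-06T10:40:00 u03 reported
2024-05-06T11:05:00 u04 clicked
"""


def parse_events(text):
    """Parse the log into (timestamp, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def classify(events):
    """Return {user: (outcome, seconds_to_report_or_None)}.

    Outcomes: 'failed' (clicked, whether or not they later reported),
    'reported' (reported without clicking), 'missed' (did neither).
    Only the first occurrence of each event per user is used.
    """
    sent, clicked, reported = {}, {}, {}
    for ts, user, event in events:
        if event == "sent":
            sent.setdefault(user, ts)
        elif event == "clicked":
            clicked.setdefault(user, ts)
        elif event == "reported":
            reported.setdefault(user, ts)

    outcomes = {}
    for user, sent_at in sent.items():
        if user in clicked:
            outcomes[user] = ("failed", None)
        elif user in reported:
            outcomes[user] = ("reported", (reported[user] - sent_at).total_seconds())
        else:
            outcomes[user] = ("missed", None)
    return outcomes


def campaign_metrics(text):
    """Compute the campaign-level metrics discussed in the episode."""
    outcomes = classify(parse_events(text))
    recipients = len(outcomes)
    failed = sum(1 for o, _ in outcomes.values() if o == "failed")
    reported = sum(1 for o, _ in outcomes.values() if o == "reported")
    times = [t for o, t in outcomes.values() if o == "reported"]
    return {
        "recipients": recipients,
        "failure_rate": failed / recipients,
        "report_rate": reported / recipients,
        # Assumed definition: reporters per failer (higher is better).
        "resilience_ratio": reported / failed if failed else float("inf"),
        "median_time_to_report_s": median(times) if times else None,
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(CAMPAIGN_EVENTS).items():
        print(f"{name}: {value}")
```

On the constructed log, two of six recipients click and three report without clicking, so the failure rate alone (33%) hides that reporters outnumber failers 1.5 to 1 and that half the reports arrive within 30 minutes; those are the signals a reporting-centred program would track over time.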


Timestamps:

(00:00) Why “training doesn’t work” headlines keep coming back

(02:00) Content, cadence, and culture: three failure modes of awareness

(04:30) From “security tourism” to continuous skill building

(06:30) Rebuilding the model: people, process, then technology

(09:00) Role-based and adaptive paths (and where AI actually helps)

(11:00) Gamification, leaderboards, and avoiding public shaming

(14:00) Opt-in “spicy mode,” emotional reactions, and handling backlash

(19:00) Phishing beyond email: Teams, Slack, WhatsApp, SMS and more

(21:00) Stop work authority: slowing down urgent requests without blame

(22:00) Why failure rate is not your north star metric

(24:00) Resilience ratio, time-to-report, and protecting your colleagues

(26:00) Tying recognition and performance reviews to cyber-safety behaviour

(28:00) Handling repeat clickers without creating fear and avoidance

(33:00) The UC San Diego / WSJ study: what it got right and wrong

(36:00) What “good” looks like when training actually works


Resources:

  • Wall Street Journal coverage of the UC San Diego cybersecurity training study: https://www.wsj.com/tech/cybersecurity/cybersecurity-training-study-f290518d
  • Our take on the WSJ article: https://hoxhunt.com/blog/the-wall-street-journal-got-it-wrong-phishing-simulations-work-when-done-right


Host links:

  • Eliot Baker: https://fi.linkedin.com/in/eliotebaker
  • David Badanes: https://www.linkedin.com/in/dbadanes



    ****


All Things Human Risk Management is a Hoxhunt Original Podcast.


Hoxhunt is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.


Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.


Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte. 
