Gartner names Hoxhunt a Security Behavior and Culture Program Representative Provider

Take your human risk management journey beyond awareness to measurable behavior change with a Gartner-recognized Representative Provider of SBCP. Download a complimentary copy of the full report from Gartner: Innovation Insight on Security Behavior and Culture Program Capabilities, by William Candrick, Richard Addiscott, Andrew Walls, and Alex Michaels.

Post hero image

Table of contents

In being named by Gartner as a Representative Provider of Security Behavior and Culture Programs (SBCP), Hoxhunt is proud to be at the vanguard of a global shift in the approach to human risk management. Awareness and compliance are necessary starting points, but they signify the beginning of a risk management journey, not the end. The rise of cybercrime to an $8 trillion global criminal industry, in which as many as 95% of data breaches contain the human element, has elevated cybersecurity to the digital world’s chief existential threat; one in which people are both the cause of and the solution to the issue.

In such a climate, computer-based security awareness training doesn’t suffice. Enter SBCP.

Most cybersecurity leaders report lofty aspirations for their security awareness programs, yet underinvest in this space because legacy solutions do not meet current CISO needs. Under half of cybersecurity functions consistently measure employee behavior, and almost 80% have less than one FTE dedicated to security awareness (Figure 1). Cybersecurity leaders are hesitant to invest more resources and effort until solutions reliably deliver better risk management results. -- Innovation Insight on Security Behavior and Culture Program Capabilities, Gartner, Nov. 16, 2022


Driven by need and enabled with cutting-edge innovation, security leaders are going beyond compliance and awareness to secure measurable behavior change and unlock a risk-based approach to security. That starts with re-thinking people as a human threat detection asset. Employees are regarded as the enterprise’s weakest link in the people-processes-technology chain, and thus the greatest risk to security.

But a modern security behavior change platform can transform employees into an untapped security resource. Experts predict the transition from awareness training to SBCPs will be dramatic over the coming years.

As the Gartner report states:

By 2030, 80% of enterprises will have a formally defined and staffed human risk management program, up from 20% in 2022.
By 2030, all widely adopted cybersecurity control frameworks will focus on measurable behavior change rather than compliance-based training as the critical measure of efficacy for human risk management.” – Innovation Insight on Security Behavior and Culture Program Capabilities, Gartner, Nov. 16, 2022



This changing of the guard from old-school awareness training to security behavior change platforms is at an inflection point in 2023. With cyber insurance and other pillars of risk management wobbled by a swiftly evolving threat landscape, CISOs are being tasked by the C-suite to look afresh at risk at its greatest source: people.

Employees are targeted by attackers. Why aren’t solutions doing the same thing? 

Security awareness computer-based training services offer a stable set of core capabilities yet risky employee behavior persists. New, emerging capabilities apply behavioral science principles, data analytics and automation to help cybersecurity leaders reduce risk via measurable culture change. -- Innovation Insight on Security Behavior and Culture Program Capabilities, Gartner, Nov. 16, 2022



Times have changed. Attack tactics have evolved. Cyber behavior must, too. Enterprises operate in an age where ransomware and other human-targeted attacks are evading the technical layers and penetrating the human layer with increasing volume, velocity, and potency. Stats from the Verizon DBIR and World Economic Forum report that 83% to 95% of data breaches begin with or involve the human element. And the most recent research from IBM and the Ponemon institute reports that these data breaches drain on average $9.5 million in direct and indirect costs, with ransomware attacks averaging out at $4.45 million. Phishing attacks, according to 2021 research by the Ponemon Institute, cost large organizations around $15 million annually, or more than $1500 per employee.

Infographic showing statistics of data breaches in the workplace

To fight the rise in human-targeted attacks, especially phishing, security leaders are transforming employees from security weaknesses into security assets and integrating human threat detection into security operations. The end result is an auto-enhancing protect-detect-respond engine, co-piloted by security leaders and employees.


New capabilities are emerging to meet the demand for improved human risk management. These security behavior and culture programs (SBCP) capabilities focus on risk reduction via tangible employee behavior management. Innovative solutions build their services based on behavioral science principles, and use data analytics and automation to reduce risk exposure via measurable culture change. -- Innovation Insight on Security Behavior and Culture Program Capabilities, Gartner, Nov. 16, 2022



Gartner, Innovation Insight on Security Behavior and Culture Program Capabilities, William Candrick, Richard Addiscott, Andrew Walls, Alex Michaels, 16 November 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this