publishing date icon
July 20, 2023
read time icon
5 min. read

Hoxhunt Human Risk Report on Critical Infrastructure: Key takeaways

This report on human cyber-risk in the critical infrastructure sector reveals several findings that support one core truth: security behavior change & human risk management works. The report analyzes the results of over 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people participating in a security behavior change program. Over 65% of active participants in this behavior change program detect and report real malicious email attacks within a year of commencing training. The fact that 2/3 of people are detecting a real attack is one of the most impactful measures of true security behavior change that we know to have been recorded. Real threat detection is a key value driver in transforming security awareness programs into human risk management. These findings show that human cyber-risk can be mitigated particularly well in the critical infrastructure sector.

Author image
Eliot Baker
Director of Content Marketing
Post hero image

Table of contents

share this post

Critical infrastructure faces outsized consequences of phishing attacks and data breaches. Fortunately, employees in the critical infrastructure sector who participate in a robust behavior change program are pretty darn good at securing their company. They are comparatively more engaged than most other industries in good cybersecurity training and behavior, as indicated by their strong phishing simulation reporting and miss rates.  

People are also an excellent security alarm and containment system, particularly in critical infrastructure. The Hoxhunt Human Risk Report revealed that 66 percent of active participants in security behavior training programs at critical infrastructure organizations detect and report at least one real malicious email attack within a year of commencing training. Resilience velocity, the speed at which an organization reaches its highest level of actual threat detection behavior, is also 20 percent higher in the critical infrastructure sector, with organizational threat detection rates reaching high points at 10 months, compared to the 12-month average in most other industries.  


Phishing simulation success rates, the act of reporting a simulation and not skipping or failing it, in critical infrastructure is 61 percent higher than the global average after 12 months. In addition, resilience ratios, success rate versus failure rate, is 51 percent higher in critical infrastructure - 10.9 for critical infrastructure compared to the 7.2 global industry average.  

The report also reveals that critical infrastructure employees are most likely to fall victim to spoofed internal organizational communications. While this is the most effective type of phishing attack across most sectors, Hoxhunt’s study found that these types of attacks induce an 11.4 percent higher failure rate in the critical infrastructure sector compared to global averages.

"Over the past several years, attacks on critical infrastructure have become all too common, leaving fuel pumps and store shelves empty," said Mika Aalto, CEO and co-founder of Hoxhunt.  “In response, critical infrastructure organizations and their employees are exponentially more aware and cautious of malicious activity. This higher state of caution has spurred many security and risk leaders to move away from traditional security awareness programs and choose new innovations like Security Behavior Change products to achieve true risk reduction.”

The research also highlights that communication, marketing, and business development departments are most likely to be victims of phishing attacks. The most resilient departments are finance, sales, and legal. These results track with global averages except for the high performance of sales, whose success in critical infrastructure is greater than the global average.  

The road to human cyber-risk reduction begins with awareness and compliance, winds through measurable security behavior change, and culminates in real threat detection at scale.


The energy sector is one of the top targets for social engineering and phishing attacks across all industries. Energy & utility data weigh heavily within this report’s representative critical infrastructure sectors.

Information security leaders operating within the critical infrastructure space are particularly keen to map and mitigate their human risk due to a confluence of factors:

  • Elevated target share from both profit-and-politically-motivated bad actors.
  • Evolving threat landscape. AI and other advanced technologies are being adopted by increasingly sophisticated cybercrime-as-a-service models, state-sponsored actors, and criminal organizations
  • Ongoing digitization and rise of IoT opens new vulnerabilities.
  • New era of supply chain attacks.
  • Shrinking security budgets and mounting attacks demand innovative strategic approaches.
  • Tightening compliance standards for cybersecurity insurance and business partnerships.
  • Increasing regulatory pressure: Higher standards and increasing accountability.
  • CEO and Board-level recognition of the CISO and cybersecurity as a business imperative.

People represent the largest cyberattack surface. In a time where they’re being asked to reduce more risk with fewer resources, CISOs are seeking new ways to reduce risk at its greatest source.

People are your greatest security resource

While there's a fair amount of information on the costs and challenges associated with phishing attacks and human risk, there are comparatively fewer studies on solutions and human risk reduction. This Gartner report supports the growing trend towards security behavior change programs over security awareness training (SAT) tools. The Hoxhunt Human Risk Report advances our understanding of human risk mitigation via security behavior change programs.

A risk-based approach to security begins with visibility into your largest attack surface: your people. It ends with providing them the skills to defend themselves, the tools to join forces with the security team, and the motivation to secure the organization. People reinforce the processes and technology in an information security system.

Security behavior change works— when it’s done right. Training that's designed to measure and improve the desired behavior—namely, recognizing and reporting an email threat—changes that behavior. And, as a result, demonstrably reduces the risk of a phishing breach.

Awareness and compliance signify only the beginning of a human risk management journey. Behavior change and measurable risk reduction represent that journey’s end.

Subscribe to All Things Human Risk

Subscribe to our newsletter for a curated digest of the latest news, articles, and resources on human risk and evolving phishing threats in the ever-changing landscape.

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.