A human cyber-risk report with hope, for a change

Long-time CISO Petri Kuivala asked for one thing after analyzing 1.6 million users’ interactions with 15 million phishing simulations and millions more real phishing attacks: hope. Lose the FUD and fluff. Focus on the trends and insights into human cyber-behavior by geography, industry, job role, and phishing type that will actually improve human risk management. That is what we did with the Phishing and Cybersecurity Behavior Trends report, which you can download for free.


 Key takeaways 

  • QR phishing attacks surged by 22X in 2023 
  • The Financial Services industry performs twice as well as Retail at spotting and reporting a phishing attack 
  • Manufacturing and construction is the most targeted industry by phishing 
  • Legal and Financial are the top-performing departments, and Communications is the most challenged 
  • Dwell time and threat detection can be tracked both in training simulations and against real attacks. 
  • Dwell time improves by over 32% after 1 year of cybersecurity training, and the top 5% fastest employees report real attacks in less than 2 minutes 
  • Threat detection improves by over 9X after 1 year of cybersecurity training 

A hopeful spin on phishing and cyber behavior stats

I often get frustrated with reports from cybersecurity vendors. Some are excellent, but some are just marketing hype and Fear, Uncertainty and Doubt (FUD) stuffed into an infographic and dressed up as a fluffy pseudo-scientific study. The Phishing and Cybersecurity Behavior Trends report is different. 

We don’t need more FUD and fluff. We need data-driven fuel for our efforts to secure our people against cyber-attacks. Tell me about meaningful, behavioral outcomes like dwell time and threat detection based on geography, industry, job role, and phishing type. Cut back on the empty failure rate metric obsession. 

Give me some hope. I know for a fact that there are measurable reasons for optimism. Some of those reasons are contained in this report. Let’s focus on what’s actionable and useful, because we’re tired of marketers trying to social engineer us into requesting a demo. Give us value. Show us data that helps us understand human behavior and mitigate risk.  

I requested that the facts and insights presented in the Phishing and Cybersecurity Behavior Trends report emphasize what is ultimately a happy ending: people can change. We just need the right program with the right metrics to measure and manage their progress. How often have you read a cybersecurity report that has a happy ending? Probably about as (not) often as you’ve seen a reward-based security awareness training (SAT) program. 

I’ve been working as a CISO for a long time, so I get it: the threat landscape is bad, the solutions aren’t keeping pace, and neither are our budgets. Let’s cover hopeful new ground, because Gartner (Top Cybersecurity Trends of 2024 Report) and Forrester (The Future is Now: Introducing Human Risk Management) are: they’re actually moving beyond the tired SAT category and creating new categories for managing human risk and behavior change. Why? Because there’s hard data that new approaches work. 

  

Dwell time and threat reporting improve in both simulated and real phishing environments

Positivity in cybersecurity training 

“I took the radical approach of adopting positive psychology in my security awareness program around 10 years ago at Nokia. And guess what? We achieved security behavior change at levels that had been impossible with the traditional consequence-based SAT approach.”
Petri Kuivala, CISO Advisor 

The research is clear. Positive reinforcement is more effective at driving and reinforcing behavior change than any other method. In “The Influential Mind,” Tali Sharot gives compelling evidence for the reward-based approach. A New York hospital intensive care unit significantly improved hand-hygiene compliance by displaying positive feedback at hand-washing stations. This technique outperformed:  

  1. Traditional reminders with paternalistic “Wash your hands!” signage  
  2. Creepy Big-Brother-style 24/7 CCTV monitoring by an outsourced surveillance team  

When they installed a display above the hand-washing station that gave staff positive feedback for washing their hands properly, the compliance rate increased 9X. Yes, you read that right: 9X. Fun fact: in this report, people globally improve their threat reporting rates by 9X with the reward-based Hoxhunt program. 

What holds true in both hand-washing and cybersecurity? Both stop the spread of disease. 

  

Global cyber performance improvement of 9X for threat reporting
This is the portrait of hope. Behavior change takes off immediately upon onboarding to the Hoxhunt training program. Reporting rates jump 6X in the first month and rise 9X from baseline over the first year. Meanwhile, real threat detection climbs from negligible to a 10X improvement over the first year.

What the data tells us 

This Phishing and Cybersecurity Behavior Stats and Trends report shows how different backgrounds produce different behaviors, and it demonstrates the impact of positive reinforcement on those behaviors. The comprehensive analysis of 1.6 million users responding to 15 million phishing simulations reveals that positive reinforcement can drastically improve things that I’ve never seen tracked before, like dwell time and real threat detection. 

I want to say that there really are no “bad” performers here. There is variance between geographies and industries, but our findings show that across the board the phishing reporting rate exceeds 25%, the threshold that author and CISO George Finney believes catalyzes a cultural shift towards positive security outcomes and amplifies the “spin wheel effect” as compliance increases. 

We see that even in the lowest reporting-rate environments, the top-5% fastest users report real phishing attacks within 71 seconds, and simulated phish in under a minute. Median dwell time falls by about a third over one year of training with reward-based learning methods that trigger dopamine when reinforcing new behaviors. 

When looking at the country data, I do not see any major surprises. China adopts threat reporting behavior about half as well as the top-performing countries. I have lived and directed cybersecurity in China and I have dealt with the “losing face” culture, which likely drives the inactivity. People are too afraid of making a mistake to try something new and uncertain like reporting a threat, and that drives slower learning curves. Malcolm Gladwell wrote about this extensively in his book Outliers, citing the example of disproportionate airline crashes in cultures where co-pilots were afraid to speak out and cause their pilots to lose face. 

Cyber performance in industries where workers aren’t always glued to the keyboard, like Healthcare and Retail, is lagging behind. But even there, the top 5% still kill it. I can’t overstate how important this fact is: speed kills phishing incidents. This is what I’m talking about when it comes to actionable insights. 
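The metrics this section leans on (reporting rate, median dwell time and the dwell time of the fastest 5% of reporters, plus the year-over-year improvement) are easy to compute once you have delivery and report timestamps for each simulated or real phishing email. The script below is an added example and not Hoxhunt's own tooling or the report's data; the event format, the cohort labels "month0" and "month12", and every number in SAMPLE_EVENTS are constructed assumptions. It uses nearest-rank percentiles and excludes unreported emails from the dwell-time calculation while keeping them in the reporting-rate denominator, which is the trap a naive script falls into.

```python
import math
from datetime import datetime, timedelta
from statistics import median


def _event(phase, kind, delivered, dwell):
    """Build one constructed event. dwell=None means the recipient never reported it."""
    d = datetime.fromisoformat(delivered)
    return {
        "phase": phase,            # assumed label: "month0" = baseline round, "month12" = after a year of training
        "kind": kind,              # "simulation" or "real"
        "delivered": d.isoformat(),
        "reported": (d + timedelta(seconds=dwell)).isoformat() if dwell is not None else None,
    }


# Constructed sample data (illustrative, not figures from the report).
SAMPLE_EVENTS = (
    [_event("month0", "simulation", "2023-03-01T09:00:00", d) for d in [600, 1800] + [None] * 8]
    + [_event("month12", "simulation", "2024-03-01T09:00:00", d) for d in [45, 50, 60, 120, 300, 900] + [None] * 4]
    + [_event("month12", "real", "2024-03-15T14:30:00", d) for d in [71, 600] + [None] * 3]
)


def select(events, phase=None, kind=None):
    """Filter events by cohort phase and/or email kind (None means no filter)."""
    return [e for e in events
            if (phase is None or e["phase"] == phase) and (kind is None or e["kind"] == kind)]


def dwell_seconds(events):
    """Seconds from delivery to report, for reported emails only."""
    out = []
    for e in events:
        if e["reported"] is None:
            continue
        secs = (datetime.fromisoformat(e["reported"]) - datetime.fromisoformat(e["delivered"])).total_seconds()
        if secs < 0:
            # A report before delivery means clock skew or a bad join; refuse rather than average it in.
            raise ValueError(f"report precedes delivery: {e!r}")
        out.append(secs)
    return out


def nearest_rank_percentile(values, p):
    """Nearest-rank percentile; p=5 gives the dwell time of the fastest 5% of reporters."""
    if not values:
        return None
    ranked = sorted(values)
    return ranked[max(1, math.ceil(p / 100 * len(ranked))) - 1]


def metrics(events):
    """Reporting rate (over everything delivered) and dwell statistics (over what was reported)."""
    dwell = dwell_seconds(events)
    return {
        "delivered": len(events),
        "reported": len(dwell),
        "reporting_rate": len(dwell) / len(events) if events else 0.0,
        "median_dwell_s": median(dwell) if dwell else None,
        "fast5_dwell_s": nearest_rank_percentile(dwell, 5),
    }


def improvement(before, after):
    """How many times the reporting rate rose, and the fraction by which median dwell time fell."""
    rate_multiple = (after["reporting_rate"] / before["reporting_rate"]) if before["reporting_rate"] else None
    dwell_reduction = None
    if before["median_dwell_s"] and after["median_dwell_s"] is not None:
        dwell_reduction = 1 - after["median_dwell_s"] / before["median_dwell_s"]
    return {"reporting_rate_multiple": rate_multiple, "median_dwell_reduction": dwell_reduction}


if __name__ == "__main__":
    baseline = metrics(select(SAMPLE_EVENTS, phase="month0", kind="simulation"))
    trained = metrics(select(SAMPLE_EVENTS, phase="month12", kind="simulation"))
    real = metrics(select(SAMPLE_EVENTS, phase="month12", kind="real"))
    print("baseline simulations:", baseline)
    print("after 12 months:      ", trained)
    print("real attacks:         ", real)
    print("improvement:          ", improvement(baseline, trained))
```

Run it on an export of your own simulation and report-button events, keeping the same split between delivered and reported, and you get the same three numbers the report uses per cohort; feeding the "real" kind from your SOC's phishing-report queue gives the real-attack dwell time that the quote below argues is the number that actually shortens incidents.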

“Linking your threat feed to the SOC, and accelerating response to reported phishing attacks, is like a bullet-proof vest for the workforce. The ‘Fast 5’ help the slower reporters and poorer performers dodge the bullet aimed at them. Moreover, the SOC can augment the quality of their work with AI assistance as reported threats are automatically categorized and incidents are elevated in real time.”
Petri Kuivala, CISO Advisor 

This data is extremely helpful when security leaders know how to turn insights into action. With human cyber-risk reduction, action starts with creating a psychologically safe environment, where individuals are allowed to make mistakes. People need to know that their surrounding teams will help them and keep them safe as they grow their own cyber vigilance muscles.  

Regional resilience world map