All Things Human Risk Management
Podcast Description
All Things Human Risk Management is the essential podcast for cybersecurity professionals seeking to strengthen their organization's human defenses. Get actionable insights on emerging threats, behavioral science, and data-driven training techniques to transform your employees from your biggest risk into your strongest defense.
Podcast Insights
Content Themes
The podcast focuses on human risk management, behavioral science, and cybersecurity training techniques. Episodes explore topics like metrics for measuring behavior change, effective frameworks for employee training, and strategies for fostering a positive security culture. For instance, the first episode discusses how to authentically measure security awareness in relation to real risk reduction, featuring expert insights on traditional metrics and their limitations.

Episode #11
Using real breach stories in security training works… but only if you do it ethically.
Real incidents make threats feel concrete, cut through “this would never happen to me” thinking, and drive behavior change. But they also carry real risk: victim-blaming, fearmongering, reputational harm, and loss of trust if handled poorly.
In this episode, Noora is joined by David Badanes (Human Risk Management advisor) to unpack ethical security storytelling: how to use real breaches responsibly, where the line is, and how awareness teams can turn incidents into learning without becoming the villain.
They break down why real stories outperform generic examples, what not to include when telling breach stories, how to operationalize ethical review with limited resources, and how empathy is the key to changing security behavior.
What you’ll learn in this episode:
Why real breach stories are more effective than made-up examples in security training
Where ethical security storytelling goes wrong and how to avoid victim blaming
How to decide whether a real breach is appropriate to use in training
What awareness managers should include (and exclude) when telling real incident stories
How to operationalize ethical review without heavy legal or HR overhead
Why empathy drives better security behavior than fear-based messaging
How to measure whether ethical storytelling is actually changing outcomes
How cultural context affects cybersecurity storytelling in global organizations
Timestamps:
(00:00) Why use real breach stories in security awareness training at all?
(00:15) How do real incidents change employee behavior better than generic warnings?
(01:18) Who is David Badanes and why ethical storytelling matters now
(02:21) Why do real breach stories work better than fictional examples?
(03:40) What are the ethical risks of using real cyber incidents in training?
(05:03) What does ethical security storytelling actually look like?
(08:27) How should awareness managers choose what parts of a breach to include?
(09:24) How do you operationalize ethical review with limited time and resources?
(27:10) How does culture change what’s considered ethical security storytelling?
(31:36) What good ethical storytelling achieves and what it avoids
Host links:
- Noora Ahmed-Moshe: https://www.linkedin.com/in/noora-ahmed-moshe
- David Badanes: https://www.linkedin.com/in/dbadanes
All Things Human Risk Management is a Hoxhunt Original Podcast.
Hoxhunt is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.
Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.
Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.
