Episode #5

“We have 100% completion… but nothing’s changed.”

It’s a complaint security leaders are making louder and more often. Completion rates are being called “cosmetic,” “misleading,” and “just optics” – metrics that check the compliance box but fail to reduce real human risk.

In this episode, host Eliot Baker sits down with Maxime Cartier, Head of Human Risk at Hoxhunt, to unpack what organizations are getting wrong about measurement and what the most mature programs are doing instead.

Drawing from Maxime’s recent insights at the SANS Security Awareness Summit, this conversation cuts through outdated KPIs and explores what actually signals behavioral change. You’ll hear what practitioners are building in the real world, how to bring leadership along without losing them in complexity, and how to measure success beyond tick-box numbers.

This isn’t theoretical – it’s tactical guidance from a field that’s evolving fast.

What you’ll learn in this episode:

• Why 100% training completion doesn’t mean behavior has changed

• How to spot “vanity metrics” and what to replace them with

• Why security programs are borrowing measurement models from public health and road safety

• What early signals suggest real change (even before risk metrics improve)

• How to make behavioral metrics land with your board, not just your CISO

Timestamps:

Resources:

• Our guide to the essential metrics you should be measuring: https://hoxhunt.com/blog/4-essential-phishing-metrics
• Hoxhunt's HRM playbook: https://hoxhunt.com/guide/human-risk-management-playbook
• Bird & Bird case study: https://hoxhunt.com/case-studies/bird-bird-cybersecurity-rules-in-favor-of-the-hoxhunt-human-risk-management-platform

Host links:

Eliot Baker:⁠⁠ ⁠https://www.linkedin.com/in/eliotebaker/⁠⁠⁠

Maxime Cartier:⁠ ⁠https://www.linkedin.com/in/maximecartier

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

⁠⁠Hoxhunt⁠⁠⁠ is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.