All Things Human Risk Management
Podcast Description
All Things Human Risk Management is the essential podcast for cybersecurity professionals seeking to strengthen their organization's human defenses. Get actionable insights on emerging threats, behavioral science, and data-driven training techniques to transform your employees from your biggest risk into your strongest defense.
Podcast Insights
Content Themes
The podcast focuses on human risk management, behavioral science, and cybersecurity training techniques. Episodes explore topics like metrics for measuring behavior change, effective frameworks for employee training, and strategies for fostering a positive security culture. For instance, the first episode discusses how to authentically measure security awareness in relation to real risk reduction, featuring expert insights on traditional metrics and their limitations.

Episode #12
Many security awareness programs eventually hit a plateau.
Training completion rates look healthy. Phishing numbers aren’t terrible. But progress stalls. Engagement drops. And leadership starts asking a difficult question: are we actually changing behavior?
In this episode, Eliot is joined by Anthony Davis, a security awareness leader with more than a decade of experience building and running programs across major UK retailers. Together they unpack why awareness programs plateau and what practitioners can do to restart momentum.
They explore the warning signs that a program has gone stale, why compliance-driven training often fails to change behavior, and how awareness teams can move beyond annual training toward continuous engagement and real behavioral metrics.
If your awareness program feels stuck – or your metrics haven’t moved in months – this episode offers a practical playbook for getting things moving again.
What you’ll learn in this episode:
- How to recognize when your security awareness program has plateaued
- Why high training completion rates don’t necessarily mean behavior change
- The biggest design flaws that cause awareness programs to stall
- Why phishing reporting is a stronger metric than completion rates
- How to connect awareness programs with SOC insights and real threat data
- Why annual training alone rarely drives lasting behavior change
- How storytelling and relevant examples improve engagement
- Practical steps to restart momentum in a stagnant awareness program
Timestamps:
(01:03) Introducing Anthony Davis and his background in awareness programs
(02:25) Early signals your program has stopped improving
(04:00) How long to wait before intervening when metrics stall
(05:05) Is a plateau caused by culture, content, or systems?
(09:20) Why engagement and communication frequency matter
(15:10) Behavior change vs policy and compliance training
(30:00) Why mandatory annual training often fails to change behavior
(39:05) Is annual security awareness training fundamentally flawed?
(52:00) What high completion rates but low behavior change really mean
(54:20) Why phishing reporting is one of the best behavior metrics
(57:00) Turning real threats into targeted awareness messaging
(59:00) Connecting awareness programs with SOC insights
(01:01:30) One action every awareness team should take to break a plateau
Host links:
- Eliot Baker: https://fi.linkedin.com/in/eliotebaker
- Anthony Davis: https://www.linkedin.com/in/infosecant
All Things Human Risk Management is a Hoxhunt Original Podcast.
Hoxhunt is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.
Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.
Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.
