Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Hoxhunt: Uber's Award-Winning Human Risk Management Program

Hoxhunt
07/13/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Conference and Awards. And I'm thrilled today to be joined by Jason Harper. He is a security manager with Uber. And today we're going to be discussing security awareness among some other topics. So let's jump right in. First, tell me a little bit more about you. Tell me about you and the Beyond the Checkbox program at Uber. I'm happy to. Yeah, so I've been working in cybersecurity as a career for a really embarrassingly long time, probably more than 30 years. And today at Uber, I'm responsible for a number of programs, both on the engineering side and the non-engineering side. And the one we're talking about today is in regards to human risk management, which really just comes down to how do we help our personnel cross the globe, understand the risks that they take, help them manage it effectively without really turning them into cybersecurity and risk experts themselves. Yeah. So would you call this a human risk management program? I would, because the primary focus here is behaviors of the personnel themselves. Uber, like a lot of companies, has a variety of types of job roles. You could be highly technical or not technical at all and still be very successful. And we don't try to lean into one job type or another. So there are all types of choices people make in the execution of their roles, and we want to meet them where they are. So we're absolutely managing the behaviors and human risk element of each job role. Oh, yeah. And tell me what kind of problem you were trying to solve with launching this program. So as someone who's worked in a lot of large corporations myself, even before I had a role like this, I had to take training. This is usually a, I mean, and not to steal my own title here, but it's really a check the box type program. We have compliance obligations to meet as an organization for everyone to be trained in cybersecurity and risk. Generally, what I've seen is, you know, once that's done, everyone forgets about it and they go on with what they're doing. And the type of people at Uber and in many corporations is, you know, they're very smart. They're very savvy. They know what they're being measured on and how they deliver their program. And they will take the shortest path to that. So the problem we're trying to solve is how do we encourage personnel to make the right choices as it comes to their everyday job and still sort of play within the bounds of the rules of the organization. And why did you select Hawks Hunt to help you try to solve the issues? So we were looking for a partner that would enable us to deliver a few things. One of them is adaptive phishing. A previous, we were doing this before, it was very quarterly based. It was a, it was very manual to do. So with Hawks Hunt, we're able to deliver adaptive phishing. So for us, that's as you do better, the phishing gets harder. As you do worse, it gets a little easier, follows up automatically with training for you. Also, I have a very strong preference and philosophy around micro-training. So typically, corporate training looks like a multi-module, 30 to 40 minutes, do it once a year. It can just be very dull. So Hawks Hunt enables us to deliver three to five minute training at the time that we detect a particular behavior. And we can do this very, very regularly. So we believe investing in smaller training opportunities, sort of snackable training opportunities, is a better path. And then finally, it allowed us to gamify the security awareness. So people get badges and awards and, you know, they feel good after taking the training. What results did you find most impressive about it? So, I mean, I would say the most subjective one is people responded positively to us without us asking. So I would get emails or Slack messages about how great they thought the training was and how because of its opportunistic nature, when they did something, it was right on time and it made sense to them, right? So we got lots of really positive results. I can't speak for all the awareness people out in the world, but it's very unusual to get very positive results for making people take training. Additionally, there's a lot of apathy in the corporate world for training itself and for the results of it. And we found that once we were really able to measure response rates and engagement rates with Hawks Hunt, we could see the numbers going up. And that told us that people were much happier to engage with it. They found it valuable. We could see it in the numbers from the platform itself. And even in just phishing reporting rates, I mean, you have a couple of choices, right? You can delete it. You can ignore it. You can click it. But getting actually people to report it has been difficult for us. So we saw our numbers go up maybe 3x, which is just incredible for us. In addition, we were able to tie what we were alerting people about behaviorally to our telemetry. So we could actually see when behaviors were moving in a positive direction. So if we were alerting people or nudging people about use of, say, SaaS services that we didn't really want them to use, we could see at an individual level, a group level and an aggregate level, that number go down. And so to us, that was a very clear indicator that the training we were doing and the integration with Hawks Hunt was working. Now, what kind of feedback have you gotten from executive leadership about this program? The one constant refrain that we hear is that they really like the empathetic approach we take to training and they like the fact that it is small and frequent enough to keep the topic at the top of their mind, but not so frequent that we're taking away from the work that they're doing and the focus they have from their work. So by keeping the training central to what it is that they're doing, so for developers or for marketing people, salespeople, we really do try to target, you know, what do these folks need to see and hear on a regular basis. So that specificity has really worked in our benefit. What about, you know, you mentioned some feedback from employees that was surprising and kind of out of the blue. Any other feedback from employees or even, you know, from other security team members on the program? You know, it does become kind of a meme inside of Uber. And what we notice is, and I think this is across the board, you know, enterprises send lots of emails for people to do things and they really don't look much different than phishing emails. And so, you know, in our in our Slack channels, we constantly see messages marked with a Hawks Hunt emoji because everyone is now suspicious. And I don't think it was our intent to make people very paranoid, but it is really wonderful to see that people are taking a second look at everything and really asking the question out loud, am I being phished? Like, is this something I need to worry about? And we jump in, of course, and we tell them, you know, we don't leave them panicked for too long. But before, we would never see anything like this. People would just click it, ignore it, delete it, whatever. But it's just really great to see the engagement. Who would you recommend Hawks Hunt to? Everybody, really. If I had a peer who was looking for a human risk management platform that they could start their program on or build an advanced program on, I would recommend Hawks Hunt. Great. All right. Well, Jason Harper with Uber, thank you for joining us today. Thank you. It was great. And thanks to you for watching. I'm Joan Goodchild with CSO. We'll see you next time.

TL;DR

  • Uber replaced annual compliance training with an adaptive Human Risk Management program using Hoxhunt, delivering personalized phishing simulations and microlearning triggered by real-time behavior signals.
  • Phishing reporting rates increased approximately 3x after adopting Hoxhunt, with measurable improvements in employee engagement and a documented reduction in risky behaviors tracked through behavioral telemetry.
  • Snackable three-to-five minute training modules delivered at the moment of a detected behavior proved far more effective than traditional 30-to-40 minute annual training marathons for driving lasting behavior change.

Summary

In this interview recorded at the CSO Cybersecurity Conference and Awards in Nashville, Uber Sr. Security Engineering Manager Jason Harper describes how Uber replaced its traditional compliance-driven security awareness program with a behavior-focused Human Risk Management (HRM) approach powered by Hoxhunt. Harper explains that legacy annual training — the classic "check-the-box" model — fails because employees, however smart, simply take the shortest path to completion and quickly forget what they learned. Uber's new model centers on adaptive phishing simulations that automatically adjust difficulty based on individual performance, paired with snackable three-to-five minute microlearning modules delivered at the precise moment a risky behavior is detected. The program also incorporates gamification through badges and awards to drive positive engagement. The results have been striking: phishing reporting rates increased approximately 3x, employee engagement scores rose measurably on the Hoxhunt platform, and behavioral telemetry confirmed that targeted nudges were producing real reductions in unwanted behaviors — such as unsanctioned SaaS usage — at the individual, group, and aggregate level. Perhaps most telling, employees began voluntarily flagging suspicious internal emails in Slack using a Hoxhunt emoji, a cultural shift Harper describes as unexpected but deeply encouraging. Executive leadership praised the program's empathetic, role-specific approach, which keeps security top of mind without disrupting productivity.

Chapters

0:00 - Introduction & Jason Harper Background
1:04 - Defining Human Risk Management
1:50 - The Problem with Check-the-Box Training
2:54 - Why Uber Chose Hoxhunt
4:15 - Program Results and Metrics
6:13 - Executive and Employee Feedback

Key Quotes

2:04 "It's really a check the box type program. We have compliance obligations to meet as an organization for everyone to be trained in cybersecurity and risk."
3:43 "Hoxhunt enables us to deliver three to five minute training at the time that we detect a particular behavior. And we can do this very, very regularly."
4:20 "The most subjective one is people responded positively to us without us asking. So I would get emails or Slack messages about how great they thought the training was."
5:30 "We saw our numbers go up maybe 3x, which is just incredible for us."
7:41 "I don't think it was our intent to make people very paranoid, but it is really wonderful to see that people are taking a second look at everything and really asking the question out loud, am I being phished? ..."

FAQ

What makes Uber's Human Risk Management program different from traditional security awareness training?

Rather than requiring all employees to complete the same annual training module, Uber's program uses adaptive phishing simulations that adjust difficulty based on individual performance, delivers three-to-five minute microlearning at the moment a risky behavior is detected, and uses behavioral telemetry to measure real-world behavior change — not just completion rates.

How does Hoxhunt support Uber's approach to role-specific training?

Hoxhunt enables Uber to target training content based on job role — developers, marketers, and salespeople each receive training relevant to their specific risk profile. The platform also automates follow-up training after phishing simulation failures and tracks engagement metrics that help Uber demonstrate program effectiveness to leadership.


Categories:
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Security Operations
  • Threat Intelligence
  • Best Practices
  • Customer Story
  • Getting Started
  • Human Risk Management
  • Security Awareness Training
  • Adaptive Phishing Simulations
  • Behavioral Telemetry
  • Microlearning
  • Employee Behavior Change
  • Phishing Reporting
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Hoxhunt: Uber's Award-Winning Human Risk Management Program

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Caliber Security Team for Lasting Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-caliber-security-team-for-lasting-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies in Data Protection and Privacy Management
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-in-data-protection-and-privacy-management/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Caliber Security Team for Lasting Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies in Data Protection and Privacy Management

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version