This is an excerpt from the book; you can download the entire ebook here.
Fail rate alone is a misleading metric. Without reporting metrics for both simulated and real threats, phishing simulation fail rate is an empty number. It fails to accurately:
Success rate rules. The frequency with which people report phishing simulations is the best:
Fail rate becomes meaningful when placed within the larger context of phishing simulations that have been reported, missed, and failed, as well as real threats that have been reported.
Reporting threats – real and simulated – is the key to behavior change and skill acquisition.
Measuring the true risk of a phishing breach can be achieved with:
Measuring and rewarding Success ingrains good reporting behavior. High success rates are linked to high real threat reporting rates.
Misses matter. The number of phishing simulations that employees miss (neither report nor fail) strongly predicts how likely they are to report or fall for real phishing attacks. Misses are bad.
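The following is an added example, not code from the Hoxhunt ebook, that makes the point of the preceding paragraphs concrete: given one record per simulated email sent, it splits outcomes into reported (Success), missed and failed, computes all three rates per team, and sets them beside a real-threat reporting rate. The event log and the real-report counts are constructed for the example; the two teams are built so that they share an identical 10% fail rate while their Success and real-threat reporting rates differ by a factor of six to eight, which is exactly what a fail-rate-only dashboard would hide.

```python
"""Phishing-simulation metrics: Success (reported), miss, and fail rates per team.

Added example; the data below is constructed, not taken from the ebook.
"""
from collections import Counter, defaultdict

# A simulated phishing email ends in exactly one of these outcomes.
# "missed" means the employee neither reported it nor fell for it.
OUTCOMES = ("reported", "missed", "failed")


def _sims(team, outcomes):
    """Constructed helper: one (employee, team, outcome) event per outcome."""
    return [(f"{team}-{i}", team, o) for i, o in enumerate(outcomes, 1)]


# Constructed simulation log: both teams fail 1 of 10 simulations, but
# team-a reports 8 of 10 while team-b silently misses 8 of 10.
SIM_EVENTS = (
    _sims("team-a", ["failed"] + ["reported"] * 8 + ["missed"])
    + _sims("team-b", ["failed"] + ["reported"] + ["missed"] * 8)
)

# Constructed: real (non-simulated) suspicious emails each employee reported.
REAL_REPORTS = {"team-a-2": 3, "team-a-3": 2, "team-a-5": 1, "team-b-2": 1}


def rates(events):
    """Success, miss and fail rates for a list of simulation events.

    The three rates always sum to 1 because every event has one outcome.
    """
    sent = len(events)
    if sent == 0:
        raise ValueError("no simulations sent")
    counts = Counter(outcome for _, _, outcome in events)
    unknown = set(counts) - set(OUTCOMES)
    if unknown:
        raise ValueError(f"unknown outcome(s): {sorted(unknown)}")
    return {
        "sent": sent,
        "success_rate": counts["reported"] / sent,
        "miss_rate": counts["missed"] / sent,
        "fail_rate": counts["failed"] / sent,
    }


def _group_by_team(events):
    by_team = defaultdict(list)
    for ev in events:
        by_team[ev[1]].append(ev)
    return by_team


def rates_by_team(events):
    """Per-team simulation rates."""
    return {team: rates(evs) for team, evs in _group_by_team(events).items()}


def real_report_rate(events, real_reports):
    """Average number of real threats reported per employee, per team.

    Employees are taken from the simulation log so that people who never
    reported anything still count in the denominator.
    """
    out = {}
    for team, evs in _group_by_team(events).items():
        employees = {emp for emp, _, _ in evs}
        total = sum(real_reports.get(emp, 0) for emp in employees)
        out[team] = total / len(employees)
    return out


def same_fail_rate_different_success(team_rates, tol=1e-9):
    """Pairs of teams a fail-rate-only view would treat as equal but are not."""
    teams = sorted(team_rates)
    pairs = []
    for i, a in enumerate(teams):
        for b in teams[i + 1:]:
            ra, rb = team_rates[a], team_rates[b]
            if abs(ra["fail_rate"] - rb["fail_rate"]) < tol and \
                    abs(ra["success_rate"] - rb["success_rate"]) >= tol:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    sim = rates_by_team(SIM_EVENTS)
    real = real_report_rate(SIM_EVENTS, REAL_REPORTS)
    for team in sorted(sim):
        r = sim[team]
        print(f"{team}: fail {r['fail_rate']:.0%}  success {r['success_rate']:.0%}  "
              f"miss {r['miss_rate']:.0%}  real reports/employee {real[team]:.2f}")
    print("hidden by fail rate alone:", same_fail_rate_different_success(sim))
```

Run it and both teams print a 10% fail rate; only the Success, miss and real-report columns separate the team that has learned to report from the team that is merely ignoring email. The same `rates` function works on any event source (a simulation platform export, a mail-gateway log) as long as each sent message is reduced to one of the three outcomes.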
Training programs must factor in who employees are and be able to individualize content to fit their strengths and weaknesses.
Cybersecurity performance varies significantly depending on:
Countries with the highest real threat reporting rates – Switzerland and Denmark – report threats 10 times more frequently than the lowest-reporting countries, China and Romania.
IT had the highest Success rate (63%); Sales had the lowest Success rate (54.1%).
The Public Policy category had the lowest phishing simulation failure rate, 1.2%, and the highest Success rate, 74%. Comparatively worse are the Dairy industry's failure rate of 7.7% and the Construction industry's Success rate of 47.5%.
When trained correctly, employees improve cybersecurity skills and report more real phishing threats. With the Hoxhunt phishing training: