This is an excerpt from the book, you can download the entire ebook here.

‍

Key takeaways

‍

Misleading metrics

‍

Fail rate alone is a misleading metric. Without simulated + real threat reporting metrics, phishing simulation fail rate is empty. It fails to accurately:

• Capture organizational resilience
• Predict real threat reporting
• Reflect employees' cyber self-defense skills

‍

Success rate rules. The frequency with which people report phishing simulations is the best:

• Indicator of individual security skill  
• Predictor of phishing breaches
• Metric to convey risk

‍

Fail rate becomes meaningful when placed within the larger context of phishing simulations that have been reported, missed, and failed, as well as real threats that have been reported.
Reporting threats – real and simulated – is the key to behavior change and skill acquisition

‍

Measuring true risk of a phishing breach can be achieved with:

• Success + Failure + Miss + Real threat reports
• Training engagement of over half the organization
• Frequent phishing simulations (12-36 per year)
• Adaptive learning technology; simulations get harder as the training and user skill levels progress

Measuring and rewarding Success ingrains good reporting behavior. High success rates are linked to high real threat reporting rates.

‍

Misses matter. The number of phishing simulations that employees miss strongly predict how likely they are to report or fall for real phishing attacks. Misses are bad.

‍

Who you are predicts how you’ll behave

‍

Training programs must factor in who employees are and be able to individualize content to fit their strengths and weaknesses.

Cybersecurity performance varies significantly depending on:

• Geography
• Job role
• Industry

Countries with the highest real threat reporting rates – Switzerland and Denmark – report threats 10 times more frequently than the lowest-reporting countries, China and Romania.

IT had the highest Success rate (63%); Sales had the lowest Success rate (54.1%).

The Public Policy category had the lowest phishing simulation failure rate, 1.2 %, and the highest success rate,  74%. Comparatively worse are the Dairy industry’s failure rate of 7.7%, and the Construction industry’s 47.5% Success rate.

‍

Good security training works

‍

When trained correctly, employees improve cybersecurity skills and report more real phishing threats. With the Hoxhunt phishing training:

• Organizational phishing simulation fail rates dropped from 14% to 4% globally
• Success rates – with Success measured as the reporting of a simulated phishing attack- – jumped from near-zero to between 52% - 74% of simulations based on industry
• Real threat reporting rate improved by nearly 70% from training baseline
• Real threat reporting accuracy continuously improved from near-zero to 60%
• Engagement rate soared to 88.75% of employees onboarded to the Hoxhunt training
  ‍

‍

‍

‍