Behavioral Cybersecurity Statistics

Which industries and job roles are most at risk for phishing? To find out, we analyzed 24.7 million phishing simulations across 100+ countries.


This is an excerpt from the book; you can download the entire ebook here.

Key takeaways

Misleading metrics

Fail rate alone is a misleading metric. Without simulated and real threat reporting metrics alongside it, the phishing simulation fail rate is hollow. On its own it fails to accurately:

  • Capture organizational resilience
  • Predict real threat reporting
  • Reflect employees' cyber self-defense skills

Success rate rules. The frequency with which people report phishing simulations is the best:

  • Indicator of individual security skill  
  • Predictor of phishing breaches
  • Metric to convey risk

Fail rate becomes meaningful when placed within the larger context of phishing simulations that have been reported, missed, and failed, as well as real threats that have been reported.

Reporting threats, real and simulated, is the key to behavior change and skill acquisition.

Measuring true risk of a phishing breach can be achieved with:

  • Success + Failure + Miss + Real threat reports
  • Training engagement of over half the organization
  • Frequent phishing simulations (12-36 per year)
  • Adaptive learning technology; simulations get harder as the training and user skill levels progress

Measuring and rewarding Success ingrains good reporting behavior. High success rates are linked to high real threat reporting rates.

Misses matter. The number of phishing simulations that employees miss strongly predicts how likely they are to report, or fall for, real phishing attacks. Misses are bad.
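The point that fail rate is hollow without the Success and Miss split and the real threat reports beside it is easiest to see on numbers. The following is an added example, not Hoxhunt's code or its scoring model: it takes a constructed log of simulation outcomes and real threat reports and computes Success, Fail and Miss rates per department, plus real threat report volume and accuracy. The outcome labels ("reported", "failed", "missed"), the department names, the headcounts and the choice of per-employee normalisation are all assumptions made for this example. The two constructed departments share an identical 4% fail rate, and differ only in the metrics the text says matter.

```python
from collections import Counter, defaultdict

# Constructed sample data for this example (not Hoxhunt data). Each record
# is one phishing simulation delivered to one employee in a department.
# Outcome labels are an assumption of this example:
#   "reported" = Success (employee reported the simulation),
#   "failed"   = Fail (clicked the link or submitted data),
#   "missed"   = Miss (no action before the simulation expired).
SIMULATIONS = (
    [("sales", "reported")] * 10 + [("sales", "failed")] * 4 + [("sales", "missed")] * 86
    + [("it", "reported")] * 60 + [("it", "failed")] * 4 + [("it", "missed")] * 36
)

# Constructed real-threat reports: (department, analyst confirmed malicious?).
REAL_REPORTS = (
    [("sales", True)] * 2 + [("sales", False)] * 3
    + [("it", True)] * 18 + [("it", False)] * 6
)

# Constructed headcount, used to normalise real-threat report volume.
HEADCOUNT = {"sales": 50, "it": 50}


def simulation_rates(sims):
    """Success, Fail and Miss rates per department, each as a fraction of
    simulations delivered, so the three always sum to 1."""
    counts = defaultdict(Counter)
    for dept, outcome in sims:
        counts[dept][outcome] += 1
    rates = {}
    for dept, c in counts.items():
        total = sum(c.values())
        rates[dept] = {
            "simulations": total,
            "success_rate": c["reported"] / total,
            "fail_rate": c["failed"] / total,
            "miss_rate": c["missed"] / total,
        }
    return rates


def real_threat_metrics(reports, headcount):
    """Real-threat reports per employee and reporting accuracy (share of
    reports an analyst confirmed as malicious) per department."""
    total = Counter()
    confirmed = Counter()
    for dept, malicious in reports:
        total[dept] += 1
        if malicious:
            confirmed[dept] += 1
    return {
        dept: {
            "real_reports_per_employee": total[dept] / headcount[dept],
            "report_accuracy": confirmed[dept] / total[dept] if total[dept] else 0.0,
        }
        for dept in headcount
    }


def department_summary(sims, reports, headcount):
    """Merge simulation and real-threat metrics into one row per department,
    so fail rate is never read without the Success, Miss and real-report
    context it needs."""
    sim = simulation_rates(sims)
    real = real_threat_metrics(reports, headcount)
    return {dept: {**sim.get(dept, {}), **real[dept]} for dept in headcount}


if __name__ == "__main__":
    for dept, row in department_summary(SIMULATIONS, REAL_REPORTS, HEADCOUNT).items():
        print(dept, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in row.items()})
```

Run as-is, both departments print a fail rate of 0.04; a dashboard showing fail rate alone would rank them as equal. The sales row carries a 0.10 success rate, a 0.86 miss rate and 40% real-report accuracy, the IT row 0.60, 0.36 and 75%, which is the gap the text is describing. When wiring this to a real simulation platform, keep the denominator as simulations delivered (not opened), or the miss rate will be silently undercounted.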

Who you are predicts how you’ll behave

Training programs must factor in who employees are and be able to individualize content to fit their strengths and weaknesses.

Cybersecurity performance varies significantly depending on:

  • Geography
  • Job role
  • Industry

Countries with the highest real threat reporting rates – Switzerland and Denmark – report threats 10 times more frequently than the lowest-reporting countries, China and Romania.

IT had the highest Success rate (63%); Sales had the lowest Success rate (54.1%).

The Public Policy category had the lowest phishing simulation failure rate, 1.2%, and the highest success rate, 74%. Comparatively worse are the Dairy industry's failure rate of 7.7% and the Construction industry's 47.5% Success rate.

Good security training works

When trained correctly, employees improve cybersecurity skills and report more real phishing threats. With the Hoxhunt phishing training:

  • Organizational phishing simulation fail rates dropped from 14% to 4% globally
  • Success rates (with Success measured as the reporting of a simulated phishing attack) jumped from near zero to between 52% and 74% of simulations, depending on industry
  • Real threat reporting rate improved by nearly 70% from training baseline
  • Real threat reporting accuracy continuously improved from near-zero to 60%
  • Engagement rate soared to 88.75% of employees onboarded to the Hoxhunt training
