The Buyer's Guide to Phishing Training

In this guide, we will cover some of the main reasons why phishing training is not always effective within the organization. We will also highlight the main criteria you should consider when making your decision about which modern phishing training solution meets your organization´s needs and positively impacts and lowers your risk profile.

Download PDF
Post hero image

Criteria to look for in a modern phishing training

Major factors of differentiation in phishing training can be linked to the following criteria: user experience, personalization, reporting metrics, behavior change, and automation.

These criteria can help you assess your options in buying a human-first phishing training that can help you reduce risk in your organization.

User Experience

Employees don’t like doing tasks that interrupt their normal workflow for a significant period of time. Training is usually mandatory, but you can incorporate training into an employee’s regular workflow without stopping productivity for hours at a time. People have trouble focusing on content that is longer than 5-7 minutes, and you want to be respectful of your employee’s time and utilize it efficiently to maximize learning.

Small teachable moments to show learners how to improve in the future based on their past behavior can be an effective method to train and communicate to employees about security awareness topics.

Tips to improve employee experience


If employees don’t feel like the training is relevant to them, then they will lose interest fast. This is why you should compare a vendor’s level of personalization applied in their phishing training, in terms of employee’s cyber knowledge (IQ), role, department, and language of training content.

Not every employee has the same level of cyber knowledge, and everyone has a different background when it comes to cybersecurity. This is why phishing training can’t be administered in the same way to everyone.

Personalized learning content

Reporting Metrics

Many organizations and vendors track the reporting rates of phishing simulations, but this metric needs to be considered carefully. An organization may be using very simple simulations or very difficult challenges, skewing results to one side of the bell curve or the other. If everyone received the simulation at the same time, it is likely some employees working in an open office setting will also give their coworkers a hint not to click on the fake campaign.

This can lead to a false sense of security if your training is too easily spotted. Passing a few tests per year does not show your organization is prepared how to respond to sophisticated modern attacks.

Reporting metrics

Behavior change

One of the main pillars of behavior change is reinforcement, and continuous reinforcement and repetition will transform your behavior into a habit. In security awareness training, the behavior change that the employer wants is to teach employees how to react appropriately every time they receive potentially malicious content. The other objective is for employees to understand why reporting threats is important to the organization.

Behavior change

Automation to enable security teams

Automation is a key driver in productivity improvements and cost savings. This is why you should consider the impact automation could make on your security team in regard to phishing training.

The level of automation can also play a large part in how personalized you can make your training content, as sending out 36-48 personalized emails per employee each year can add up to a lot of work hours.


How to research your vendors?

When searching for any security vendor, it is important to do some research, not only on the vendor’s website, but also to read up on thoughts from peers and community members.

We suggest review websites such as G2, which shows unbiased reviews on user satisfaction with different products and software. We also suggest that you take a look at trending vendors in the industry and compare what they are doing differently.

Questions to ask prospective vendors:

Before you meet with potential vendors, it’s good to create a list of questions that matter for you. It will help you compare vendors upon the same criteria and have all the answers you need to make a decision. We gathered the most frequently asked questions to help you brainstorm.

User experience

1. How do you encourage employees to participate in the training?
2. How much time does the training take out of an employee’s regular work week?


3. What language options do you have for delivering training content and support?
4. What happens when an employee fails a phishing simulation once or multiple times?
5. Does everyone receive the same training at the same time or is training personalized in any way to employees?
6. How often is the training content updated? Is content updated in each language regularly?

Reporting Metrics

7. What type of progression can you expect to see after 1 month of training, 6 months, and 1 year (reporting rates, participation rates, etc.)?
8. What KPIs do you measure? What are the reporting capabilities?

Behavior Change

9. How frequent do you send simulations per year to each employee or how frequent do you recommend (for solutions that offer templates)?


10. About how many manual hours would be required from our security team to send out a campaign for X number of employees? (100, 10,000 or 20,000)
11. Where does malicious content (phish emails) go once it has been reported by an employee?

Implementation of Training and Technical Capabilities

12. What are the steps of the onboarding process?
13. Do I receive any help with communication before the roll out of the new phishing training?
14. Do you have threat reporting tools?
15. Can the training be integrated with other tools? e.g. Microsoft ATP?
16. Does it work on all devices? Which devices? Which email clients?
17. How does the pricing work? Do you pay for each element of training separately or is it a cost per employee?

Good to remember

No business is too small to get caught up in phishing! Scammers increasingly target small businesses, especially that more and more employees work remotely.

About Hoxhunt

Hoxhunt empowers your employees to shield your organization with a human-first approach to phishing training. We do this with an automated cyber training program that transforms the way your employees react and respond to the growing amount of phishing emails.

Read more about implementing a phishing training program

Subscribe to All Things Human Risk

Subscribe to our newsletter for a curated digest of the latest news, articles, and resources on human risk and evolving phishing threats in the ever-changing landscape.

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.