74%
Of breaches involve a human element per Verizon DBIR 2025
3x
Reduction in phishing click rates after 90-day simulation program
82%
Of simulated phishing emails are opened within the first hour
12 months
Average time to measurable culture change with consistent program

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Security awareness training exists on a spectrum from compliance theater to genuine behavior change programs. Most organizations run the compliance version: one annual training module with a completion rate report delivered to the audit committee. This satisfies frameworks like ISO 27001 and SOC 2 but produces no measurable reduction in phishing susceptibility, credential sharing, or social engineering incidents.

This guide is for practitioners who want the behavior change version. The design choices that actually move the needle are different from the choices that satisfy auditors, and the metrics that prove effectiveness are different from completion percentages.

Phishing simulation design: frequency, targeting, and difficulty progression

Phishing simulations are the most evidence-backed component of a security awareness program. The research is consistent: organizations that run monthly simulations achieve click rate reductions of 60 to 70 percent within 12 months; organizations that run annual simulations see no statistically significant improvement.

Program design variables that determine effectiveness:

Frequency: Monthly is the minimum effective cadence. Weekly is appropriate for high-risk employee populations (executives, finance, HR). Annual simulations produce a brief awareness spike followed by rapid decay.

Difficulty calibration: Start with medium-difficulty templates (recognizable phishing indicators that require attention to spot) and increase difficulty as the population improves. Do not start with highly sophisticated simulations, a 90 percent click rate in month one is demoralizing and counterproductive. Do not stay at low difficulty permanently; trivially obvious simulations produce false confidence.

Targeting: Use your incident data to identify which departments have the highest susceptibility. Finance, HR, and executive assistants consistently show higher phishing click rates in most organizations, partly because their job functions require them to open attachments and follow payment-related links. Route more frequent and more difficult simulations to these groups.

Post-click training: The moment an employee clicks a simulated phishing link is the highest teachable moment in your program. Deliver a 90-second just-in-time training module immediately. This outperforms scheduled training by 3 to 5 times on retention metrics.

Content design: what employees actually need to know

Annual compliance training modules attempt to cover every security topic in 45 minutes. This is the wrong design. Breadth of coverage is inversely correlated with retention and behavior change. A program that teaches one concept deeply every month produces more behavior change than a program that covers thirty concepts once per year.

The highest-ROI topics for most organizational populations, in priority order:

  1. Recognizing phishing indicators: Sender address vs. display name mismatch, urgency language, unusual attachment types, hover-over URL inspection, lookalike domains. This single topic prevents more incidents than everything else combined.

  2. Credential hygiene: Password manager adoption, not reusing passwords across personal and work accounts, recognizing credential-harvesting fake login pages. A credential entered into a phishing site is compromised immediately; the employee often does not know it happened for weeks.

  3. Reporting behavior: The single most important cultural change is removing the stigma from reporting a click. An employee who clicked a phishing link and reports it immediately gives the security team a 30-to-120-minute window before credentials are used. An employee who does not report because they are embarrassed costs the organization days of undetected access. Your program must explicitly reward reporting.

  4. Social engineering via phone and text: Vishing (voice phishing) and smishing (SMS phishing) have higher success rates than email phishing in most simulations because employees apply less scrutiny to these channels. Include these attack types in your simulation and training rotation.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Metrics that measure behavior change versus compliance

Compliance metrics for security awareness training are: training completion rate, quiz pass rate, and certification count. These measure whether employees sat through training, not whether they changed behavior.

Behavior change metrics:

Phishing click rate (PCR): The percentage of simulation emails that result in a click, credential submission, or attachment open. Track month-over-month trend by department. Target: below 5 percent organization-wide within 12 months for a monthly simulation program.

Phishing report rate (PRR): The percentage of simulation emails reported to the security team via the phishing report button. A high report rate is as important as a low click rate. Target: above 60 percent of simulations reported within 30 minutes.

Repeat clicker rate: Employees who click simulations more than twice in a 90-day window need a different intervention than standard training. Track this cohort separately and implement escalating interventions: one-on-one coaching, elevated simulation frequency, or manager notification depending on your organizational culture and HR policies.

Real incident volume: Correlate your awareness program cadence against actual reported phishing incidents, credential compromises from identity monitoring, and help desk calls about suspicious emails. A functioning program should show a declining trend in real incidents over 12 to 24 months.

Escalation paths and the repeat-clicker problem

Every organization has a cohort of employees who click phishing simulations repeatedly regardless of training. The standard response, assigning more training modules, is ineffective for this population. Research on repeat clickers shows that the primary driver is not lack of knowledge but job pressure: employees who process high volumes of email under time pressure click at higher rates even when they know what to look for.

Effective interventions for repeat clickers:

Workflow accommodation: For employees in high-click-rate roles (finance, HR, executive support), implement email gateway controls that add visual indicators to external emails and hold attachments for sandbox analysis. This removes the burden of individual judgment for the most consequential emails.

One-on-one coaching: A 30-minute session with a security team member that walks the employee through a simulated phishing email and discusses their decision process is more effective than any online module. Most repeat clickers are willing to engage; the barrier is the security team's time.

Manager involvement: For employees who remain in the top repeat-clicker cohort after 90 days of intervention, a conversation involving their manager typically produces improvement. Frame it as a performance risk to the employee (a credential compromise can have personal and professional consequences) rather than as punishment.

The bottom line

Security awareness training produces measurable results only when it is designed around behavior change rather than compliance. Monthly simulations with immediate post-click training, a culture that rewards reporting, and escalating intervention for repeat clickers consistently outperform annual training modules on every metric that matters to the security team. Build the program for the behavior you want to change, not the audit finding you want to close.

Frequently asked questions

How often should we run phishing simulations?

Monthly is the minimum effective cadence for most organizations. Research consistently shows that monthly simulation programs achieve 60 to 70 percent click rate reductions within 12 months, while annual simulations produce no statistically significant improvement. High-risk employee populations (executives, finance, HR) benefit from weekly simulations with higher-difficulty templates.

What is a good phishing click rate benchmark?

Industry benchmarks from Proofpoint and KnowBe4 show that organizations without an active simulation program average 25 to 35 percent click rates on phishing simulations. After 90 days of monthly simulations with post-click training, the median organization achieves below 10 percent. After 12 months, mature programs reach below 5 percent. Track your organization's trend month-over-month rather than against industry benchmarks; your starting point and trajectory matter more than a static comparison.

Should we tell employees about phishing simulations in advance?

No. Advance notice of phishing simulations eliminates the behavior measurement function. Employees who know a simulation is coming are artificially vigilant and the click rate does not reflect real-world susceptibility. Instead, communicate the existence of an ongoing simulation program (so it is not a surprise that simulations happen) without disclosing specific timing or templates. This approach is consistent with most security awareness program standards and is ethically defensible as employees are notified the program exists.

What phishing simulation platform should I use?

The leading platforms are KnowBe4, Proofpoint Security Awareness Training, Cofense, and Mimecast. All four provide sufficient simulation templates and reporting for most organizations. The differentiating factors are: integration depth with your email gateway (for automated real-phish reporting workflows), the size and quality of the template library for your specific industry, and reporting granularity for repeat-clicker identification. Microsoft Defender for Office 365 Plan 2 includes Attack Simulator at no additional cost for M365 E5 licensees.

How do I get employees to report phishing instead of just deleting suspicious emails?

Three changes drive reporting behavior: (1) Install a one-click phishing report button in the email client (Outlook, Gmail) that sends the suspected email to your security team with one click; reporting must be easier than deleting. (2) Close the loop by sending a response email to employees who report correctly within 15 minutes confirming the report and whether it was a simulation or a real phish. (3) Celebrate reporting publicly: monthly team recognition for the department with the highest report rate outperforms any training module at driving cultural change.

How do I measure whether our security awareness program is actually working?

The primary metric is phishing click rate trend over 12 months, which should decline from baseline. Secondary metrics are phishing report rate (should increase), repeat-clicker cohort size (should shrink), and real-world incident volume correlated with program cadence. Completion rate is a compliance metric, not a behavior change metric. A program where 95 percent of employees complete the annual training but phishing click rates remain flat is not working regardless of the completion data.

Sources & references

  1. SANS Security Awareness Report 2025
  2. Proofpoint State of the Phish 2025
  3. NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.