As security leaders we develop security and awareness training surrounding phishing; however, we are told we can only expect to get down to a 3% click rate. 3% is not low enough and I am looking for ideas on how to drive down the click rate to 1% or less. Has anyone had great success with a technique they have used to drive down the click rate?

4.9k views, 13 Comments
CIO in Energy and Utilities, 8 months ago
Assuming that "click rate" refers to the number of people clicking on a phishing simulation, we are currently observing a rate of 5-9%.

While this falls short of our satisfaction, we acknowledge that addressing this is an ongoing effort. Phishing techniques evolve over time, and users are gradually becoming more educated, contributing to the dynamic nature of this challenge and, probably, never reducing the rate to 1% or lower.
1 Reply
CISO in Insurance (except health), 8 months ago

Thank you

Director of IT in Finance (non-banking), 8 months ago
Our click rate runs about 2% normally. We are a small agency with about 250, so just a few who bite can have a big impact on our rate. We test monthly and publish the results across the whole agency, and explain what a 2% click rate equates to in number of compromised users/computers and what a bad actor would then have access to. This seems to hit home and helps keep our rate low.
1 1 Reply
CISO in Insurance (except health), 8 months ago

Thank you

Senior Information Security Manager in Software, 8 months ago
Those figures seem to be in line with industry averages.

Getting to 1% or less requires massive amounts of training and technology. Also, it would require people to spend a lot more time reviewing each email. If you really want to get <1%, give each person an hour less work daily to deal with the time needed to do that.
1 Reply
CISO in Insurance (except health), 8 months ago

Thank you

CISO in Manufacturing, 8 months ago
We should not be looking at just reducing the click rate below a specific %, but at making simulations as good as the real phishing we see out there, with increased sophistication, specifically tailored for individuals and coming from trusted accounts that were compromised. AI also makes creating good phishing easier for attackers. So the goal is to create a teachable moment for someone who clicks and provide proper after action (i.e., training, performance objectives, etc.). Creating specific policies and increasing the consequences after repeated clicks also helps.
1 Reply
CISO in Insurance (except health), 7 months ago

Thank you

CISO in Telecommunication, 8 months ago
It's all about raising awareness. Two things you can do: 1) run a tricky phishing test that drives the failure rate up to 30%; then everyone will understand they are not good enough. 2) Besides focusing on the failure rate, try tracking the report rate. Seeing a phishing email and reporting it raises awareness to another level.
1 Reply
CISO in Insurance (except health), 7 months ago

Thank you
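Two points in the thread lend themselves to a small calculation: translating a click rate into "how many compromised users" for a ~250-person population, and tracking the report rate alongside the click rate. The following is an added example, not code from anyone in the discussion; the campaign results are constructed, and the Wilson interval is included to show how noisy a 2% figure is at this headcount.

```python
"""Phishing-simulation metrics for a small user population (added example).

Computes per-campaign click and report rates, flags repeat clickers across
campaigns, and puts a Wilson 95% interval on the click rate so a 2% result
on ~250 users is read together with its sampling noise. Data is constructed.
"""
from collections import Counter
from math import sqrt

# Constructed data: campaign -> {user: outcome}; outcomes are "clicked",
# "reported" (the user reported the simulated mail) or "ignored".
HEADCOUNT = 250
CAMPAIGNS = {month: {f"user{i}": "ignored" for i in range(HEADCOUNT)}
             for month in ("2024-01", "2024-02")}
for u in ("user3", "user17", "user42", "user88", "user120"):  # 5 clickers
    CAMPAIGNS["2024-01"][u] = "clicked"
for i in range(100, 160):                                     # 60 reporters
    CAMPAIGNS["2024-02"][f"user{i}"] = "reported"
for u in ("user3", "user42", "user200"):                      # 3 clickers
    CAMPAIGNS["2024-02"][u] = "clicked"

def wilson_interval(successes, n, z=1.96):
    """Wilson score interval; unlike the normal approximation it stays sane
    when successes are a handful, which is the case at 1-3% of 250."""
    if n == 0:
        return (0.0, 0.0)
    centre = (successes + z * z / 2) / (n + z * z)
    half = z * sqrt(successes * (n - successes) / n + z * z / 4) / (n + z * z)
    return (max(0.0, centre - half), min(1.0, centre + half))

def campaign_metrics(results):
    """Click rate, report rate and click-rate 95% interval for one campaign."""
    counts, n = Counter(results.values()), len(results)
    clicked, reported = counts["clicked"], counts["reported"]
    return {"n": n, "clicked": clicked, "click_rate": clicked / n,
            "report_rate": reported / n, "click_ci95": wilson_interval(clicked, n)}

def repeat_clickers(campaigns, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns (the repeated-click case)."""
    hits = Counter(u for r in campaigns.values() for u, o in r.items() if o == "clicked")
    return sorted(u for u, c in hits.items() if c >= min_clicks)

def rate_to_headcount(rate, headcount=HEADCOUNT):
    """Translate a percentage into the number of compromised users it implies."""
    return round(rate * headcount)

if __name__ == "__main__":
    for month, results in CAMPAIGNS.items():
        m, (lo, hi) = campaign_metrics(results), campaign_metrics(results)["click_ci95"]
        print(f"{month}: click {m['click_rate']:.1%} (95% CI {lo:.1%}-{hi:.1%}), "
              f"report {m['report_rate']:.1%}, ~{rate_to_headcount(m['click_rate'])} users")
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
```

At 250 users the interval around 5 clicks runs from under 1% to over 4.5%, so a single month at 1% and a single month at 3% are not statistically distinguishable; the repeat-clicker list and the report rate are the steadier signals to manage.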
