What's a Good Phishing Simulation Click Rate? It's Not What You Think


You've just launched a phishing simulation campaign as part of your organization's security awareness program. The results are in: 5% of employees clicked the link. Your CISO wants to know: "Is that good? What's a good click rate for our phishing simulation?"

It's the question every security professional gets asked, and most are searching for that magic number—that universal benchmark that tells them their security awareness program is working. But here's the uncomfortable truth: focusing on a single percentage is not just misguided—it's potentially dangerous.

Consider this real-world scenario from a cybersecurity professional: "Currently engaged with a client whose CEO entered their credentials seven times because they really wanted that Christmas discount. And that same CEO is currently refusing to complete any sort of awareness training." (Source)

This anecdote powerfully illustrates that not all clicks are created equal. A 5% click rate might sound acceptable until you realize it includes your CFO, who has the authority to transfer millions of dollars, or your systems administrator with the keys to your entire network.

A truly effective security awareness program goes beyond simplistic metrics to measure context, risk, and behavioral change over time. As one security professional aptly put it, success is about "learning from the subtleties, not just accumulating clicks."

The Click Rate Fallacy: Why a "Good" Score Can Be a Lie

Organizations often celebrate low click rates as evidence of effective security awareness. But this single-minded focus creates several dangerous blind spots:

The Illusion of Engagement

A low click-through rate might not signal success at all. It could mean employees are simply ignoring all suspicious emails—including legitimate ones that look unusual. This lack of threat recognition means they're not reporting potential threats, creating a "false sense of security" for leadership (Source).

When employees delete suspicious emails without reporting them, bad actors gain critical dwell time to exploit vulnerabilities elsewhere in your organization.

The Manipulability of Metrics

Security teams can easily game their own scores. As pointed out by Cybeready, teams can misleadingly "improve" click rates by starting with tough simulations and then making them progressively easier (Source).

This manipulation creates an illusion of improvement while actually decreasing security resilience. As one security professional notes, "if you're getting a response under 2%, your lures are probably too easy" (Source). Easy simulations fail to prepare users for the sophisticated targeted phishing attacks they'll face from determined threat actors.

Creating the Wrong Culture

An overemphasis on "not clicking" fosters a culture of fear and avoidance, rather than a proactive culture of reporting. The goal isn't just to avoid a trap but to help the security team identify and disarm it.

When employees fear punishment for clicking in simulations, they're less likely to report when they make a mistake in real life—which is exactly when reporting is most critical for incident response.

Context is King: A CEO's Click vs. an Intern's

Risk is not evenly distributed across an organization. When evaluating phishing simulation results, context matters more than raw numbers.

The High-Value Target Problem

A CEO clicking a phishing link seven times poses a catastrophic risk compared to ten low-access users clicking once. Executives have access to sensitive data, financial controls, and strategic plans, making them prime targets for "whale phishing" (Source).

As one security professional bluntly stated: "I had a CISO of a hospital fail every simulation and enter credentials then ask for his name to be removed from the results because 'he can't lead his team if his workers don't think he's competent.'" This exemplifies how leadership vulnerability creates both security and cultural risks.

Role-Based Threats: Whales Gonna Whale

Different roles face different threats. Finance departments are targeted with invoice fraud, HR with fake resumes containing malware, and executives with sophisticated, personalized lures. This is why role-based phishing simulations that mirror these real-life scenarios are more effective and engaging (Source).

The concept "whales gonna whale" acknowledges that high-value targets (the "whales") receive disproportionately more sophisticated and persistent phishing attempts. They require specialized security policy attention and leadership training beyond what's provided to general staff.

The Leadership Blind Spot

Executives are often the weakest link in the security chain. Research indicates they are more susceptible to phishing attacks, with one study finding that senior managers are actually more likely to fall for phishing than regular employees (Source).

This vulnerability is compounded by cultural issues—executives may feel they're "too busy" for training or that security rules don't apply to them. When credential harvesting attempts succeed against leadership, the impact is exponentially greater.

Metrics That Actually Build Resilience

Instead of obsessing over click rates, forward-thinking security teams focus on metrics that provide deeper insights into organizational security posture:

Phishing Reporting Rate

This is the true measure of a healthy security culture. It shows employees are not just avoiding threats but actively participating in defense. Industry reporting rates typically range from 9% to 29% (Source). Your goal should be to see this rate increase over time.

A high reporting rate means your employees have transformed from potential victims into an active security layer. When an actual attack occurs, early reporting can dramatically reduce the impact.

Credential Submission Rate

This is the metric that truly matters for risk. As one security professional put it, "The only proper metric is number of entered credentials" (Source).

A click merely opens a door; credential submission is the theft. Reducing credential submissions from 15% to 3% represents a significant reduction in actual risk (Source). This metric directly correlates with the success rate bad actors would have with real phishing attacks.

Phishing Dwell Time

This measures the time between an employee receiving a phishing email and reporting it. A shorter dwell time means faster threat identification and containment. Ideally, organizations should aim to reduce dwell time by 50% or more through effective user education (Source).

In real attacks, reducing dwell time from hours to minutes can mean the difference between a minor incident and a major breach requiring disclosure to regulators and customers.

Repeat Offender / "Serial Clicker" Rate

This metric identifies the small subset of users who consistently fail simulations. Instead of tracking the overall average, focus on this high-risk group. This allows for targeted, 1-on-1 coaching for individuals in key roles.

As one practitioner noted, there is "a lot more value in 1:1 coaching for a person in a key role (such as authority to transfer funds) than trying to eke out another 1% average for the whole org" (Source).

Reducing the repeat offender rate from 24% to 5% demonstrates effective, targeted training (Source) and addresses the users who pose the greatest ongoing risk.
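The four metrics described above (reporting rate, credential submission rate, dwell time and repeat offender rate), computed over a small set of constructed simulation records. This is an added example, not code from the article; the records, the user labels and the cut-off of "clicked in two or more campaigns" for a repeat offender are assumptions.

```python
# Campaign metrics the page recommends over a bare click rate, computed from
# per-recipient simulation records. The records are constructed for this
# example; "repeat offender" is assumed to mean clicked in two or more campaigns.
from datetime import datetime, timedelta
from statistics import median

REPEAT_THRESHOLD = 2   # campaigns clicked before a user counts as a serial clicker

# (user, campaign, received, clicked, submitted_creds, reported-or-None)
T = datetime.fromisoformat
RECORDS = [
    ("ceo", "q1", T("2024-01-08T09:00"), True, True, None),
    ("ceo", "q2", T("2024-04-08T09:00"), True, True, None),
    ("cfo", "q1", T("2024-01-08T09:00"), True, False, T("2024-01-08T09:40")),
    ("cfo", "q2", T("2024-04-08T09:00"), False, False, T("2024-04-08T09:05")),
    ("intern", "q1", T("2024-01-08T09:00"), True, False, None),
    ("intern", "q2", T("2024-04-08T09:00"), False, False, T("2024-04-08T11:00")),
    ("sysadmin", "q1", T("2024-01-08T09:00"), False, False, T("2024-01-08T09:02")),
    ("sysadmin", "q2", T("2024-04-08T09:00"), False, False, T("2024-04-08T09:03")),
]

def campaign_rates(records, campaign):
    """Click, credential-submission and reporting rates for one campaign."""
    rows = [r for r in records if r[1] == campaign]
    n = len(rows)
    return {
        "click_rate": sum(r[3] for r in rows) / n,
        "cred_submission_rate": sum(r[4] for r in rows) / n,
        "reporting_rate": sum(r[5] is not None for r in rows) / n,
    }

def median_dwell_minutes(records, campaign):
    """Median minutes from receipt to report, over recipients who reported."""
    dwell = [(r[5] - r[2]) / timedelta(minutes=1)
             for r in records if r[1] == campaign and r[5] is not None]
    return median(dwell) if dwell else None

def repeat_offenders(records):
    """Users who clicked in REPEAT_THRESHOLD or more campaigns: the coaching list."""
    clicks = {}
    for user, _, _, clicked, _, _ in records:
        clicks[user] = clicks.get(user, 0) + int(clicked)
    return sorted(u for u, c in clicks.items() if c >= REPEAT_THRESHOLD)

def repeat_offender_rate(records):
    """Share of all recipients who are repeat offenders."""
    return len(repeat_offenders(records)) / len({r[0] for r in records})
```

On this constructed data the click rate falls from 75% to 25% between campaigns while the reporting rate rises from 50% to 75% and median dwell time drops from 21 to 5 minutes, yet the credential submission rate stays at 25% because the same high-privilege user submits every time.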

A Practical Framework for Risk-Based Evaluation

So how do you move beyond simplistic click rates to a more nuanced understanding of phishing risk? Here's a practical approach:

The Factor-Based Weighting System (FBWS)

This system provides a simple, customizable alternative to complex analytical models for assessing employee risk (Source). It considers multiple factors that influence an employee's vulnerability to phishing attacks and their potential impact on the organization if compromised.

Key Factors for Scoring

Each employee is assigned points based on five key factors:

1. Employee Role & Privilege:

  • Low Privilege: 10 points
  • Medium Privilege: 20 points
  • High Privilege: 30 points

2. Behavioral Data (Simulation Performance):

  • Never clicked: 10 points
  • Clicked 1 link: 15 points
  • Clicked 2+ links: 20 points

3. Training Compliance:

  • Completed and passed training: 10 points
  • Completed but failed: 20 points
  • Never completed: 30 points

4. Access to Sensitive Data:

  • No access: 10 points
  • Limited access: 20 points
  • Full access: 30 points

5. Regional & Compliance Risk (based on phishing prevalence):

  • Low-risk: 10 points
  • Medium-risk: 20 points
  • High-risk: 30 points

Putting it Together

Calculate the total risk score by summing the weighted scores for each factor. This creates a personalized risk profile that properly contextualizes click behavior:

| Employee Name | Role/Privilege | Behavioral Data | Training Compliance | Access to Sensitive Data | Region Compliance Risk | Total Risk Score | Risk Level |
| --- | --- | --- | --- | --- | --- | --- | --- |
| John Smith | High (30) | Clicked on 2 links (20) | Completed but failed (20) | Full access (30) | High risk region (30) | 130 | High |
| Sarah Brown | Medium (20) | Clicked on 1 link (15) | Completed and passed (10) | Limited access (20) | Medium risk region (20) | 85 | Medium |
| Mark Johnson | Low (10) | Never clicked (10) | Completed and passed (10) | No access (10) | Low risk region (10) | 40 | Low |

This framework makes it immediately clear why focusing on an organization-wide click rate is inadequate. John Smith's behavior presents significantly more risk than Mark Johnson's, even though both would register as "1 employee" in a typical click rate calculation.

From Compliance to Culture: The Path Forward

Traditional phishing simulations often focus on compliance—checking a box for cyber insurance requirements or security certifications. But true security resilience comes from building a security culture where:

  1. Employees at all levels understand the risks and their role in organizational defense
  2. High-risk individuals receive targeted, personalized training
  3. Leadership models good security behavior
  4. Reporting suspicious activity is rewarded, not punished
  5. Metrics focus on risk reduction rather than arbitrary goals

The journey from a compliance-focused to a culture-focused approach requires shifting from simplistic click rates to nuanced, risk-based metrics that acknowledge the reality: all clicks are not created equal.

Take Action Today

Here are three immediate steps you can take to improve your phishing simulation program:

  1. Implement risk-based metrics: Move beyond click rates to track reporting rates, credential submissions, and dwell time.
  2. Develop targeted training: Create specialized simulations for finance, HR, and executive teams that mimic the specific threats they face.
  3. Identify and coach high-risk users: Provide one-on-one training for repeat offenders in sensitive positions instead of focusing exclusively on organization-wide averages.

Remember, the goal of phishing simulations isn't to trick employees or achieve some arbitrary benchmark—it's to build a human firewall that complements your technical defenses. By focusing on context, culture, and continuous improvement rather than a single percentage, you'll develop true resilience against the sophisticated social engineering attacks that remain the primary vector for today's most damaging breaches.

After all, when bad actors launch their next targeted phishing campaign, they won't care about your click rate percentage—they'll care about whether they can harvest credentials from the right person with the right access to achieve their objectives. Shouldn't your metrics reflect that reality?

Frequently Asked Questions

What is a good phishing simulation click rate?

There is no universal "good" click rate for phishing simulations. A strong indicator of success is a click rate that trends downward over time while your phishing reporting rate trends upward. Focusing on a single percentage is misleading because it ignores critical context, such as who clicked the link. A 1% click rate that includes your CFO is far more dangerous than a 5% rate composed of low-privilege employees.

Why is focusing only on click rates dangerous?

Focusing solely on click rates is dangerous because it can create a false sense of security and obscure the real risks. A low click rate might simply mean your simulations are too easy, or that employees are deleting suspicious emails instead of reporting them. This focus also ignores the context of who clicked—a single click from a system administrator is a critical vulnerability—and can lead to a culture of fear where employees are afraid to report real-life mistakes.

What are better metrics to measure than phishing click rates?

More effective metrics for measuring your security awareness program include the phishing reporting rate, credential submission rate, and repeat offender rate. The reporting rate shows active employee participation in security defense. The credential submission rate measures how many users entered their login details, which is a direct indicator of account compromise risk. Tracking the repeat offender rate helps you identify and provide targeted training to your most vulnerable users.

How should we treat employees who repeatedly fail phishing tests?

Employees who repeatedly fail phishing tests, often called "serial clickers," should receive targeted, one-on-one coaching rather than punishment. The goal is education and risk reduction, not blame. These individuals may be in high-risk roles (e.g., finance, executive leadership) and require personalized support to understand the specific, sophisticated threats they face. Punitive measures are counterproductive, as they can discourage employees from reporting real security incidents.

What is the difference between a click rate and a credential submission rate?

A click rate measures the percentage of users who clicked a link in a simulated phishing email, indicating they were enticed by the lure. A credential submission rate measures the percentage of users who went a step further and entered their username and password into a fake login page. While a click opens the door to an attack, a credential submission represents a successful compromise of that user's account, making it a far more critical metric for assessing actual risk.

How can our organization start measuring risk instead of just clicks?

You can start measuring risk by implementing a factor-based approach that scores employees based on multiple variables, not just their click behavior. This involves assigning weight to factors like an employee's role and privilege level, their access to sensitive data, their training compliance, and their past simulation performance (including clicks and credential submissions). This creates a holistic risk profile for each person, allowing you to focus security efforts where they are most needed.
