Phishing Simulation Failure Rate
Percentage of employees who fail simulated phishing tests (clicking links, entering credentials, or downloading attachments)
Current Value
8.3%
-25% from previous period
Industry average: 17.6%
Calculation Method
(Number of employees who clicked, entered credentials, or downloaded attachments / Total number of employees who received phishing test emails) × 100%
Significance
This KPI measures the effectiveness of security awareness training and employees' ability to recognize and properly respond to phishing attempts, one of the most common initial attack vectors.
Definition
Phishing Simulation Failure Rate measures the percentage of employees who fall for simulated phishing attempts by clicking on malicious links, entering credentials on fake login pages, or downloading potentially malicious attachments during controlled tests.
Significance
Phishing remains one of the most common initial attack vectors, with over 90% of breaches involving a phishing component. A lower failure rate indicates a workforce better equipped to identify and properly respond to phishing attempts.
This KPI helps assess the effectiveness of security awareness training programs, identify departments or individuals that may need additional training, and track improvement in human security defenses over time.
Calculation Method
Calculation components include:
- Number of employees who interacted with phishing content (clicks, data entry, downloads)
- Total number of employees who received the test
- Formula: (Number who failed / Total recipients) × 100%
Note: Phishing tests should vary in sophistication to simulate both basic and advanced attacks. Results should be tracked by department and type of phishing scenario.
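The calculation above, broken down by department and scenario type, as an added example that is not part of the original page. The event schema, action names, and sample records are assumptions constructed for illustration; each employee is counted at most once per group, and interactions from people who were not test recipients are excluded.

```python
from collections import defaultdict

# Hypothetical action names; these three count as failures per the formula above.
FAIL_ACTIONS = {"clicked", "entered_credentials", "downloaded_attachment"}

# Constructed sample events: (employee_id, department, scenario, action)
EVENTS = (
    [(f"f{i}", "Finance", "basic", "delivered") for i in range(1, 5)]
    + [(f"g{i}", "Engineering", "spear", "delivered") for i in range(1, 9)]
    + [
        ("f1", "Finance", "basic", "clicked"),
        ("f1", "Finance", "basic", "entered_credentials"),   # same person, counted once
        ("f2", "Finance", "basic", "reported"),               # reporting is not a failure
        ("g3", "Engineering", "spear", "downloaded_attachment"),
        ("x9", "Engineering", "spear", "clicked"),            # forwarded mail, not a recipient
    ]
)


def failure_rates(events, key):
    """Return {group: failure rate in %} where key(emp, dept, scenario) names the group."""
    recipients = defaultdict(set)
    failed = defaultdict(set)
    for emp, dept, scenario, action in events:
        group = key(emp, dept, scenario)
        if action == "delivered":
            recipients[group].add(emp)
        elif action in FAIL_ACTIONS:
            failed[group].add(emp)
    rates = {}
    # Only groups with at least one recipient get a rate, so the divisor is never zero.
    for group, rcpts in recipients.items():
        n_failed = len(failed[group] & rcpts)  # drop failures by non-recipients
        rates[group] = round(100.0 * n_failed / len(rcpts), 1)
    return rates


if __name__ == "__main__":
    print("overall      :", failure_rates(EVENTS, lambda e, d, s: "all"))
    print("by department:", failure_rates(EVENTS, lambda e, d, s: d))
    print("by scenario  :", failure_rates(EVENTS, lambda e, d, s: s))
```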
Current Performance
Our failure rate has decreased from 11.1% to 8.3% over the past 12 months. The greatest improvement occurred after implementing targeted training for departments with high failure rates, which reduced their rate by over 40%.
Benchmark
Industry average: 17.6% failure rate
Best practice target: <5% failure rate for general phishing; <10% for sophisticated spear phishing