Who this is for: IT and HR managers responsible for security awareness programmes. If you've run phishing simulations and wondered whether they're doing anything useful, this note is for you.
The problem with click rate as a metric
Most phishing simulation programmes measure one thing: the percentage of staff who click a simulated phishing link. This is reported monthly or quarterly, and the programme is considered successful when the click rate goes down.
There are several problems with this. First, click rates are driven largely by simulation design. A convincing pretext aimed at a specific job function produces a high click rate almost regardless of the organisation's security awareness level, while a generic "your account will be suspended" email produces a low click rate because everyone has seen it before. Neither measurement tells you much about your actual susceptibility to targeted phishing, and comparing click rates across campaigns with different pretexts tells you even less.
Second, click rates recover. Studies have consistently found that click rates decline after a simulation, then return to near-baseline within four to six months without follow-up. You're measuring short-term anxiety, not long-term behaviour change.
Third — and this matters more than the first two — click rate doesn't measure what you actually care about. What you care about is whether a phishing attempt leads to credential compromise, malware execution, or financial fraud. A staff member who clicks a link but immediately reports it to the IT team has done the right thing. A staff member who doesn't click but also doesn't know what to do when they're unsure is still a risk.
What the research shows
There's a reasonable body of research on phishing simulation effectiveness, and the picture isn't encouraging for organisations running standard annual simulations. The key findings:
- Simulations without immediate, specific educational feedback show minimal sustained behaviour change
- Generic "you clicked, here's a training module" responses are consistently found to create resentment without improving outcomes
- Repeated simulations targeting the same staff create anxiety and erode trust in IT without necessarily improving their ability to identify real phishing
- Staff who receive specific, contextual feedback immediately after clicking ("here's what made this email suspicious") show better retention than those directed to generic awareness modules
This doesn't mean simulations are useless. It means the simulation is the measurement tool, not the training. The response to a simulation result — what you do with the data — is what affects behaviour.
What actually changes behaviour
Immediate, specific feedback
When a staff member clicks a simulated link, the most effective intervention is immediate feedback that explains specifically what made that email suspicious: the sender domain, the urgency language, the mismatch between the visible link and the actual URL. Not a generic "you clicked a phishing simulation" page, and not a redirect to a 45-minute e-learning module.
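The kind of feedback described above can be generated automatically at the moment of the click. The following is an added example, not code from this note or from any simulation product: it inspects a single-part HTML email for the three indicators listed (sender domain, urgency language, and a visible link that does not match its real href) and returns one specific sentence per finding. The trusted domains, the urgency phrase list and both sample emails are constructed for illustration.

```python
"""Produce specific, immediate feedback for a simulated phishing email.

Added example. TRUSTED_DOMAINS, URGENCY_PHRASES and the two sample
messages are constructed assumptions, not data from any real programme.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation actually sends from or links to.
TRUSTED_DOMAINS = ("example.co.uk",)
# Assumption: a short list of pressure phrases worth pointing out to staff.
URGENCY_PHRASES = ("within 24 hours", "immediately", "will be suspended",
                   "final notice", "act now")


def trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of_visible_text(text):
    """Return the host if the visible link text itself looks like a URL, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).netloc.lower()
    return host if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", host) else None


def feedback_for(raw_email):
    """Return a list of specific findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Sender: display name versus the real address domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain and not trusted(sender_domain):
        findings.append(
            f'Sender: the display name "{display}" hides the real address {addr}; '
            f"{sender_domain} is not a domain we use.")

    body = msg.get_payload()
    plain = re.sub(r"<[^>]+>", " ", body).lower()

    # 2. Urgency language in the body text.
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        findings.append("Urgency: the message pressures you with " + ", ".join(f'"{h}"' for h in hits) + ".")

    # 3. Visible link text versus the actual href target.
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        real_host = urlparse(href).netloc.lower()
        shown_host = host_of_visible_text(text)
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"Link: the link shown as {text} actually goes to {real_host}.")
        elif real_host and not trusted(real_host):
            findings.append(f'Link: "{text}" points to {real_host}, which is not a domain we use.')
    return findings


# Constructed simulated phishing email (not a real message).
SAMPLE_EMAIL = """\
From: "IT Service Desk" <helpdesk@example-co-uk-support.com>
To: a.user@example.co.uk
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended within 24 hours unless you verify it.</p>
<p>Sign in at <a href="https://login.example-co-uk-support.com/auth">https://portal.example.co.uk/login</a></p>
"""

# Constructed benign internal email for comparison.
BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example.co.uk>
To: a.user@example.co.uk
Subject: Meeting notes
Content-Type: text/html; charset=utf-8

<p>Notes from this morning are at <a href="https://portal.example.co.uk/notes">https://portal.example.co.uk/notes</a>.</p>
"""

if __name__ == "__main__":
    for line in feedback_for(SAMPLE_EMAIL):
        print(line)
```

Each finding is tied to something the reader can see in the email in front of them, which is the point: the feedback page shows these three sentences next to the message, not a generic "you clicked" banner.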
Reporting culture, not click culture
The behaviour you want to reinforce is reporting, not non-clicking. Staff who report suspicious emails are more valuable than staff who avoid clicking but don't act: a report gives the security team a chance to pull the same message from other mailboxes and block the sender, while a silent non-click gives them nothing. This means having a reporting mechanism that's easy to use (a button in the email client, not a ticket system) and actively acknowledging reports. If your IT team doesn't respond to phishing reports, staff stop sending them.
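Measuring this requires more than the click rate discussed earlier on this page. The following added example (not code from this note or from any simulation platform) scores a campaign from a constructed event export of the kind most platforms can produce: delivered, clicked and reported events per user with timestamps. It separates the group that matters most, staff who clicked and never reported, from staff who clicked and then reported, and records how quickly the first report arrived.

```python
"""Score a phishing simulation on reporting behaviour, not just clicks.

Added example. The CSV below is constructed to resemble a simulation
platform export; column names and the campaign name are assumptions.
"""
import csv
import io
from datetime import datetime
from statistics import median

# Constructed event log for one campaign: six recipients.
EVENTS_CSV = """\
campaign,user,event,time
2024Q1-invoice,alice,delivered,2024-02-05T09:00:00
2024Q1-invoice,bob,delivered,2024-02-05T09:00:00
2024Q1-invoice,carol,delivered,2024-02-05T09:00:00
2024Q1-invoice,dave,delivered,2024-02-05T09:00:00
2024Q1-invoice,erin,delivered,2024-02-05T09:00:00
2024Q1-invoice,frank,delivered,2024-02-05T09:00:00
2024Q1-invoice,carol,reported,2024-02-05T09:02:00
2024Q1-invoice,alice,clicked,2024-02-05T09:03:00
2024Q1-invoice,alice,reported,2024-02-05T09:05:00
2024Q1-invoice,bob,clicked,2024-02-05T09:10:00
2024Q1-invoice,frank,reported,2024-02-05T09:15:00
2024Q1-invoice,erin,clicked,2024-02-05T09:30:00
"""


def score(csv_text):
    """Return {campaign: metrics} where metrics goes beyond the click rate."""
    by_campaign = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        c = by_campaign.setdefault(row["campaign"],
                                   {"delivered": {}, "clicked": set(), "reported": {}})
        when = datetime.fromisoformat(row["time"])
        user, event = row["user"], row["event"]
        if event == "delivered":
            c["delivered"][user] = when
        elif event == "clicked":
            c["clicked"].add(user)
        elif event == "reported":
            # Keep only the first report per user; later ones don't shorten exposure.
            c["reported"][user] = min(when, c["reported"].get(user, when))

    results = {}
    for name, c in by_campaign.items():
        delivered = set(c["delivered"])
        clicked, reported = c["clicked"] & delivered, set(c["reported"]) & delivered
        n = len(delivered)
        minutes = [(c["reported"][u] - c["delivered"][u]).total_seconds() / 60 for u in reported]
        results[name] = {
            "delivered": n,
            "click_rate": len(clicked) / n if n else 0.0,
            "report_rate": len(reported) / n if n else 0.0,
            # The population that actually represents risk: clicked, told nobody.
            "clicked_not_reported": sorted(clicked - reported),
            "clicked_then_reported": sorted(clicked & reported),
            # Neither clicked nor reported: you learned nothing about them.
            "silent": sorted(delivered - clicked - reported),
            "first_report_minutes": min(minutes) if minutes else None,
            "median_report_minutes": median(minutes) if minutes else None,
        }
    return results


if __name__ == "__main__":
    for campaign, m in score(EVENTS_CSV).items():
        print(campaign)
        for k, v in m.items():
            print(f"  {k}: {v}")
```

On this constructed data the click rate and the report rate are both 50%, which a click-rate-only report would present as a mediocre result. The breakdown shows something more useful: one person clicked and reported within two minutes, two clicked and said nothing, one neither clicked nor reported, and the first report arrived two minutes after delivery, which is the number that determines how quickly a real campaign could be contained.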
Role-specific content
Finance staff are targeted with invoice fraud. HR is targeted with recruitment pretexts. IT administrators face credential harvesting via fake service portals. A generic phishing simulation that uses the same email for everyone is less useful than targeted simulations that reflect what each department actually encounters. This requires more design work, but produces more useful data.
Manager engagement
Security awareness research consistently finds that manager behaviour is one of the strongest predictors of team behaviour. If senior managers are seen to treat security procedures as obstacles rather than requirements, that signal matters more than any training programme. This is one reason NIS2 Article 20 specifically requires members of management bodies to follow cyber security training.
Designing a programme that works
A programme that produces genuine behaviour change looks like this: quarterly simulations with varied pretexts matched to specific departments, immediate specific feedback on click events, an accessible and acknowledged reporting mechanism, and a training component that builds skills rather than just measuring susceptibility. The training should be contextual — not annual compliance modules, but short interventions triggered by events (a click, a reported email, a relevant threat intelligence item).
This is more work than running a simulation and reporting the click rate. But the click rate, on its own, is telling you very little.
If you want to discuss what a realistic programme looks like for your organisation's size and sector, we offer a free initial conversation. We can also run a targeted simulation as a standalone engagement if you want to see what your current susceptibility looks like before committing to a full programme.