Phishing vulnerability assessments and phishing susceptibility rates rarely tell the full story. How can companies calculate their true phishing risk?

Have you ever wondered whether your reduced phishing susceptibility rate really shows your true phishing vulnerability?

Or wondered why it may be low one week but spike the next?

Read on to hear CybSafe’s thoughts on why, if not applied correctly, susceptibility rates are a lazy metric of phishing vulnerability, and why many Awareness and Education teams (and Boards) find themselves questioning whether they really add the value they had hoped.

Phishing vulnerability

Phishing vulnerability often (understandably) attracts much attention; however, on its own it can be a misleading comfort metric.

A reduction in phishing vulnerability, while on the surface good (and welcome), might only be temporary. Often as the subject, context, timing, style and tone within a phishing email changes, so too does the susceptibility rate. A little bit of extra thought, effort and lucky timing on the part of the sender could yield significantly different reporting metrics!

The human cyber risk you carry, in relation to awareness, behaviour and culture (ABC), is much more than whether a member of the workforce did or didn’t click on a simulated phishing link. More importantly, an organisation may have a phishing susceptibility rate of 4% one quarter, and then 27% the next, simply because the phishing simulations have been constructed differently (subject, context, timing, style, tone etc.).

It’s very easy to become fixated on phishing vulnerability, and if a programme is not implemented correctly, it can actually have a detrimental effect on a workforce. To really reduce risk in a way that is sustainable, and to avoid false comfort, an organisation needs to intelligently look at other metrics as indicators.

What’s really important to measure?

1. What do people actually know and understand about how to stay safe online? (About phishing and the whole raft of other cyber threats they might face as a result of their role, industry and personal circumstances).

2. How do they really behave when presented with attacks (phishing, SMiShing, USB drops, etc.)?

3. What do they think, and how much do they care, about cyber security?

4. And how confident are they?

Combined, these metrics give a much more accurate view of human cyber risk and the ABC health within an organisation than phishing susceptibility rates or other metrics of phishing vulnerability. In addition, they provide a more intelligent view on which to rely, which becomes more obvious when phishing click rates fluctuate, whether because context, timing, style or tone have changed, because secure behaviours haven’t sunk in yet, or because people simply don’t care enough.

Moreover, these metrics will help ensure your phishing susceptibility rate reduces over time, and stays down. And if it doesn’t, they’ll help you identify why.
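As an added illustration of the fluctuation described in the two passages above (this is example code, not CybSafe’s software or method), the script below pools constructed simulation results into a single headline click rate per quarter, then re-stratifies the same results by a constructed lure-difficulty label so that two quarters are only ever compared like-for-like. The 1–5 difficulty scale, the sample campaign numbers, the use of report rate as a behaviour indicator and the tolerance in `headline_is_misleading` are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Campaign:
    """One simulated phishing campaign.

    difficulty is an assumed 1-5 label for how targeted the lure was
    (1 = generic, 5 = tailored to role, context and timing).
    """
    quarter: str
    difficulty: int
    sent: int
    clicked: int
    reported: int


# Constructed sample data: Q1 ran mostly easy lures, Q2 mostly hard ones.
CAMPAIGNS = [
    Campaign("Q1", 1, 500, 20, 160),
    Campaign("Q1", 3, 100, 15, 25),
    Campaign("Q2", 3, 100, 14, 28),
    Campaign("Q2", 4, 500, 135, 45),
]


def headline_rates(campaigns):
    """The 'lazy metric': one pooled click rate per quarter, all lures together."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for c in campaigns:
        sent[c.quarter] += c.sent
        clicked[c.quarter] += c.clicked
    return {q: round(clicked[q] / sent[q], 3) for q in sent}


def stratified_rates(campaigns):
    """Click and report rate per (quarter, difficulty) so that only lures of
    comparable construction are compared with each other."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for c in campaigns:
        key = (c.quarter, c.difficulty)
        sent[key] += c.sent
        clicked[key] += c.clicked
        reported[key] += c.reported
    return {
        k: {
            "click_rate": round(clicked[k] / sent[k], 3),
            "report_rate": round(reported[k] / sent[k], 3),
        }
        for k in sent
    }


def like_for_like(campaigns, quarter_a, quarter_b):
    """Compare two quarters only at difficulty levels both quarters actually ran.

    Returns {difficulty: (click_rate_a, click_rate_b)}; an empty dict means
    the two quarters share no comparable lures at all.
    """
    strat = stratified_rates(campaigns)
    levels_a = {d for (q, d) in strat if q == quarter_a}
    levels_b = {d for (q, d) in strat if q == quarter_b}
    return {
        d: (strat[(quarter_a, d)]["click_rate"], strat[(quarter_b, d)]["click_rate"])
        for d in sorted(levels_a & levels_b)
    }


def headline_is_misleading(campaigns, quarter_a, quarter_b, tolerance=0.02):
    """True when the pooled quarter-on-quarter movement is not supported by the
    like-for-like strata (or when there are no comparable strata at all).
    The tolerance is an assumed threshold below which the headline movement
    is treated as noise."""
    head = headline_rates(campaigns)
    pooled = head[quarter_b] - head[quarter_a]
    strata = like_for_like(campaigns, quarter_a, quarter_b)
    if not strata:
        return True  # nothing comparable: the headline has no support either way
    if abs(pooled) <= tolerance:
        return False  # headline barely moved; nothing to be misled by
    stratified = mean(b - a for a, b in strata.values())
    return (pooled > 0) != (stratified > 0)


if __name__ == "__main__":
    print("headline:", headline_rates(CAMPAIGNS))
    print("like-for-like:", like_for_like(CAMPAIGNS, "Q1", "Q2"))
    print("headline misleading:", headline_is_misleading(CAMPAIGNS, "Q1", "Q2"))
```

On the constructed data the pooled click rate rises from about 6% to about 25%, which reads as a collapse in behaviour; the only difficulty level run in both quarters (3) actually improved slightly, from 15% to 14%. Reporting the stratified figures alongside the headline, and refusing to draw a trend where the strata do not overlap, is the practical way to stop a change in simulation construction being mistaken for a change in risk.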

Addressing phishing is important, but…

Importantly, the answer to the problem isn’t simply more of the same – reducing phishing vulnerability (and in fact human cyber risk as a whole) through better phishing simulations, or more tick-box awareness training. Organisations need to find ways to engage, stimulate, support and really hear from their people when it comes to cyber security and data protection.

This can be done with content and innovative delivery mechanisms that better apply psychology and behaviour change theory, as well as a better understanding of the needs and expectations of today’s modern and growing digital workforce. Likewise, a clever use of innovative, increasingly intelligent technology can help drive positive changes in the areas (and metrics) of interest – meaning in turn, genuine risk reduction.

The cyber risk faced by most organisations is a lot broader than just phishing vulnerability. However, even if this was an organisation’s sole focus (?!), to really be sure that one is reducing the risk posed by employees clicking on phishing links, we need to first understand, and then positively influence, the factors that contribute to why someone might click on that link. What do people know and understand? How do they behave? How much do they care? How confident are they?

Addressing phishing is important. And anything that is important and can be measured, should be measured. However, it is folly to blindly accept a set of metrics if they can be so easily affected by slight changes the next day. This is the Board-level equivalent of the emperor’s new clothes.

CybSafe’s intelligent software harnesses collective lessons across the cyber security community in a low-cost per-user subscription to help businesses of all sizes improve cyber security behaviour and reduce cyber risk, both internally and within their supply chains.

The GCHQ-accredited software helps businesses mitigate cyber risk with greater certainty, greater impact, and more cost-effectively.

CybSafe is a British cyber security technology company. It is headquartered at Level39, the prestigious technology community based in Canary Wharf, London.

By CybSafe

Would you like to hear more about how CybSafe can help you take a more honest view on the human cyber risk you carry? Or what more can be done to permanently reduce phishing susceptibility? Please let us know. The team at Click 26 will be happy to help you.

© 2018 Click 26 Ltd.