Phishing vulnerability assessments and phishing susceptibility rates rarely tell the full story. How can companies calculate their true phishing risk?

Have you ever wondered whether your reduced phishing susceptibility rate really shows your true phishing vulnerability?

Or wondered why it may be low one week but spike the next?

Read on to hear CybSafe’s thoughts on why, if not applied correctly, susceptibility rates are a lazy metric of phishing vulnerability, and why many Awareness and Education teams (and Boards) find themselves questioning whether those rates really add the value they had hoped for.

Phishing vulnerability

Phishing vulnerability often (understandably) attracts much attention; however, on its own it can be a misleading comfort metric.

A reduction in phishing vulnerability, while on the surface good (and welcome), might only be temporary. As the subject, context, timing, style and tone of a phishing email change, so too does the susceptibility rate. A little extra thought, effort and lucky timing on the part of the sender could yield significantly different reporting metrics!

The human cyber risk you carry, in relation to awareness, behaviour and culture (ABC), is much more than whether a member of the workforce did or didn’t click on a simulated phishing link. More importantly, an organisation may have a phishing susceptibility rate of 4% one quarter, and then 27% the next, simply because the phishing simulations have been constructed differently (subject, context, timing, style, tone etc.).

It’s very easy to become fixated on phishing vulnerability, and if a programme is not implemented correctly, it can actually have a detrimental effect on a workforce. To really reduce risk in a way that is sustainable, and to avoid false comfort, an organisation needs to intelligently look at other metrics as indicators.
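To make the quarter-to-quarter swing concrete, here is an added Python illustration (not CybSafe’s or Click 26’s code) that computes a per-campaign susceptibility rate with a Wilson 95% interval and refuses to read two campaigns as a trend unless their lures match on subject, timing, style and tone; the campaign figures and lure tags are constructed.

```python
"""Added illustration, not CybSafe's or Click 26's code: click rate with a Wilson interval and a lure check."""
from __future__ import annotations
from dataclasses import dataclass
from math import sqrt

Z95 = 1.959964  # two-sided 95% normal quantile

@dataclass(frozen=True)
class Campaign:
    name: str
    sent: int
    clicked: int
    lure: dict  # how the simulation was built: subject, context, timing, style, tone

def susceptibility(c: Campaign) -> float:
    """The headline click rate on its own."""
    return c.clicked / c.sent

def wilson_interval(clicked: int, sent: int, z: float = Z95) -> tuple[float, float]:
    """Wilson score interval: narrow only for a large campaign, so a small pilot cannot claim precision."""
    if sent == 0:
        return (0.0, 1.0)
    p = clicked / sent
    denom = 1 + z * z / sent
    centre = (p + z * z / (2 * sent)) / denom
    half = z * sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def lure_differences(a: Campaign, b: Campaign) -> list[str]:
    """Construction tags on which the two simulations differ."""
    return [k for k in sorted(set(a.lure) | set(b.lure)) if a.lure.get(k) != b.lure.get(k)]

def compare(a: Campaign, b: Campaign) -> dict:
    """Call it a trend only when lures match and the intervals do not overlap."""
    lo_a, hi_a = wilson_interval(a.clicked, a.sent)
    lo_b, hi_b = wilson_interval(b.clicked, b.sent)
    diffs = lure_differences(a, b)
    if diffs:
        trend = "not comparable"
    elif hi_a < lo_b or hi_b < lo_a:
        trend = "changed"
    else:
        trend = "inconclusive"
    return {"rate_a": susceptibility(a), "rate_b": susceptibility(b),
            "ci_a": (lo_a, hi_a), "ci_b": (lo_b, hi_b), "lure_differences": diffs, "trend": trend}

# Constructed quarters: same workforce and size, the second lure built differently.
Q1 = Campaign("Q1", 500, 20, {"subject": "it-notice", "timing": "midweek-morning", "style": "generic", "tone": "neutral"})
Q2 = Campaign("Q2", 500, 135, {"subject": "finance-notice", "timing": "friday-afternoon", "style": "personalised", "tone": "urgent"})
Q1_REPEAT = Campaign("Q1-repeat", 500, 25, Q1.lure)  # same build as Q1, five more clicks
```

The 4% and 27% figures come out of `compare(Q1, Q2)` as "not comparable", while `compare(Q1, Q1_REPEAT)` is a genuine like-for-like reading whose intervals still overlap.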

What’s really important to measure?

1. What do people actually know and understand about how to stay safe online? (About phishing and the whole raft of other cyber threats they might face as a result of their role, industry and personal circumstances).

2. How do they really behave when presented with attacks (phishing, SMiShing, USB drops, etc.)?

3. What do they think, and how much do they care, about cyber security?

4. And how confident are they?

Combined, these metrics give a much more accurate view of human cyber risk and the ABC health within an organisation than phishing susceptibility rates or other metrics of phishing vulnerability. In addition, they provide a more intelligent view on which to rely, which becomes more obvious when phishing click rates fluctuate: for example, because context, timing, style or tone have changed, because secure behaviours haven’t sunk in yet, or because people simply don’t care enough.

Moreover, these metrics will help ensure your phishing susceptibility rate reduces over time, and stays down. And if it doesn’t, they’ll help you identify why.

Addressing phishing is important, but…

Importantly, the answer to the problem isn’t simply more of the same – reducing phishing vulnerability (and in fact human cyber risk as a whole) through better phishing simulations, or more tick-box awareness training. Organisations need to find ways to engage, stimulate, support and really hear from their people when it comes to cyber security and data protection.

This can be done with content and innovative delivery mechanisms that better apply psychology and behaviour change theory, as well as a better understanding of the needs and expectations of today’s modern and growing digital workforce. Likewise, a clever use of innovative, increasingly intelligent technology can help drive positive changes in the areas (and metrics) of interest – meaning in turn, genuine risk reduction.

The cyber risk faced by most organisations is a lot broader than just phishing vulnerability. However, even if this was an organisation’s sole focus (?!), to really be sure that one is reducing the risk posed by employees clicking on phishing links, we need to first understand, and then positively influence, the factors that contribute to why someone might click on that link. What do people know and understand? How do they behave? How much do they care? How confident are they?

Addressing phishing is important. And anything that is important and can be measured should be measured. However, it is folly to blindly accept a set of metrics if they can be so easily affected by slight changes the next day. This is the Board-level equivalent of the emperor’s new clothes.

CybSafe’s intelligent software harnesses collective lessons from across the cyber security community in a low-cost per-user subscription to help businesses of all sizes improve cyber security behaviour and reduce cyber risk, both internally and within their supply chains.

The GCHQ-accredited software helps businesses mitigate cyber risk with greater certainty, greater impact and better cost effectiveness.

CybSafe is a British cyber security technology company. It is headquartered at Level39, the prestigious technology community based in Canary Wharf, London.

By CybSafe

Would you like to hear more about how CybSafe can help you take a more honest view on the human cyber risk you carry? Or what more can be done to permanently reduce phishing susceptibility? Please let us know. The team at Click 26 will be happy to help you.


© 2018 Click 26 Ltd.