Resilience. There's no better word for the last year. It's also a great descriptor for users who go from passive detractors to active defenders of your organization. Let me explain.
Security awareness resilience: click and reporting rates combine forces
In last year's 2020 State of the Phish, we looked at high-performing customers in terms of two metrics:
• Click/Failure rate: Percentage of users who engage with a simulated phish
• Reporting rate: Percentage of users who use an automated phishing reporting tool to report phishing simulations from their email client
Top-performing simulated phishing campaigns from our 2020 State of the Phish report
What we found was that top-performing customers consistently had click/failure rates below 5% and reporting rates above 70%. These numbers differed sharply from the averages we observed:
• Average click/failure rate: 11% vs. top performers <5%
• Average reporting rate: 13% vs. top performers >70%
One takeaway is that the gap between the average and top-performer reporting rates (13% vs. >70%) is far wider than the gap in click/failure rates (11% vs. <5%). We believe the reporting rate is actually the more important metric to track when gauging security awareness success.
The click rate tells you whether users are avoiding the bad behavior; the reporting rate shows whether they are actively doing the good one: getting suspicious messages to your incident response team so it can take action (or automate remediation).
Having engaged users reporting suspicious messages is essential for your organization's resilience to advanced phishing attacks, as most phishing attacks require humans to take action in order to be successful.
That is one reason we call the reporting rate divided by the failure rate the resilience ratio. For top performers, a reporting rate of 70% and a failure rate of 5% gives a resilience ratio of 14, far higher than the average of 13% / 11%, a ratio of only about 1.2.
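The following is an added worked example, not code from the report or from any simulation product: it computes click/failure rate, reporting rate and the resilience ratio from per-user results of one simulated campaign. The per-user record layout and the 20-user sample campaign are constructed for the example. It also shows two things the definition alone does not: the ratio is undefined when nobody clicks, and because the reporting rate cannot exceed 100%, a target ratio R is only reachable once the click rate is at or below 100 / R.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example. The record layout is an assumption made here, not an export
# format of any particular phishing-simulation tool.


@dataclass(frozen=True)
class SimulationResult:
    user: str
    clicked: bool   # engaged with the simulated phish (a failure)
    reported: bool  # used the report-phish button on the simulation


@dataclass(frozen=True)
class CampaignMetrics:
    targeted: int
    click_rate: float                  # percent of targeted users who clicked
    reporting_rate: float              # percent of targeted users who reported
    resilience_ratio: Optional[float]  # reporting_rate / click_rate; None if nobody clicked


def resilience_ratio(reporting_rate: float, click_rate: float) -> Optional[float]:
    """Reporting rate divided by click/failure rate, both in percent.

    Returns None when the click rate is zero: the ratio is undefined, and a
    campaign nobody clicked is better reported as click_rate == 0 than as an
    infinite score."""
    if click_rate < 0 or reporting_rate < 0:
        raise ValueError("rates must be non-negative percentages")
    if click_rate == 0:
        return None
    return reporting_rate / click_rate


def campaign_metrics(results: Iterable[SimulationResult]) -> CampaignMetrics:
    """Aggregate one campaign. A user who clicked and then reported counts
    towards both rates; the two metrics are measured independently."""
    rows = list(results)
    if not rows:
        raise ValueError("campaign has no targeted users")
    if len({r.user for r in rows}) != len(rows):
        raise ValueError("expected exactly one record per targeted user")
    targeted = len(rows)
    clicked = sum(1 for r in rows if r.clicked)
    reported = sum(1 for r in rows if r.reported)
    click_rate = 100.0 * clicked / targeted
    reporting_rate = 100.0 * reported / targeted
    return CampaignMetrics(targeted, click_rate, reporting_rate,
                           resilience_ratio(reporting_rate, click_rate))


def required_reporting_rate(target_ratio: float, click_rate: float) -> Optional[float]:
    """Reporting rate (percent) needed to hit target_ratio at the given click
    rate, or None when it would exceed 100%. Since reporting is capped at
    100%, a ratio R is reachable only once click_rate <= 100 / R, so the
    click rate has to come down as well, not just reporting go up."""
    needed = target_ratio * click_rate
    return needed if needed <= 100.0 else None


# Constructed sample: 20 targeted users, 2 clicked (u03 clicked and then
# reported, u17 clicked and stayed silent), 15 reported (u01..u15).
CLICKED = {"u03", "u17"}
REPORTED = {f"u{i:02d}" for i in range(1, 16)}
SAMPLE_CAMPAIGN = [
    SimulationResult(f"u{i:02d}",
                     clicked=f"u{i:02d}" in CLICKED,
                     reported=f"u{i:02d}" in REPORTED)
    for i in range(1, 21)
]

if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_CAMPAIGN)
    print(f"targeted={m.targeted} click={m.click_rate:.1f}% "
          f"report={m.reporting_rate:.1f}% ratio={m.resilience_ratio:.1f}")
    # Benchmarks quoted in the post: average 13% / 11%, top performers 70% / 5%.
    print("average ratio:", round(resilience_ratio(13.0, 11.0), 1),
          "top-performer ratio:", resilience_ratio(70.0, 5.0))
    print("reporting rate needed for ratio 14 at 10% clicks:",
          required_reporting_rate(14.0, m.click_rate))
```

For the sample campaign this gives a 10% click rate, a 75% reporting rate and a ratio of 7.5; reaching the top-performer ratio of 14 at a 10% click rate would require a 140% reporting rate, which is why the click rate must fall below about 7% before reporting alone can close the gap.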
Organizations that achieve, and just as importantly maintain, this level of resilience reach a state in which their exposure to phishing drops dramatically. We have observed that customers with high resilience ratios run persistent, relevant and impactful security awareness programs year-round, matching the equally persistent nature of phishing attacks.
Your journey to resilience
For in-depth comparisons of your metrics against your peers', strategies for running an impactful security awareness program, and a deep dive into phishing trends, read our 2021 State of the Phish report.
Next week we’re taking a deep dive into some of our findings about the time, topics, and consequence models from the report.