According to the 2019 Verizon Data Breach Investigations Report (DBIR), the click rate in phishing simulations is around 3%. Importantly, the DBIR analyzes data across the entire cybersecurity landscape and produces aggregated metrics. Aggregated analysis can provide unique insight into the overall trends of an industry. However, metrics at such a large scale may not tell the whole story. This phishing simulation metric should not be read as a prescriptive analysis of an individual organization’s security readiness. If anything, this metric should act as a benchmark against which you can grade the health of your unique organization. Each organization has a unique phishing click rate, and training programs should be tailored accordingly.
Looking at the world of baseball can help paint a clearer picture. Imagine that you are the manager of a baseball team tasked with determining the current skillset of your team as well as developing a practice plan. Would you look at the overall batting average of the entire league to determine your current skill set and your practice plan? Of course not. It is likely that you would begin by examining historical data on your specific team and using the league average as a benchmark to determine relative success. The key concept here is the historical data available to determine posture and practice plans. It is helpful to view phishing as your organization’s batting average. You must produce data in order to have a measure of your organization’s “phishing skill”. Conducting regular phishing simulations provides an accurate picture of your organization’s click rate, and you can adjust your training plans accordingly.
Interestingly, the DBIR also concludes that phishing is the top threat action that results in data breaches. If you don’t know your organization’s click rate, then you don’t know your exposure. Like any good baseball manager, figure out the click rate, train accordingly, and utilize the DBIR data as a benchmark.
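To make the "own data first, DBIR as benchmark" idea concrete, here is an added example (not code from the author or from Zyston) that tracks an organization's click rate across its own simulation campaigns and compares each campaign against the 3% DBIR figure. Because a single organization's campaigns are far smaller than the DBIR sample, it uses a Wilson score interval so that a small campaign is reported as "inconclusive" rather than confidently above or below the benchmark; the campaign names, sizes and click counts are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

DBIR_2019_CLICK_RATE = 0.03  # aggregate benchmark quoted in the post


@dataclass
class Campaign:
    name: str
    sent: int      # simulated phishing messages delivered
    clicked: int   # recipients who clicked the lure

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent


def wilson_interval(clicked: int, sent: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a click rate; stays sane for small campaigns."""
    if sent <= 0:
        raise ValueError("campaign delivered no messages")
    p = clicked / sent
    denom = 1 + z * z / sent
    centre = (p + z * z / (2 * sent)) / denom
    half = z * math.sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def compare_to_benchmark(c: Campaign, benchmark: float = DBIR_2019_CLICK_RATE) -> str:
    """'above' / 'below' only when the whole interval clears the benchmark."""
    lo, hi = wilson_interval(c.clicked, c.sent)
    if lo > benchmark:
        return "above"
    if hi < benchmark:
        return "below"
    return "inconclusive"


def trend(campaigns: List[Campaign]) -> float:
    """Change in click rate from first to latest campaign (negative = improving)."""
    return campaigns[-1].click_rate - campaigns[0].click_rate


# Constructed sample history for a hypothetical 400-person organization.
HISTORY = [
    Campaign("2019-Q1 invoice lure", sent=400, clicked=36),
    Campaign("2019-Q2 password reset", sent=400, clicked=24),
    Campaign("2019-Q3 shared document", sent=400, clicked=14),
]

if __name__ == "__main__":
    for c in HISTORY:
        lo, hi = wilson_interval(c.clicked, c.sent)
        print(f"{c.name}: {c.click_rate:.1%} (95% CI {lo:.1%}-{hi:.1%}) "
              f"-> {compare_to_benchmark(c)} benchmark")
    print(f"trend since first campaign: {trend(HISTORY):+.1%}")
```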
About the Author: Bradley Mumme is a Security Consultant with Zyston, with a specialty in performing security risk assessments and awareness and training exercises.