Security Awareness: The Click Rate Measures the Wrong Thing
Most security-awareness programmes chase a number that barely budges. According to Verizon, the median click rate in phishing simulations hovers around 1.5 percent and drops little even after endless training. If you measure your programme against that metric, you are optimising a value that is already at rock bottom, and missing the lever that truly matters: how quickly and how often employees report an attack.
Key takeaways
- The click rate has a floor. At roughly 1.5 percent it stagnates because distraction and well-crafted lures leave a residual human risk. More training barely nudges it lower.
- Reporting is the real lever. Employees with recent training report phishing four times as often. A high reporting rate shortens containment time; a low click rate does not.
- Technology beats discipline. Phishing-resistant methods such as passkeys remove the critical decision from users. Where credentials can’t be intercepted in the first place, the classic phishing click goes nowhere.
What is security-awareness training? Security-awareness training is the systematic education of employees so they can spot attacks like phishing, respond correctly, and report them. It combines learning content, simulated attacks for measurement, and recurring refreshers. The goal is a workforce that acts as an early-warning sensor for threats.
The click rate hits a hard floor
The logic behind most programmes is straightforward: train, simulate, measure the click rate, and expect it to fall. For a while it works. Then you reach the point where every additional training round only nudges the figure by a few decimal places. Verizon’s median across many organisations sits at about 1.5 percent. That marks a behavioural floor that training alone cannot breach.
This floor has practical causes. People work under time pressure, juggling multiple tasks with half their attention. A well-crafted lure on a Thursday afternoon will still hook even trained staff. Driving the click rate to zero collides with human bandwidth. Money poured into the last few tenths of a percent yields little measurable risk reduction.
Reporting reveals more about a program than clicking
The real value lies on the other side. The same Verizon data shows that employees trained within the past 30 days report simulated phishing nearly four times more often than untrained staff: 21 percent versus 5 percent. This reporting rate is operationally valuable because it directly affects response time. An attack reported at 9:05 AM can be contained before 9:40 AM, when colleagues first receive the same lure.
For the security team, this flips the control logic. Instead of penalising staff for a click, it pays to make reporting as effortless as possible: a button in the mail client, confirmation that the report was received, no reprimand for false alarms. A workforce that reports becomes a distributed sensor network. Where only click statistics count, people stay silent by default, and the early-warning indicator is lost.
Eight percent carry the bulk of the risk
The same survey delivers a second uncomfortable finding: roughly 8 percent of employees account for a disproportionately large share of repeated incidents. That reframes the economics of training. Mandating the same annual course for every staff member spends most of the budget on those already cautious and too little on the small group driving the incidents.
In practice, this means using simulation data for segmentation, not just headline rates. Repeatedly flagged accounts receive shorter intervals, targeted drills, and stricter technical guardrails where needed. That is sober risk management. Sixty percent of all breaches, Verizon reports, involve a human factor; phishing is tied to about 16 percent of intrusions. These numbers are tackled more precisely with a risk cohort than with blanket awareness training.
Technology removes the user’s decision
The most effective answer to phishing shifts the problem away from human judgement. Phishing-resistant authentication under the FIDO2 standard, commonly known in practice as passkeys, binds the login cryptographically to the genuine domain. A spoofed login dialog simply cannot harvest usable data because there is no password to type and pass on.
This does not solve every case. Attackers pivot to token theft and OAuth consent fraud once passwords are off the table. Yet every login converted to Passkeys nullifies classic credential theft. Users can still click the same lure as before, but the action can no longer yield valid access. Awareness and technology are two levers on the same problem, with the technical lever acting faster.
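The domain binding described above is enforced on the server side: a WebAuthn relying party checks that the browser-supplied origin and the authenticator's RP-ID hash belong to the genuine site before it accepts an assertion. The block below is an added example, not code from the article or from any FIDO library; it models only those origin, RP-ID, challenge and user-presence checks with the standard library (signature verification over the same data is the step the real protocol adds on top). The RP ID `login.example.com`, the look-alike `login-example.com` and the `simulate_browser_assertion` helper are constructed for illustration; the helper mirrors the browser rule that a page can only obtain assertions scoped to its own domain.

```python
"""Relying-party checks behind the passkey origin binding (added example, simplified)."""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed genuine origin(s)
CEREMONY = "webauthn.get"


def issue_challenge():
    """Fresh random challenge (base64url, unpadded) the server remembers per login attempt."""
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def simulate_browser_assertion(origin, challenge):
    """Constructed stand-in for what a browser returns from navigator.credentials.get().

    clientDataJSON carries the origin the user actually visited; authenticatorData
    begins with SHA-256 of the RP ID. The browser only allows an RP ID that is a
    registrable suffix of the page's own origin, so a page on a look-alike domain can
    at most obtain an assertion scoped to that look-alike domain, never to RP_ID.
    """
    host = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": CEREMONY, "challenge": challenge, "origin": origin}
    ).encode()
    flags = b"\x05"  # bit 0: user present, bit 2: user verified
    sign_count = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(host.encode()).digest() + flags + sign_count
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion, expected_challenge):
    """Return (accepted, reason). Order follows the WebAuthn assertion verification steps."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != CEREMONY:
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # This is the check a phishing page trips: the browser reports the real origin.
        return False, f"origin {origin!r} is not the genuine site"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "credential is scoped to a different RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = issue_challenge()
    genuine = simulate_browser_assertion("https://login.example.com", challenge)
    phished = simulate_browser_assertion("https://login-example.com", challenge)
    print("genuine:", verify_assertion(genuine, challenge))
    print("phished:", verify_assertion(phished, challenge))
```

The point for the awareness discussion: the user on the look-alike page may well have clicked and authenticated in good faith, but what the attacker receives is tied to the wrong domain and is rejected, which is why the lure click no longer yields access. What a real relying party adds is a signature check over `authenticatorData` plus the hash of `clientDataJSON`, which prevents the fields above from being edited after the fact.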
The DACH factor: simulation meets co-determination
In Germany, every phishing simulation must pass the works council. Simulated attacks produce personal performance data whose evaluation is subject to co-determination. Collecting and analysing click rates for individual employees without an agreement risks trust, and ultimately a formal block on the programme.
The clean solution is a works agreement that sets purpose, aggregation level, and consequences: evaluation in groups rather than by name, no employment consequences from a single click, clear deletion deadlines. That is precisely what makes a programme sustainable. A programme that treats the workforce as the adversary loses exactly the reporting willingness that delivers the real value.
What Security Teams Should Adjust in the Next 90 Days
Three steps can transform impact without increasing the budget. First, switch the leading KPI: prioritize reporting rate and time to first report, demote click rate to a secondary metric. Second, segment simulation data and target the conspicuous minority directly instead of treating everyone equally. Third, prioritize migrating critical logins to passkeys, starting with administrators and external access. At the same time, a works agreement must be in place before any personal data evaluation begins. The click rate won’t disappear, but it will finally land in the right spot: a footnote in the reporting.
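The first two of those steps, switching the leading KPI to reporting rate and time to first report and segmenting the simulation data to find the repeat-click minority, come down to a handful of queries over the simulation log. The block below is an added example, not code from the article or from any simulation vendor; it computes the metrics discussed in the "Reporting reveals more" and "Eight percent" sections from constructed sample data. The field names (`user`, `delivered`, `clicked`, `reported`), the two-round `HISTORY` and the threshold of two rounds for the repeat-clicker cohort are assumptions. Note that it keeps the cohort as a list of account IDs; under the works-agreement model above that list would be aggregated or pseudonymised before anyone outside the security team sees it.

```python
"""Phishing-simulation KPIs: reporting rate, time to first report, repeat-click cohort (added example)."""
from collections import Counter
from datetime import datetime


def _ts(value):
    """ISO-8601 string to datetime; None stays None (action did not happen)."""
    return datetime.fromisoformat(value) if value else None


def _round(day, clicked, reported):
    """Build one simulation round for users u1..u8 (constructed sample rows)."""
    rows = []
    for i in range(1, 9):
        user = f"u{i}"
        rows.append({
            "user": user,
            "delivered": f"{day}T09:00:00",
            "clicked": f"{day}T{clicked[user]}" if user in clicked else None,
            "reported": f"{day}T{reported[user]}" if user in reported else None,
        })
    return rows


# Constructed history: two rounds, one row per delivered lure. u5 clicked and then
# reported in the second round, which counts towards both rates.
HISTORY = {
    "2026-03": _round("2026-03-05",
                      clicked={"u3": "09:15:00", "u7": "10:02:00"},
                      reported={"u1": "09:20:00"}),
    "2026-06": _round("2026-06-04",
                      clicked={"u3": "09:12:00", "u5": "09:30:00"},
                      reported={"u1": "09:05:00", "u2": "09:08:00",
                                "u5": "09:33:00", "u7": "09:40:00"}),
}


def click_rate(events):
    """Share of delivered lures that were clicked (the secondary metric)."""
    return sum(1 for e in events if e["clicked"]) / len(events)


def reporting_rate(events):
    """Share of delivered lures that were reported (the leading metric)."""
    return sum(1 for e in events if e["reported"]) / len(events)


def time_to_first_report(events):
    """Delay between the first delivery and the first report; None if nobody reported."""
    first_delivery = min(_ts(e["delivered"]) for e in events)
    reports = [_ts(e["reported"]) for e in events if e["reported"]]
    if not reports:
        return None
    return min(reports) - first_delivery


def repeat_clickers(history, min_rounds=2):
    """Users who clicked in at least min_rounds distinct rounds (assumed cohort rule)."""
    rounds_clicked = Counter()
    for events in history.values():
        for user in {e["user"] for e in events if e["clicked"]}:
            rounds_clicked[user] += 1
    return sorted(u for u, n in rounds_clicked.items() if n >= min_rounds)


def cohort_click_share(history, cohort):
    """Fraction of all clicks across the history attributable to the cohort."""
    members = set(cohort)
    clicks = [e for events in history.values() for e in events if e["clicked"]]
    if not clicks:
        return 0.0
    return sum(1 for e in clicks if e["user"] in members) / len(clicks)


def kpi_summary(history, latest_round):
    """Dashboard ordering the article argues for: reporting first, click rate last."""
    events = history[latest_round]
    cohort = repeat_clickers(history)
    ttfr = time_to_first_report(events)
    return {
        "reporting_rate": reporting_rate(events),
        "time_to_first_report_min": ttfr.total_seconds() / 60 if ttfr else None,
        "repeat_clickers": cohort,
        "repeat_clicker_click_share": cohort_click_share(history, cohort),
        "click_rate": click_rate(events),
    }


if __name__ == "__main__":
    for key, value in kpi_summary(HISTORY, "2026-06").items():
        print(f"{key}: {value}")
```

On the sample data the latest round reports at 50 percent with a first report five minutes after delivery, while the click rate sits at 25 percent; across both rounds a single user accounts for half of all clicks, which is the segmentation signal the article wants acted on with shorter intervals rather than another all-hands course.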
Frequently Asked Questions
Why does the phishing click rate barely drop below a certain level despite training?
Because a residual share remains due to distraction, time pressure, and highly convincing lures. Verizon reports a median of about 1.5 percent across many organizations. This floor is a human behavior constant, not a training failure. Budget chasing the last few tenths of a percent yields little additional risk reduction.
Which KPI is better than the click rate?
The reporting rate and the time to first report. Employees with recent training report simulated phishing roughly four times more often. A high reporting rate shortens the security team’s response time directly, because an attack becomes visible early before it spreads across the organization.
Should every employee receive the same training?
That rarely makes sense. According to Verizon analyses, around 8 percent of employees account for a disproportionately large share of repeated incidents. A blanket annual training spreads the budget evenly across a highly uneven risk landscape. Segmentation is more effective: shorter intervals and targeted drills for the conspicuous minority.
Does phishing-resistant technology make awareness obsolete?
No. FIDO2 passkeys invalidate stolen credentials because login is cryptographically bound to the genuine domain. Attackers pivot to token theft and consent fraud instead. Technology and training are two levers on the same problem; the technical lever acts faster, the human lever catches the residual cases.
What legal considerations apply to phishing simulations?
In Germany, simulated attacks require co-determination because they generate personal performance data. Before any personal evaluation takes place, a works agreement must be in place that defines the purpose, level of aggregation, consequences, and deletion periods. Evaluating data in groups rather than by individual names is the safer approach.
Cover image: AI-generated (June 2026)
Image source: AI-generated (June 2026), C2PA certificate embedded in image