
Phishing Simulation Programmes That Actually Reduce Phishing Risk

Standarity Editorial Team · Security Awareness Practitioners

Phishing simulation programmes have become near-universal in organisations of meaningful size. Most organisations send simulated phishing emails periodically, measure click rates, deliver remedial training to users who click, and report metrics to leadership. The programme is broadly deployed and unevenly designed. Programmes that genuinely reduce phishing risk operationally look meaningfully different from programmes that produce click-rate metrics, and the difference is design and operating discipline rather than tooling.

Why Click Rate Alone Is Insufficient

Click rate measures one behaviour — did the user click the simulated phishing link. The behaviour that matters operationally is broader: do users recognise phishing when they encounter it, do they report it through the reporting channel, do they avoid actions that would have given the attacker what they wanted (entering credentials, downloading attachments, executing actions). Click rate is one signal among several, and programmes that optimise for click rate alone often produce gaming (users learning to recognise the simulator's patterns) rather than genuine phishing resilience.

Reporting Rate as the More Useful Metric

When a user receives a suspected phishing email, the operationally valuable behaviour is reporting it through the security reporting channel. Reporting rate measures how often users do this. Strong programmes track reporting rate alongside click rate, treat increases in reporting as positive outcomes even when click rate also fluctuates, and provide visible acknowledgment to users who report. Programmes that only track click rate inadvertently signal that not-clicking is what matters, missing the reporting behaviour that gives security teams early warning of active campaigns.

Calibrating Difficulty

A simulation that everyone clicks teaches nothing; a simulation no one clicks also teaches nothing. The useful difficulty range is calibrated to the user population — challenging enough that some users fall for it, easy enough that the failure mode is recognisable in subsequent training. Strong programmes vary difficulty deliberately across cycles, increase difficulty as the population matures, and use highly targeted simulations sparingly (against high-value roles, with sophisticated spear-phishing techniques) alongside the broader programme.

A pattern in mature phishing programmes: the same users keep clicking despite repeated training. The pattern usually does not indicate user failure; it indicates that the training is not addressing what those users actually need. Some users need different training formats, some need workflow adjustments that reduce phishing exposure, some are in roles whose job pressure makes them disproportionately susceptible. Treating repeated clickers as individual failures misses the systemic factors that produce the pattern.

Remedial Training That Actually Teaches

The training delivered to users who click should teach something specific — what about this email should have triggered suspicion, what specific clues were present, what actions would have been correct. Generic training delivered to all clickers regardless of the simulation does not teach the specific recognition the user needed. Strong programmes match remedial training to the simulation type and focus on the specific cues the user missed. Repeated generic training produces compliance theatre; specific feedback produces recognition skill.

Technical Controls That Reduce the Human Burden

Phishing programmes that rely entirely on user behaviour are working harder than necessary. Technical controls — email authentication (DMARC, DKIM, SPF) properly enforced, attachment sandboxing, URL rewriting and inspection, suspicious-link warnings — reduce the proportion of phishing that reaches users in clickable form. The strongest programmes combine technical controls with human training; programmes that emphasise only one or the other leave gaps the combined approach would close.

Components of a Programme That Reduces Risk

  • Click rate, reporting rate, and false positive rate tracked together over time
  • Difficulty calibrated to the population, varied deliberately across cycles
  • Remedial training matched to the specific simulation type and missed cues
  • Recognition for users who report — the behaviour you want reinforced
  • Targeted simulations against high-value roles using sophisticated techniques
  • Technical controls reducing the volume of real phishing that reaches users
  • Treatment of repeated clickers as a systemic indicator, not just an individual failure
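To make the measurement side of the list concrete, here is an added example (not from the original article) that computes click rate, reporting rate and reporting false-positive rate per simulation cycle, and flags users who clicked across several cycles as the systemic indicator discussed above. The event log, user names, cycle names and event-type names are all constructed for illustration; false-positive rate is assumed to mean the share of all reports that concerned legitimate mail.

```python
from collections import defaultdict

# Constructed sample event log (not real data): one (cycle, user, event) per row.
# Event types (assumed names): "sent" = simulation delivered, "clicked" = user
# followed the simulated link, "reported" = user reported the simulation through
# the reporting channel, "fp_report" = user reported a legitimate email as phishing.
EVENTS = [
    ("c1", "alice", "sent"), ("c1", "alice", "clicked"),
    ("c1", "bob", "sent"), ("c1", "bob", "reported"),
    ("c1", "carol", "sent"), ("c1", "carol", "reported"), ("c1", "carol", "fp_report"),
    ("c1", "dave", "sent"),
    ("c2", "alice", "sent"), ("c2", "alice", "clicked"),
    ("c2", "bob", "sent"), ("c2", "bob", "reported"),
    ("c2", "carol", "sent"), ("c2", "carol", "reported"),
    ("c2", "dave", "sent"), ("c2", "dave", "reported"), ("c2", "dave", "fp_report"),
]


def cycle_metrics(events):
    """Per cycle: click and reporting rate over distinct users sent the simulation,
    plus false-positive rate as the share of all reports that were benign mail."""
    per_cycle = defaultdict(lambda: defaultdict(set))
    for cycle, user, kind in events:
        per_cycle[cycle][kind].add(user)   # distinct users per event type
    out = {}
    for cycle, kinds in per_cycle.items():
        sent = len(kinds["sent"])
        sim_reports = len(kinds["reported"])
        fp_reports = len(kinds["fp_report"])
        total_reports = sim_reports + fp_reports
        out[cycle] = {
            "click_rate": len(kinds["clicked"]) / sent if sent else 0.0,
            "report_rate": sim_reports / sent if sent else 0.0,
            "false_positive_rate": fp_reports / total_reports if total_reports else 0.0,
        }
    return out


def repeat_clickers(events, min_cycles=2):
    """Users who clicked in at least min_cycles distinct cycles. This is the
    trigger to review training format or workflow, not an individual failure score."""
    cycles_clicked = defaultdict(set)
    for cycle, user, kind in events:
        if kind == "clicked":
            cycles_clicked[user].add(cycle)
    return sorted(u for u, c in cycles_clicked.items() if len(c) >= min_cycles)


if __name__ == "__main__":
    for cycle, m in sorted(cycle_metrics(EVENTS).items()):
        print(cycle, {k: round(v, 3) for k, v in m.items()})
    print("repeat clickers:", repeat_clickers(EVENTS))
```

On the constructed log, reporting rate rises from 0.50 to 0.75 between cycles while click rate stays flat, which is exactly the improvement a click-rate-only dashboard would miss.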

Why the Design Matters

A phishing simulation programme that runs without thoughtful design satisfies the compliance expectation and rarely reduces phishing risk meaningfully. A programme designed for genuine risk reduction produces measurable improvement in reporting rates, sustained reduction in click rates over time, and faster detection of real phishing campaigns through the user reporting channel. The investment is in the design and operating discipline; the same simulation tooling produces dramatically different outcomes depending on how the programme around it is run.
