What should be your top priority for your campaign?
Engagement.
You can try to base your results on the number of successes and failures, but those numbers don’t necessarily tell you whether the campaign is serving its purpose.
If you run a phishing test simulation and nobody clicks on the link, does that mean that your test was successful?
The short answer is “no”.
A 100% success rate doesn’t necessarily mean the test was a success.
It can mean that your phishing test was simply too easy to spot.
On the other hand, if you get a tremendous failure rate with your phishing test, it could mean something completely different.
It could mean that your employees aren’t able to spot phishing attacks yet.
When you get a high rate of clicks for your campaign, there is a good chance that you need to lower the difficulty of your phishing emails.
Take more time to train people at their current level.
You ultimately want to decrease the rate of phishing link clicks.
You may be wondering what a good or bad click rate is with a phishing simulation.
According to sans.org, your first phishing simulation may yield an average click rate of 25-30%.
That seems like a really high number.
Luckily, they reported that after 9-18 months of phishing training, the click rate for a phishing test was below 5%.
These numbers can serve as a rough estimate of the results to aim for with phishing training.