Risk Calculator

Evaluate Your Actual Phishing Risk

What value does a phishing test have if non-participation is counted as success? Focusing only on lowering failure rates provides an inaccurate view of your business’s risk profile. For an honest assessment, evaluate your true risk!

True Risk vs. Measured Risk: The Risky Difference

Assessing the true risk of a phishing attack breach is essential. Understanding the actual likelihood of your employees clicking on something they shouldn’t—or reporting something they should—enables the CISO and the C-suite to make informed business and security decisions. However, the “measured risk” of a phishing attack breach can be misleading. This metric often relies on the pass/fail rates of phishing attack simulations: did employees click on the malicious link or not?

Risk assessed solely by the click rate is an illusion. It can stem from a poorly executed internal campaign or ineffective training content. Sometimes, measured-risk-via-click-rate is a vanity metric designed to make vendors and security teams look good, despite lacking adequate sample size or context. Reporting this type of risk to the board is akin to serving them junk food with empty calories; the initial satisfaction of saying, “Everything’s great!” will quickly fade when something goes wrong, and your team is held accountable for an inadequate risk assessment.

What is the measured risk of a phishing attack breach?

Employee phishing simulation pass/fail rates calculated in isolation. If only 100 employees out of a 1,000-strong workforce are participating in training, the sample size makes their results—positive or negative—inadequate. Moreover, a phishing tool can be designed to show improvement artificially. What does that mean?

It means the content could start hard and get easier, or remain unchanged so test takers can anticipate it and game the system. Additionally, training is often delivered as punishment: extra cybersecurity training assigned to whoever fails, which discourages active participation. When the primary metric of an awareness tool is the pass/fail rate regardless of circumstances, the tool’s concept is fundamentally flawed.
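To make the difference between the two numbers concrete, here is an added example (not simUphish code, and not from the original page) that scores a phishing simulation two ways: the "measured" click rate over everyone who received the lure, where anyone who never opened it is silently counted as a pass, and the click and report rates over the employees who actually engaged. A Wilson score interval on the engaged rate shows how little 100 participants out of 1,000 can tell you. The campaign data is constructed to match the figures in the text; the field names, function names and the choice of the Wilson interval are this example's own assumptions.

```python
"""Phishing-simulation metrics: measured (click-rate) risk vs. risk among
those actually tested, with a confidence interval that exposes small samples.
Added example; not simUphish code. The campaign data below is constructed."""
from math import sqrt
from typing import Optional


def build_constructed_campaign(workforce=1000, opened=100, clicked=10, reported=20):
    """Constructed records: one dict per employee who received the simulation.
    The first `opened` employees engaged; of those, the first `clicked` clicked
    the link and the next `reported` reported the message. Everyone else ignored it."""
    records = []
    for i in range(workforce):
        did_open = i < opened
        records.append({
            "opened": did_open,
            "clicked": did_open and i < clicked,
            "reported": did_open and clicked <= i < clicked + reported,
        })
    return records


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion (95% at z=1.96).
    Returns (low, high); (0.0, 0.0) when nobody was measured at all."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def summarize(records):
    """Compute measured vs. engaged-population metrics for one campaign."""
    delivered = len(records)
    opened = sum(r["opened"] for r in records)
    clicked = sum(r["clicked"] for r in records)
    reported = sum(r["reported"] for r in records)
    # "Measured risk": clicks over everyone targeted. Non-participants are
    # silently counted as passes, which is what deflates this number.
    measured_click_rate = clicked / delivered if delivered else 0.0
    # Rates over the people who actually engaged with the lure. Left as None
    # when nobody opened it: a 0% failure rate with no participants is not a result.
    engaged_click_rate: Optional[float] = clicked / opened if opened else None
    report_rate: Optional[float] = reported / opened if opened else None
    low, high = wilson_interval(clicked, opened)
    return {
        "delivered": delivered,
        "participation": opened / delivered if delivered else 0.0,
        "measured_click_rate": measured_click_rate,
        "engaged_click_rate": engaged_click_rate,
        "report_rate": report_rate,
        "engaged_click_rate_ci95": (low, high),
        "ci95_width": high - low,
    }


if __name__ == "__main__":
    s = summarize(build_constructed_campaign())
    lo, hi = s["engaged_click_rate_ci95"]
    print(f"participation        {s['participation']:.0%}")
    print(f"measured click rate  {s['measured_click_rate']:.1%}  (non-participants counted as passes)")
    print(f"engaged click rate   {s['engaged_click_rate']:.1%}  95% CI {lo:.1%} to {hi:.1%}")
    print(f"report rate          {s['report_rate']:.1%}")
```

With the constructed numbers the measured click rate is 1%, while the rate among the 100 people who actually opened the message is 10%, with a 95% interval running from roughly 5.5% to 17.4%: the board-friendly 1% says nothing about the 900 employees the test never reached, and the honest 10% is itself too uncertain to call a trend. Report the participation figure and the interval alongside any click rate.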

Replace ineffective metrics and methods with simUphish to gain an accurate understanding of your true phishing risk.