Working with hundreds of organizations around the world, one of the most common phishing questions I'm often asked is "What should our click rate be for our phishing assessments"? Or, "We got a 17% click rate on our phishing simulation, is that a good or bad number?" Well, it all depends.
First, it really depends on your organization and your tolerance for risk. What a government or defense organization considers a 'good' click rate can be very different than other industries such as educational. A real rough starting point for me is anything under 5% is good, but your mileage will vary.
Second, the key number is not your click rate in a single point in time but how is the percentage of clicks dropping over time. You need to repeat your simulations regularly, and should see that number drop. Typically I see organizations get a click rate of 25-30% the first time they do a phishing simulation, with that number dropping to less than 5% over 9-18 months. Keep in mind this number can vary greatly depending on how targeted your phishing template is. These numbers are based on what I consider Tier 01 phishing emails, generic / opportunistic phishing emails. Obviously those numbers increase as does the targeting of the phishing simulations.
However what I really want to hit home is that achieving a 0% click rate is not only unrealistic, but a potentially harmful goal. No matter how much we train people, someone will click. It is not that people are bad, it's just that mistakes happen. This does not mean security awareness is a failure, it just means it's like every other control including anti-virus, encryption or firewall. Awareness is a control that reduces risk, you cannot eliminate it. In addition, unlike many technical controls, trained people, when they fall victim, can quickly realize that something bad happened and report it. However, even more important is you WANT people to click at least once on your phishing simulations. Simulations are not only a strong metric but a powerful learning opportunity. When people click and get that pop-up message they fell for a simulation, it is a very emotional event, one they are likely never to forget. As a result, they are far more likely to never fall victim again. Far better for your workforce to learn during your simulation then a real attack.
In fact, I find that organizations with a highly mature phishing program can get their click rate to around 1-2%. That 2% of the population clicking are not bad people or risky people, the vast majority are new hires. Falling for the phishing simulation is part of their new hire process, it is a right of passage. You NEVER want to punish these first-time clickers as it was training. Ultimately, when it comes to click rates be more concerned about your REPEAT clickers. If you ever do achieve 0% click rate, do not feel you have achieved victory. At best, you organization is well defended against the most simple of common phishing attacks. At worst, you are lulling yourself into a sense of complacency and many of your newly hired workforce are missing out on a great learning opportunity. Like anything else risk related, ultimately how do the numbers support your organization's mission?