What are metrics for awareness success?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Click rates alone won't tell you whether your phishing awareness program is actually working. They're a start, but measuring only who clicked a fake phishing email is a bit like judging a fire drill by whether anyone tripped on the way out. You need a fuller picture.
Here are the metrics that actually matter, and how to talk about them with people who don't live in security tools all day.
Click rate on simulated phishing
This is the percentage of employees who click a link in a simulated phishing email. You want this number to go down over time. A common target is below 5%, though what counts as "good" depends on your industry, your starting baseline, and how realistic your simulations are. The trend matters more than any single number. If you started at 28% and you're now at 9%, that's a meaningful story even if you haven't hit a target yet.
When explaining this to non-security leaders, try framing it this way: "Last year, nearly one in four employees would have handed attackers the keys. Now it's fewer than one in ten. Here's what we did to get there."
Reporting rate
And this is arguably more important than click rate. Reporting rate measures how often employees actually flag suspicious emails (both real and simulated) using something like a report phishing button. A high reporting rate means your team isn't just avoiding bad emails, they're actively helping protect the organization. That's a security culture, not just compliance training.
For executives, this translates cleanly: "We want employees to be part of the detection system, not just avoid being the weak link."
Time to report
How quickly does someone flag a suspicious email after it arrives? Faster detection means a shorter window for an attacker to do damage if a real phishing email does get through. A maturing program shows shrinking detection times. You can benchmark this against industry averages if your simulation vendor provides them.
Repeat clickers
Are the same employees clicking every time? That's a training effectiveness problem, not just a numbers problem. Tracking repeat behavior helps you identify who needs additional coaching rather than just running the same training for everyone and hoping for the best.
How to frame all of this for leadership
Non-security leaders usually respond better to risk language than to technical metrics. Instead of "our click rate dropped 18 percentage points," try "we cut the number of employees likely to hand over credentials by nearly a third this year." Tie it to a real incident if you can ("an attack like the one that hit [industry peer] last year would have found far fewer entry points in our org today"). That kind of framing makes the numbers land.
If you're building out a reporting dashboard or need help thinking through what to track, our SOS hotline is free and we're happy to think through it with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.