Most security-awareness platforms report a single headline number to the board: phishing click-rate. Lower is better, and a "good" programme is one where clicks fall from quarter to quarter. This is the consensus measurement framework, and it is wrong.
Click-rate is downward pressure on a single behaviour with diminishing returns. Programmes that optimise for click-rate teach the workforce to be cautious about one specific pattern — the simulated phishing email — without necessarily building the underlying judgement that generalises to threats the simulation library has not yet shown them.
Worse, click-rate is gameable. A programme run for too long with too narrow a simulation library will produce excellent click-rate numbers from a workforce that has memorised the lures rather than developed any meaningful awareness. We have seen this pattern in our diagnostic work consistently: organisations with reportedly excellent click-rate metrics that fall apart at the first novel campaign.
Reporting rate — the proportion of recipients who flagged the simulation through the official channel — is significantly harder to game, harder to teach to a test, and much more predictive of how the organisation handles a real campaign. A team that clicks 8% but reports 60% is meaningfully more resilient than a team that clicks 2% and reports 5%.
Why is reporting harder to game? Two reasons. First, reporting is an active behaviour that requires confidence and habit, and neither can be acquired in a single training module. Second, reporting rate generalises more cleanly across lure families: an employee who reports a familiar simulation will also tend to report a novel one, whereas an employee who avoids clicking a familiar pattern may still click an unfamiliar one.
In our quarterly reports we now lead with reporting rate, with click-rate as a secondary diagnostic. Most clients see the order of importance click into place after a single campaign. The strongest signal in the entire reporting framework is the trend in reporting rate over time, segmented by role.
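As an added example (not code from the original note or any vendor platform), the following Python computes click-rate and reporting-rate per campaign and per role from constructed simulation events, tracks the reporting-rate trend over campaigns, and ranks roles by the criterion argued for above: reporting rate first, click-rate only as a tiebreak. The record format, role names and numbers are assumptions.

```python
from collections import defaultdict


def make_events(campaign, role, n, clicks, reports):
    """Constructed sample data: n recipients in `role`; the first `clicks`
    clicked the lure, the last `reports` flagged it via the official channel."""
    return [(campaign, f"{role}-{i}", role, i < clicks, i >= n - reports)
            for i in range(n)]


# Two quarterly campaigns. Engineering stops clicking but never learns to
# report; finance still clicks occasionally but reporting climbs sharply.
EVENTS = (
    make_events("2024-Q1", "finance", 5, clicks=2, reports=1)
    + make_events("2024-Q1", "engineering", 5, clicks=0, reports=1)
    + make_events("2024-Q2", "finance", 5, clicks=1, reports=3)
    + make_events("2024-Q2", "engineering", 5, clicks=0, reports=1)
)


def campaign_metrics(events):
    """Return {campaign: {role: {"n", "click_rate", "report_rate"}}}."""
    tally = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for campaign, _user, role, clicked, reported in events:
        cell = tally[campaign][role]
        cell[0] += 1
        cell[1] += int(clicked)
        cell[2] += int(reported)
    metrics = {}
    for campaign, roles in tally.items():
        metrics[campaign] = {
            role: {"n": n, "click_rate": c / n, "report_rate": r / n}
            for role, (n, c, r) in roles.items()
        }
    return metrics


def report_rate_trend(metrics, role):
    """Reporting rate per campaign for one role, in campaign order: the
    headline series the note recommends putting in front of executives."""
    return [(c, metrics[c][role]["report_rate"])
            for c in sorted(metrics) if role in metrics[c]]


def resilience_rank(metrics, campaign):
    """Roles ordered most-resilient first: higher reporting rate wins,
    lower click-rate breaks ties. A team at 20% click / 60% report
    outranks one at 0% click / 20% report."""
    rows = metrics[campaign]
    return sorted(rows, key=lambda r: (-rows[r]["report_rate"],
                                       rows[r]["click_rate"]))


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for role in ("finance", "engineering"):
        print(role, report_rate_trend(m, role))
    print("Q2 ranking:", resilience_rank(m, "2024-Q2"))
```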
There is a corollary point that follows from this measurement framework: the reporting workflow itself is the most important single piece of infrastructure in an awareness programme. If reporting a suspicious email is a three-click ordeal that ends in a support ticket that never gets acknowledged, the reporting rate will be structurally suppressed regardless of awareness training quality.
The single most impactful intervention we make at the start of new engagements is often not the simulation campaign — it is auditing the reporting workflow and removing friction. Default to one-click reporting through a familiar interface (an Outlook button, a Slack action), default to fast acknowledgement, and the reporting rate will rise before any new training content lands.
If you take only one thing from this note: stop reporting click-rate as the headline number to your executives, and start reporting reporting-rate. The metric you choose drives the behaviours of the programme that produces it.