BEHAVIOR REPORT

Behavioral Cybersecurity Statistics

Which industries and job roles are most at risk for phishing? To find out, we analyzed 24.7 million phishing simulations across 100+ countries.

Key Takeaways

How you're measuring risk reduction matters

  • Fail rate alone is a misleading metric. Without simulated and real threat reporting metrics, the phishing simulation fail rate is empty.
  • Success rate rules. The frequency with which people report phishing simulations is the best
  • Miss rate matters. The number of phishing simulations that employees miss strongly predicts how likely they are to report or fall for real phishing attacks
  • Measuring true risk of a security awareness program is a combination of Success + Failure + Miss + Real threat reporting rates

Who you are predicts how you’ll behave

Training programs must be able to personalize content to fit each individual's strengths and weaknesses. Cybersecurity performance varies significantly depending on:

  • Geography
  • Job role
  • Industry

Unlock the full report to see average phishing performance by geography, job role, and industry.

Good security training works

When trained correctly over time, employees improve cybersecurity skills and report more real phishing threats. With Hoxhunt phishing training:

  • Organizational phishing simulation fail rates dropped from 14% to 4% globally
  • Success rates, with Success measured as the reporting of a simulated phishing attack, jumped from near-zero to between 52% and 74% of simulations based on industry
  • Real threat reporting rate improved by nearly 70% from training baseline
  • Real threat reporting accuracy continuously improved from near-zero to 60%
  • Engagement rate soared to 88.75% of employees onboarded to the Hoxhunt training