TL;DR: A phishing simulation provides more than a click rate. The five metrics that matter are click rate, report rate, open rate, data entry and time to click. The average click rate without training is 33.1%. After 12 months of targeted awareness training, that drops to 4.1%, an 86% reduction. The reporting rate is equally important: the more employees actively report suspicious emails, the faster your organization will respond to real attacks.
Your IT team just received the results of a phishing simulation. The report is full of percentages, graphs and tables. But what do those numbers really tell you about your organization’s resilience? When is a 12% click rate a success and when an alarm signal? This article will help you understand the five key metrics, compare your results to international benchmarks, and turn the numbers into concrete improvement actions.
The five metrics that matter in your phishing simulation report
A phishing simulation report reduces your organization’s resilience to measurable numbers. But not every number weighs equally. Together, these five metrics form the complete picture of your human defenses.
The click rate (Phish-Prone Percentage) is the best-known metric: the percentage of employees who click on the link in the simulation email. It gives a direct indication of how susceptible your organization is to social manipulation. KnowBe4 calls this the Phish-Prone Percentage (PPP) and uses it as the primary measure of human risk.
In practice, the reporting rate is at least as valuable as the click rate. This metric measures how many employees recognize the suspicious e-mail and actively report it via a report button or by notifying the IT department. A high report rate means that your employees are not just passively “not clicking,” but actively contributing to the defense. One quick report can prevent dozens of colleagues from falling into the same trap. Therefore, in modern security awareness programs, the reporting rate outweighs the click rate alone.
The open rate shows how many employees actually opened the simulation email. A high open rate combined with a low click rate is actually good news: your employees are alert enough to open the mail, but critical enough to recognize the suspicious elements. A low open rate may indicate that your spam filters are already intercepting the simulation, distorting the measurement.
Data entry goes one step beyond clicks. This metric records how many employees actually enter login credentials or other sensitive information on the simulation page after clicking. This is the stage where a simulation turns into a simulated data breach. Credential phishing remains the primary method of account takeover in 2025. A high data entry rate indicates a lack of alertness at the moment someone lands on an external website.
Time to click quantifies how quickly employees respond. The faster the click after receipt, the more impulsive the behavior and the less room there was for critical thinking. AI-driven phishing deliberately uses urgency and time pressure to shorten that reflex time.
Benchmarks: how does your company score compared to the market?
Your click rate by itself says little without context. The question is: How does your score compare to similar organizations? The KnowBe4 Phishing Industry Benchmarking Report 2025, based on 14.5 million users at 62,400 organizations worldwide, provides the most up-to-date benchmark figures.
Improvement over time is the most important benchmark. An organization that starts with a 28% click rate and sits at 9% after six months is performing extremely well. An organization that has been simulating for two years and is still at 15% has a problem, even if that rate falls below the industry average.
| Phase of the program | Average click rate | Reduction |
|---|---|---|
| Baseline (before training) | 33.1% | 0% |
| After 90 days of training | 19.9% | around 40% |
| After 12 months of training | 4.1% | 86% |
Source: KnowBe4 Phishing Industry Benchmarking Report 2025
Sector differences are significant. Healthcare and pharmaceutical companies show the highest initial vulnerability with a baseline of 41.9%, followed by insurance (39.2%) and retail and wholesale (36.5%). Technology companies score lowest at 28.5%, which is explained by the higher maturity of their existing security programs.
For Flemish SMEs in manufacturing, services or construction, the starting values are usually around 30 to 35%. That means that without training, about one in three employees will click on a phishing email.
Company size also plays a role. Small organizations (1 to 249 employees) show a baseline of 24.6%, while large organizations with more than 10,000 employees reach 40.5%. The explanation: in larger companies, it is more difficult to reach every employee personally, and the diversity of roles increases the attack surface.
From numbers to action: how do you improve phishing simulation results?
The interpretation of your simulation results should lead to a concrete improvement plan. The data tells you where the weak spots are; it’s up to you to act on them in a targeted way.
Start with a baseline measurement. Without a reliable baseline, you cannot measure progress or demonstrate ROI to management. By definition, the first simulation is a measurement moment, not an exam. Communicate the same to your employees.
Analyze by department. The company-wide click rate often hides significant internal differences. Finance departments and HR tend to score higher because their daily work involves a lot of external e-mail communication and attachments. Receptionists are especially sensitive to urgent requests due to their “service reflex.” Identify the departments with the highest risk and offer them targeted awareness training.
Link each simulation to direct learning content. An employee who clicks should immediately see a “teachable moment” page with the signals he or she missed. Measurement without training is meaningless. Organizations that combine every simulation with immediate teachable moments achieve the fastest improvement.
Increase the difficulty gradually. If your click rate stops dropping, the simulation may have become too recognizable. Increase complexity by using company-specific scenarios, adding vishing or integrating deepfake elements.
Reward reporting, don’t punish clicks. A punitive culture is the biggest risk to your program. Employees who fear sanctions after a click will also stop reporting truly suspicious emails out of fear. Positive reinforcement, such as publicly acknowledging reporters or using gamification, encourages exactly the behavior you want to see: active vigilance.
Keep the frequency fixed at monthly. Monthly simulations are considered the optimal balance between alertness and simulation fatigue. Too few simulations let alertness wane; too many simulations lead to frustration. The data is clear: organizations that simulate continuously and monthly achieve the full 86% reduction over 12 months.
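As an added example (not code from the original article or from any simulation vendor), the following Python computes the five metrics from the first section for one campaign, the per-department breakdown recommended in this plan, and the reduction figure used in the benchmark table. The per-recipient record layout and the sample data are constructed here for illustration; real platforms export their own schemas.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

@dataclass
class Recipient:
    """One simulation recipient (constructed schema). Times are seconds after
    the mail was sent; None means the event never happened."""
    department: str
    opened_at: Optional[float]
    clicked_at: Optional[float]
    submitted: bool  # entered credentials on the landing page (data entry)
    reported_at: Optional[float]

def compute_metrics(recipients, department=None):
    """Five report metrics (rates in %, time to click as the median in
    seconds), optionally restricted to one department."""
    pool = [r for r in recipients if department is None or r.department == department]
    sent = len(pool)
    if sent == 0:
        raise ValueError("no recipients in this pool")
    pct = lambda n: round(100 * n / sent, 1)
    click_times = [r.clicked_at for r in pool if r.clicked_at is not None]
    return {
        "sent": sent,
        "open_rate": pct(sum(r.opened_at is not None for r in pool)),
        "click_rate": pct(len(click_times)),
        "data_entry_rate": pct(sum(r.submitted for r in pool)),
        "report_rate": pct(sum(r.reported_at is not None for r in pool)),
        # A low median means impulsive clicking; None when nobody clicked.
        "median_time_to_click_s": median(click_times) if click_times else None,
    }

def reduction(baseline_rate, current_rate):
    """Percentage reduction of the click rate versus the baseline campaign
    (the 'Reduction' column of the benchmark table)."""
    return round(100 * (baseline_rate - current_rate) / baseline_rate, 1)

# Constructed sample of one campaign: ten recipients in two departments (not real data).
SAMPLE = [
    Recipient("finance", 30, 45, True, None),
    Recipient("finance", 60, 900, False, None),
    Recipient("finance", 20, None, False, 120),
    Recipient("finance", None, None, False, None),  # never opened (possibly filtered)
    Recipient("finance", 15, 25, True, None),
    Recipient("it", 40, None, False, 200),
    Recipient("it", 50, None, False, 80),
    Recipient("it", 10, None, False, None),
    Recipient("it", None, None, False, None),
    Recipient("it", 35, 600, False, 700),            # clicked, then reported anyway
]

if __name__ == "__main__":
    for dept in (None, "finance", "it"):
        print(dept or "whole company", compute_metrics(SAMPLE, dept))
    print("reduction 28% -> 9%:", reduction(28.0, 9.0), "%")
```

Running it shows why the department split matters: the company-wide click rate hides that finance clicks three times as often as IT while reporting far less.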
How do you report phishing results to management?
Management doesn’t want technical details. They want to know: are we at risk, are we getting better, and is the investment worth it? Translate your simulation results into business impact with these four elements.
Trend line over time. A graph showing the decrease in click rate and increase in report rate over the past few months. This line is your strongest argument: it shows measurable improvement.
Industry comparison. Place your score next to industry averages from the KnowBe4 report. A sentence like “our click rate of 5.2% places us well below the industry average of 33.1% for organizations without training” provides context that executives understand.
Reduced risk in euros. The Verizon Data Breach Investigations Report 2025 shows that 60% of all data breaches have a human element. By reducing your click rate from 33% to less than 5%, you significantly reduce the risk of a successful data breach. Couple this with the average cost of a data breach for an SME (think tens of thousands of dollars in downtime, remediation and reputational damage) and you have a compelling ROI story.
NIS2 compliance status. State explicitly whether your organization meets the NIS2 training requirement with current simulation and training results. This is no longer an afterthought, but a legal requirement.
A nuance about privacy. Always report at the organizational and departmental level, not at the individual level. In Belgium, CLA No. 81 guides electronic surveillance in the workplace. Individual click data may not be shared publicly or used for sanctions. Transparency in advance, through the work rules or an ICT policy, is essential. Make sure employees know that simulations are being conducted and that the goal is training, not control.
Phishing simulations and NIS2: measurable evidence of compliance
The Belgian NIS2 law, in effect since Oct. 18, 2024, has transformed phishing simulations from a best practice to a legal obligation for essential and important entities.
Article 21(2)(g) of the Act explicitly requires “cyber hygiene practices and cybersecurity training.” Phishing simulations here serve as double proof: they demonstrate that the organization is actively investing in employee resilience, and they measure the effectiveness of that investment, as required by Article 21(2)(f).
The CCB’s CyberFundamentals framework translates this requirement into concrete guidelines by maturity level. Even at the baseline level, awareness training is a core requirement. For an NIS2 audit, your organization must be able to provide evidence: training participation lists, simulation results with trend lines, and subsequent action plans.
Directors bear personal responsibility in this regard. They must not only approve the implementation of these measures, but also monitor their follow-up. The phishing simulation results are thus not only an operational report for IT, but a compliance tool for the board.
Good news for the budget: awareness training and phishing simulations are subsidizable through the VLAIO cybersecurity improvement programs, with up to 50% subsidy on a supervised course.
Frequently asked questions about phishing simulation results
What is a good click rate in a phishing simulation?
A click rate below 5% is considered excellent internationally. Without any training, the average is 33.1%. After twelve months of consistent training and simulation, organizations reach an average of 4.1%. For an SME just starting out with simulations, any percentage below 20% after the first three months is a positive sign.
How often should you run a phishing simulation?
Monthly simulations are the optimal frequency. Less than four simulations per year is insufficient to achieve lasting behavior change. More than twice a month can lead to simulation fatigue and cynicism among employees.
May individual click results be shared with management?
In Belgium, CLA No. 81 requires transparency about electronic surveillance. Individual results should generally not be shared publicly or used for sanctions. Report at the organizational or departmental level. Inform employees in advance via work rules that simulations are part of the awareness program.
What do you do if the click rate does not drop after multiple simulations?
Check three possible causes. Have the simulations become too simple or too recognizable? Are your security filters catching the simulation emails, causing employees to mistakenly consider them safe? Is there insufficient management support, causing employees not to take the training seriously? Adjust the approach based on this diagnosis.
Do phishing simulation results count as proof of NIS2 compliance?
Yes. The Belgian NIS2 law requires organizations to measure the effectiveness of their security measures. Simulation results with trend lines, combined with training records, provide direct evidence for the mandatory conformity assessment.
What is the difference between click rate and report rate?
The click rate measures how many employees click on the link in the phishing email: a negative indicator of vulnerability. The reporting rate measures how many employees are actively reporting the suspicious email: a positive indicator of vigilance. Both metrics are complementary; a mature program steers for a decreasing click rate as well as an increasing reporting rate.
Want to know where your organization stands?
Cyberplan conducts phishing simulations as a baseline for Flemish companies. You receive a clear report with your click rate, reporting rate and data entry, compared to current industry averages. Together, we translate the results into a concrete improvement plan that fits your company and budget.
Schedule a free consultation or find out how our phishing simulation works.