Measuring success of Social Engineering

How do you accurately measure the success of your security awareness phishing exercises?

The best way to ensure that you accurately measure the success of your security awareness simulated phishing exercises is to not to count the click rate as raw data, but to accurately analyse the susceptibility likelihood and reporting response rate incorporating the persuasiveness index.

Have you ever looked at the email phishing programs on the market and thought that they just seem to identify the click rate? Knowing that the click rate alone is not enough, is the first step to getting that clarity.

When it comes to helping your organisation avoid phishing attacks, you need science rather than intuition to guide your efforts. Now is the time to abandon your click rate fixation and begin to understand if your phishing awareness efforts are really working or not.

What metrics should you be using in combination to create one complete and accurate picture of whether your training program is meeting its goals or not? How can you determine if your employees are really becoming ever-more successful in avoiding phishing attempts with each iteration?

The changes in click-through rates are different depending upon the inherent persuasiveness of the phishing emails. Spear phishing emails have a higher click rate than generic phishing due to the focused nature of the email.

Therefore, measuring a general / average click rate will not provide you with the correct data to evaluate the success of your phishing program.

Layer 8 Security is now be providing a newly developed social engineering framework called the PC-ratio.

This involves the persuasive index of the attack, correlated to the capture rate and the reporting index.

What we really need to do is look at:

This data is then matched to other user behaviour information and other data. We based the persuasiveness scoring on Cialddini’s six key principles, reciprocity, scarcity, authority, commitment, and consistency, liking and consensus (or social proof).


The principle behind it is the persuasiveness of the phishing attack email is how easily persuaded would someone be with the different types of emails.

Each of these categories have differing weights to reflect their level of persuasiveness and the expected difficulty in detecting them.

We also need to consider the position of the person being targeted. Is the email type and persuasiveness relevant to that person?

Click Rate

Another measure that is taken into account to calculate the susceptibility likelihood is the Click rate. This is an obvious metrics, but it must be taken into account with the other factors via the algorithm.

Response Index

To understand staff behaviour, we also need to take into account the Response Index. This is the measurement of the staff reporting the suspected phishing exercise, did they just open it, delete it, click the link etc. These numbers allow us to better understand how staff responded to the phishing email and how they may respond in the future.

Repeat Offence

Finally, we need to consider the repeat offenders. Are some staff members continuously falling for these simulated attacks, subsequently not reporting them, and placing the organisation at risk?


All these factors are then combined using the calculation below to provide us with the Susceptibility Likelihood or more commonly called the Human Risk.

All these factors are then combined using the calculation below to provide us with the Susceptibility Likelihood or more commonly called the Human Phishing Risk.

R = (((( P x C ) + I ) O ) – M )/T

All factors have algorithms attached to them so when they are placed within this simple formula, they provide a risk score for each staff member within the organisation, allowing you to continue to measure their success and response to training.

Our cyber security experts are here to help

We work with businesses of all sizes to help them identify, and then manage their cyber security risks.