Phishing Fail Rate (PFR)
Humans are naturally inclined to trust others, which is why phishing—where criminals pose as trusted sources to trick individuals into sharing sensitive information—is one of the most effective and damaging cybersecurity threats.
Phishing is one of the easiest ways bad actors infiltrate organizations, and they don’t target CEOs or executives—they target employees who least expect it. That’s why cybersecurity training, particularly phishing simulations, is essential. These simulations reveal how prepared your organization is to handle phishing attempts and identify vulnerabilities, such as employees who may click suspicious links. Monitoring your Phishing Fail Rate (PFR) can help prevent breaches that might otherwise cost your organization thousands of dollars.
This article analyzes PFR trends across two companies to assess how phishing simulations impact an organization’s overall cybersecurity posture.
Data Breakdown
The graphic above shows the PFR for two organizations over a 24-month period, both working towards a target of about 3%, the level treated here as the goal for a well-defended organization.
Since suffering a ransomware attack, Company A quickly made significant strides in improving its cybersecurity posture through phishing simulations and employee training. Their PFR started at about 5%, reflecting the vulnerabilities that led to the attack. However, with focused attention on training and awareness, their fail rate steadily declined, demonstrating the effectiveness of proactive cybersecurity measures. Company A’s recovery highlights how investing in employee training post-breach can transform a crisis into an opportunity for long-term resilience.
Company B, on the other hand, started out with a PFR at a high 15% in the first few months of employee training implementation.
In contrast, Company A maintains consistently low PFR scores, averaging around 2% with some minor fluctuations. Their steady performance exemplifies the importance of regular training and simulations as preventative measures. While Company B shows significant improvement, Company A’s approach shows the success of sustained cybersecurity practices.
The data emphasizes that ongoing training and monitoring are essential to maintaining a low PFR. Company A’s experience shows that even after a breach, organizations can rebuild their defenses through structured cybersecurity programs. Meanwhile, Company B demonstrates the value of staying proactive with consistent training. For organizations like Company B, enhancing training frequency and refining onboarding processes will be crucial for stabilizing performance and reducing future risks.
Additionally, the data reveals spikes in PFR during periods of high employee turnover or when new hires join, suggesting that timely cybersecurity training for these employees is essential to mitigate increased vulnerability to phishing attacks. Both companies are aiming for a target PFR of 3%, highlighting the importance of continuous improvement in cybersecurity efforts.
Key Factors Contributing to Success or Struggle
Frequent training has a direct impact on PFR. Organizations that conduct weekly cybersecurity training show significantly lower PFRs than those with less frequent sessions.
While these trends indicate improvement over time, it’s important to note that companies with the lowest PFRs are those that maintain regular training schedules. As cybersecurity expert Tim Mazur explains:
“The strongest indicator of an organization’s security is how many employees complete their training regularly.”
This insight highlights that more frequent and consistent training correlates with a lower PFR, reinforcing the need for organizations to prioritize ongoing education.
Why Tracking PFR is Strategically Essential
Phishing simulations mimic real attacks, providing a glimpse into how employees might respond in real scenarios. Monitoring PFR offers a crucial snapshot of an organization’s vulnerability, helping leaders determine how much training is needed to mitigate risk.
These simulations also help pinpoint specific weaknesses within the organization, identifying employees or departments where additional training is required. In this way, PFR becomes a key indicator of an organization’s ability to withstand cyber threats.
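The reporting described in the two paragraphs above is easy to automate once simulation results are recorded per employee. The following is an added example, not code from the article or from any particular awareness-training product: it computes PFR as clicked simulated phishes divided by simulated phishes delivered, tracks it per campaign, flags departments above the 3% target, and splits each campaign into a new-hire cohort and tenured staff so that the turnover-related spikes the article mentions can be seen rather than guessed at. All records, department names and hire dates are constructed sample data, and the `SimResult` shape is an assumption about how a simulation platform might export its results.

```python
"""Phishing Fail Rate (PFR) reporting over phishing-simulation results.

Added example; the records below are constructed sample data, not real
campaign results, and the SimResult layout is an assumed export format.
"""
from collections import defaultdict
from dataclasses import dataclass

TARGET_PFR = 0.03  # the 3% goal named in the article


@dataclass(frozen=True)
class SimResult:
    campaign: str    # month the simulated phish was sent, "YYYY-MM"
    department: str
    employee: str
    hire_month: str  # month the employee joined, "YYYY-MM"
    clicked: bool    # True = employee fell for the simulated phish


def _month_index(ym: str) -> int:
    """Turn 'YYYY-MM' into a running month count so dates can be subtracted."""
    year, month = ym.split("-")
    return int(year) * 12 + int(month)


def pfr(records) -> float:
    """PFR = simulated phishes clicked / simulated phishes delivered."""
    records = list(records)
    if not records:
        return 0.0
    return sum(1 for r in records if r.clicked) / len(records)


def pfr_by(records, field: str) -> dict:
    """PFR grouped by one attribute of the records (campaign, department, ...)."""
    groups = defaultdict(list)
    for r in records:
        groups[getattr(r, field)].append(r)
    return {key: pfr(group) for key, group in sorted(groups.items())}


def campaign_records(records, campaign: str) -> list:
    return [r for r in records if r.campaign == campaign]


def departments_over_target(records, target: float = TARGET_PFR) -> list:
    """Departments whose PFR exceeds the target; these need extra training first."""
    return [d for d, rate in pfr_by(records, "department").items() if rate > target]


def cohort_pfr(records, campaign: str, new_hire_months: int = 3) -> dict:
    """Split one campaign into new hires (joined within N months) and tenured staff."""
    sent = _month_index(campaign)
    new_hires, tenured = [], []
    for r in campaign_records(records, campaign):
        is_new = sent - _month_index(r.hire_month) < new_hire_months
        (new_hires if is_new else tenured).append(r)
    return {"new_hire": pfr(new_hires), "tenured": pfr(tenured)}


# Constructed sample data: two monthly campaigns across three small departments.
# Real populations are far larger; with eight recipients a single click already
# exceeds a 3% target, so treat these numbers as illustration only.
_RAW = [
    ("2024-01", "sales",       "s1", "2023-01", False),
    ("2024-01", "sales",       "s2", "2023-01", True),
    ("2024-01", "sales",       "s3", "2024-01", True),   # new hire, clicked
    ("2024-01", "engineering", "e1", "2023-01", False),
    ("2024-01", "engineering", "e2", "2023-01", False),
    ("2024-01", "finance",     "f1", "2023-01", False),
    ("2024-01", "finance",     "f2", "2023-06", False),
    ("2024-01", "finance",     "f3", "2023-06", False),
    ("2024-02", "sales",       "s1", "2023-01", False),
    ("2024-02", "sales",       "s2", "2023-01", False),
    ("2024-02", "sales",       "s3", "2024-01", False),
    ("2024-02", "engineering", "e1", "2023-01", False),
    ("2024-02", "engineering", "e2", "2023-01", False),
    ("2024-02", "finance",     "f1", "2023-01", False),
    ("2024-02", "finance",     "f2", "2023-06", False),
    ("2024-02", "finance",     "f3", "2023-06", True),
]
RESULTS = [SimResult(*row) for row in _RAW]

if __name__ == "__main__":
    print("PFR per campaign:", pfr_by(RESULTS, "campaign"))
    for campaign in sorted({r.campaign for r in RESULTS}):
        month = campaign_records(RESULTS, campaign)
        print(campaign, "over target:", departments_over_target(month),
              "cohorts:", cohort_pfr(RESULTS, campaign))
```

The cohort split is the part worth keeping in a real report: a department-level PFR that looks stable can hide a new-hire cohort failing at a much higher rate, which is exactly the signal that onboarding training should be scheduled earlier.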
What Does a High PFR Mean, and How Can You Improve It?
A high PFR isn’t the end of the world—it’s an opportunity to improve. Here are some actionable steps to lower your PFR:
- Increase the frequency of phishing simulations to reinforce employee awareness.
- Personalize training programs to address common pitfalls and challenges specific to your workforce.
- Make cybersecurity training mandatory to ensure every employee is prepared to handle potential threats.
- Ask your IT provider for more information.
Even if your PFR is currently low, it’s essential to remain proactive. Consistent training and ongoing simulations are crucial to maintaining success, especially as phishing tactics continue to evolve.
Conclusion
The data shows that while most companies in this analysis are moving in the right direction, maintaining a low PFR requires ongoing effort and vigilance. None of the organizations achieved a perfect 0% PFR across the 24-month period, underscoring that continuous improvement is necessary to stay secure.
By monitoring PFR, implementing regular training, and identifying weaknesses early, organizations can build a resilient cybersecurity culture that’s prepared for future threats.