For a decade, the "Phish Prone Percentage" (Click Rate) has been the gold standard. It’s time to retire it. A low click rate on an easy template doesn't mean you're secure. A high click rate during a difficult simulation doesn't mean you're failing.
Why Click Rates Fail
- Volatility: One hard campaign can spike the rate, causing panic.
- Context-Free: It ignores who clicked. A click from a reception desk is bad; a click from a Domain Admin is catastrophic.
- Reactive: It only measures failure, not resilience.
The Modern Human Risk Score
A comprehensive Human Risk Score acts like a credit score for cyber behavior. It aggregates data from multiple sources:
1. Behavioral History: Past simulation performance and training completion.
2. Role Criticality: Does this user have Admin rights? Access to PII?
3. Real-World Events: Data from API connectors (e.g., did they disable MFA?).
4. Exposure: Is their email on the dark web?
How to Use the Score
Move beyond compliance. Learn about Autonomous HRM.
