Phishing Simulation Metrics That Actually Matter to Executives
Most phishing simulation reports presented to executives die in the first slide. The reason is rarely the program itself - it's that the metrics chosen for the slide are the ones the platform exports by default rather than the ones an audit committee or CEO actually cares about. The dashboard ships with twelve charts; the executive packet needs four. The rest belongs in the appendix or, more often, nowhere at all.
This is the metrics shortlist for CISOs, vCISOs and security program owners who report to a board, a CEO, an audit committee or a cyber insurance broker. It is intentionally short. It is intentionally trend-oriented. And it is structured to survive the question every executive eventually asks: "so what?"
The four KPIs that belong on the slide
1. Click-through rate by campaign, with a trend line over the last four campaigns. A single number is meaningless. A number with a trend is a story. The chart should show four bars (or four points) with the campaign date underneath each one. Industry context: Verizon DBIR breach data has reinforced for years that initial-program click rates run in the 25-35% range; mature programs trend below 5%. Where you are matters less than which way you're going.
2. Training completion rate within 7 days of click. This is the metric that separates a program from theater. If 90% of users who click complete training within a week, your remediation pipeline is working. If 40% do, it isn't and the click-rate number above is misleadingly clean. Cyber insurance carriers ask for this number specifically.
3. Time-to-remediation (median hours from click to training completion). This translates the completion rate into a velocity. A board chart that shows median time-to-remediation falling from 96 hours to 18 hours over a year is a clearer story of program improvement than a flat 90% completion number.
4. Repeat-clicker rate. The percentage of users who clicked in the current campaign and clicked in the prior campaign. This is the single most predictive indicator of organizational risk you can put in front of an executive - it tells them where the residual exposure actually lives. Pair it with a brief note on what targeted intervention is happening for that cohort (one-on-one training, manager involvement, role-based privilege review).
Four KPIs. One slide. The rest is appendix.
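As an added illustration (not code from the page or from any vendor platform), the four KPIs computed from a constructed per-delivery event log: one record per simulated email, with click and training-completion timestamps. The denominator for repeat-clicker rate is assumed to be the current campaign's clickers, and time-to-remediation is the median over clickers who completed training at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Delivery:
    """One simulated email delivered to one user in one campaign (constructed schema)."""
    campaign: str
    user: str
    clicked_at: Optional[datetime] = None   # None = did not click
    trained_at: Optional[datetime] = None   # None = never completed remediation training


def _t(day: int, hour: int = 9) -> datetime:
    return datetime(2024, 1, 1) + timedelta(days=day, hours=hour)

# Constructed sample data, two campaigns, four users.
SAMPLE = [
    Delivery("2024-Q1", "alice", _t(0, 9), _t(0, 11)),    # clicked, trained 2h later
    Delivery("2024-Q1", "bob", _t(0, 10), _t(9)),         # trained after ~9 days: misses 7-day window
    Delivery("2024-Q1", "carol"),                         # did not click
    Delivery("2024-Q1", "dave", _t(1)),                   # clicked, never trained
    Delivery("2024-Q2", "alice", _t(90, 9), _t(91, 9)),   # repeat clicker, trained in 24h
    Delivery("2024-Q2", "bob"),
    Delivery("2024-Q2", "carol", _t(90, 9), _t(90, 21)),  # first-time clicker, trained in 12h
    Delivery("2024-Q2", "dave"),
]


def click_rate(rows, campaign):
    sent = [r for r in rows if r.campaign == campaign]
    return sum(1 for r in sent if r.clicked_at) / len(sent) if sent else 0.0


def completion_rate(rows, campaign, window_days=7):
    clicked = [r for r in rows if r.campaign == campaign and r.clicked_at]
    done = [r for r in clicked
            if r.trained_at and r.trained_at - r.clicked_at <= timedelta(days=window_days)]
    return len(done) / len(clicked) if clicked else 0.0


def median_remediation_hours(rows, campaign):
    hours = [(r.trained_at - r.clicked_at).total_seconds() / 3600
             for r in rows if r.campaign == campaign and r.clicked_at and r.trained_at]
    return median(hours) if hours else None


def repeat_clicker_rate(rows, campaign, prior):
    cur = {r.user for r in rows if r.campaign == campaign and r.clicked_at}
    prev = {r.user for r in rows if r.campaign == prior and r.clicked_at}
    return len(cur & prev) / len(cur) if cur else 0.0


def executive_summary(rows, campaigns):
    """One row per campaign, in order, giving the four slide KPIs."""
    out = []
    for i, c in enumerate(campaigns):
        prior = campaigns[i - 1] if i else None
        out.append({"campaign": c,
                    "click_rate": round(click_rate(rows, c), 3),
                    "completion_7d": round(completion_rate(rows, c), 3),
                    "median_hours": median_remediation_hours(rows, c),
                    "repeat_rate": repeat_clicker_rate(rows, c, prior) if prior else None})
    return out
```

Note that Q1's median remediation time is dragged to 108.5 hours by one late completion while its 7-day completion rate is only 33%, which is exactly the "misleadingly clean click rate" situation the completion KPI exists to expose.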
Vanity metrics to drop
- Email-open rate. Inline image preview, threat scanners, mobile preview panes - open events have so much non-human noise that the number is uninterpretable. Click is the meaningful event.
- Number of campaigns run. Activity, not outcome. Volume belongs in the operational dashboard, not the executive packet.
- Library size, "templates available." A vendor-supplied vanity metric that doesn't reflect anything about your program.
- Reports submitted (without context). The volume of "report phish" button clicks is meaningful only when expressed as a ratio against actual phishing volume. As a raw number it tells you nothing.
- Average score per user (gamified points). Useful for end-user engagement; not a KPI for executives.
How to frame the trend line for an executive audience
Three rules for executive trend reporting:
- Always include a comparison period. Quarter-over-quarter and year-over-year. A single quarter's number invites the question "is that good?" - the comparison answers it preemptively.
- Annotate inflection points. If the click rate jumped from 12% to 19% in Q3, the chart should say "added Sales department onboarding cohort." Otherwise the executive will reach the wrong conclusion. Marsh and Aon both publish broker guidance recommending narrative annotation alongside trend lines for the same reason - the chart without context is worse than no chart.
- Tie one number to a dollar figure. The IBM Cost of a Data Breach report's annual averages are the standard external reference; you don't need to re-derive them. A single line - "median phishing-initiated breach cost in our industry is $X; our trend reduces probability of incident by Y%" - is more memorable than any chart.
Cohort segmentation for the appendix
The four KPIs above belong on the executive slide. The same KPIs broken out by cohort belong in the appendix and in the operational dashboard. Useful cohort splits:
- By department. Finance, Sales, IT, Operations and Executive cohorts behave differently. Finance click rates often run lower than the average; Sales and Marketing run higher because of the volume of legitimate external email these teams handle.
- By tenure. First-90-days hires are systematically more vulnerable. If you can break out the new-hire cohort, do.
- By difficulty. A 4% click rate on easy templates is a different result than a 4% click rate on hard templates. Reporting both prevents executives from drawing false-confidence conclusions.
- By channel. Email click rate, SMS click rate, voice (vishing) compliance rate. Multi-channel programs should report each channel separately; aggregating them hides important variance.
The dollar-translation paragraph
Every executive packet should include one paragraph that ties the program's metrics to a dollar figure. Not a forecast, not a projected ROI calculation, but a defensible reference point that an executive audience can recognize. Two patterns that work:
- Avoided breach cost framing. "The IBM Cost of a Data Breach Report's annual industry average for our sector is $X. Phishing remains the top initial-access vector in Verizon DBIR data; our continuous program reduces that probability by an estimated factor of Y based on Forrester and Gartner research on the category." Conservative numbers, named external sources, no fabricated precision.
- Insurance premium reduction framing. "Our broker has indicated that maintaining our current continuous phishing program supports a Z% reduction off baseline cyber insurance premium. On our current $A premium, that is roughly $B annually." This is the line that lands hardest with CFO and audit committee audiences because it is observable rather than probabilistic.
A single dollar paragraph framed against named external sources does more work in front of an executive audience than any chart in the deck. Our full ROI model walks through both calculations in detail.
Reporting cadence and what each audience expects
Different executive audiences expect different cadences and different framings of the same underlying metrics:
- Board (full): Quarterly. Four-page packet. Trend lines, cohort heatmap, three findings, forward roadmap. Annual deep-dive in Q4 or Q1.
- Audit committee: Quarterly to monthly. May see more granular cohort data than full board, including executive-cohort metrics that don't go in the broader packet.
- CEO direct report: Monthly. Single dashboard view, no slides. The CEO doesn't need a packet between board cycles; they need to know if anything has materially changed.
- CFO: Quarterly with annual budget cycle integration. The dollar-translation paragraph matters most for this audience; the cohort detail matters least.
- Cyber insurance broker: Annually at minimum, with renewal-cycle interim updates. Wants the 12-month campaign list and the per-campaign click rate trend, formatted to map onto the carrier's specific application.
- SOC 2 auditor: Annually as part of the audit fieldwork. Wants the campaign list, completion rates, written policy and per-incident remediation evidence - all of which the same dashboard produces.
Same underlying KPIs across all six audiences. Different cadence, different framing, different paper. The platform should produce all six views from a single data source so the program owner is not rebuilding reports per audience every quarter.
The board-packet template
The structure that has consistently survived board scrutiny:
- Page 1: The four KPIs above, four-quarter trend, one short narrative paragraph.
- Page 2: Cohort heatmap (department by KPI), with one paragraph naming where intervention is happening.
- Page 3: Top three lessons learned this quarter (which template family had the highest click rate, which cohort regressed, which targeted training campaign launched in response).
- Page 4: Forward-looking program roadmap - what's changing next quarter and why.
- Appendix: Per-campaign detail, per-user repeat-clicker list (anonymized to manager-level), reference to cyber insurance application alignment.
Four pages. No more. If a board has 90 minutes and 14 agenda items, your security awareness section gets four pages and eight minutes. Earn the eight minutes by making the four pages count.
What this looks like inside the platform
Bait & Phish reporting is structured around discrete campaign cohorts so the four KPIs above are computed natively rather than reconstructed from a continuous activity log. Click-through rate, completion rate, time-to-remediation and repeat-clicker rate are all native dashboards with quarterly export. Cohort breakdowns by department and difficulty are filterable, and PDF exports are formatted for board, audit and broker consumption without manual cleanup.
If you're rebuilding your executive reporting and want a platform that produces the four KPIs natively, start a free trial with up to 25 users and run a campaign through the full reporting cycle. If you want help mapping these KPIs to your specific reporting obligations - board, auditor, carrier - contact us and we'll walk through it on a call. Pricing for full deployments is visible on the site.