Our security team wants to include phishing and vishing (voice phishing) in our next engagement. How do we quantify the risk of a successful social engineering attack to the board? Is it enough to just say "5% of people clicked," or should we be looking at deeper impact metrics?
3 answers
Clicking a link is just the "entry" metric; the real impact is what happens next. You need to track "Payload Execution" and "Credential Harvest." For example, if 5% clicked but 100% of those entered their corporate credentials into a fake login page, that’s a critical failure. Furthermore, measure "Lateral Movement" potential. If you gain access to one workstation via phishing, how far can you go? Can you reach the domain controller? The board cares about the "Crown Jewels." Showing that a single phishing email led to the compromise of the CFO’s mailbox is far more impactful than just showing a high click rate percentage.
Reporting is one thing, but how do you handle the potential "employee backlash" when people feel tricked or embarrassed by the security team?
Include a "Time to Compromise" metric. Showing that it took only 15 minutes from sending the email to gaining admin access really highlights the speed of modern threats.
That’s a powerful metric, Louis. It demonstrates to leadership that detection time is just as important as prevention.
This is where the "Ethical" part is crucial. You must ensure the results are anonymized in the final report. Never "name and shame" individual employees to management. Instead, frame it as a systemic training gap. Use the results to justify better technical controls, like hardware MFA, which would have neutralized the stolen credentials anyway. The goal is to build a "blame-free" culture where employees feel comfortable reporting mistakes rather than hiding them out of fear of being fired.