
A phishing simulation produces a dozen numbers, and most teams act on the wrong one. The instinct is to fixate on click rate and treat a low number as success — but the Verizon Data Breach Investigations Report is clear that the human element sits behind the large majority of breaches, and a single headline percentage tells you almost nothing about which humans, how fast, or what to do next. The value of a simulation is in the full results report, read correctly.
This guide explains every field you will see after a campaign runs: what it measures, how it is calculated, how to interpret it, and the action each metric should trigger. Where a "good" number depends on your sector, it links to the industry benchmark rather than quoting a figure out of context.
Emails delivered — the denominator everything depends on
Before any rate means anything, confirm how many messages actually reached inboxes. Delivered count is the denominator for every percentage in the report. A high bounce or block rate — anything above roughly five percent — usually points to a sending or domain-configuration issue rather than employee behaviour: a sending domain that fails SPF, DKIM or DMARC checks, or a secure email gateway that was never told to allowlist the simulation platform and quarantined the lure. A message quarantined by the gateway may still count as delivered on the sending side, so it inflates the denominator and makes click and report rates look better than they are, quietly distorting every metric below it. Always confirm delivery before drawing conclusions from rates.
Click rate — the primary success metric
What it measures: the percentage of employees who clicked the simulated phishing link.
How it is calculated: employees who clicked, divided by messages delivered, times one hundred.
How to interpret it: click rate is the headline, but it is only meaningful against a baseline and a sector benchmark. A first-ever simulation will run high; the number that matters is the trend over subsequent campaigns. What counts as typical varies widely by industry — see our phishing click rate benchmarks by industry for where your sector sits, and the mobile benchmarks for why smartphone clicks run higher.
The action it triggers: assign remedial training to everyone who clicked, and track the rate down over time rather than judging a single campaign. For the levers that actually move it, see how to reduce phishing click rate.
Credential submission rate — the highest-severity field
What it measures: the percentage of employees who not only clicked but also entered credentials on the simulated login page.
How it is calculated: credentials submitted, divided by messages delivered, times one hundred. Some platforms divide by clicks instead, which gives a much larger figure for the same campaign; check which denominator your report uses before comparing it with a benchmark or a previous campaign.
Why it matters more than click rate: a click is recoverable; a submitted credential is the event an attacker actually needs. This is the most severe failure in any simulation, and it identifies your highest-risk users with precision.
The action it triggers: prioritise submitters for immediate, targeted training and confirm that phishing-resistant multi-factor authentication (FIDO2 or WebAuthn, not SMS or app codes alone) is enforced on their accounts, because a real credential-harvesting page that relays the login can capture a one-time code as readily as the password. Re-test this group within the next campaign cycle rather than waiting for the quarterly rotation.
Report rate — the positive behaviour you are actually building
What it measures: the percentage of employees who correctly identified the message as phishing and reported it.
How it is calculated: employees who reported, divided by messages delivered, times one hundred.
Why it matters: click rate measures failure; report rate measures the behaviour worth building. An employee who reports a phishing attempt protects the whole organisation, not just themselves, because the security team can then pull the message from every other mailbox and block the sender and URL for everyone else. A mature program is defined as much by rising report rate as by falling click rate. For sector context, see our phishing reporting rate benchmarks by industry.
The action it triggers: make reporting effortless — a one-click button beats a "forward to IT" process — and recognise early reporters so the behaviour spreads.
Time to click and time to report — the speed metrics
What they measure: how quickly employees click the link, and how quickly the first reports arrive, after delivery.
Why they matter: speed determines blast radius. Fast clicks indicate impulsive, urgency-driven behaviour and mark the highest-risk responders. Fast reporting, conversely, is what makes early containment possible — a campaign identified and blocked within the first half hour compromises a fraction of the employees that the same campaign reaches over six hours. Detection speed varies sharply by sector and is driven by organisational design more than employee capability; see our analysis of average time to report phishing emails.
The action they trigger: flag rapid clickers for urgency-resistance training, and invest in the reporting interface, because shaving hours off time-to-report does more for containment than another point off click rate.
Repeat clicker rate — where risk concentrates
What it measures: the share of clicks coming from employees who also failed previous simulations.
Why it matters: human risk is not evenly distributed. A small group of repeat clickers typically accounts for a disproportionate share of future incident risk, which means generic, everyone-gets-the-same-module training is inefficient.
The action it triggers: route repeat clickers into a progressive, escalating training pathway and increase their simulation frequency, rather than spreading the same effort across the whole workforce.
Per-department breakdown — the most actionable view
What it measures: every metric above, segmented by department, team, or job function.
Why it matters: an aggregate click rate is interesting; a department-level breakdown is actionable. It tells you exactly where to spend training budget. Finance and accounts payable carry wire-fraud and invoice exposure; HR is targeted for payroll and benefits fraud; executive assistants face impersonation; new hires are targeted during onboarding, before they know what legitimate internal requests look like. The Internet Crime Complaint Center data on business email compromise shows how concentrated financial losses are in exactly these functions.
The action it triggers: rank departments by risk, then tailor simulation frequency and template type to each function — invoice-fraud scenarios for finance, impersonation for executive support. Our department-level benchmarks show the typical spread.
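The fields from "emails delivered" through the per-department breakdown are all arithmetic over the same per-recipient event log, so it is worth seeing them computed together. The script below is an added worked example for this article, not PhishSkill's own code or export format: it assumes one record per recipient with event times in minutes after send (None when the event never happened) and a count of prior simulation failures, on a constructed sample campaign. It also reports two things the headline numbers hide: the credential rate under both common denominators, and how many clicks landed before the first report arrived.

```python
"""Compute phishing-simulation report fields from raw per-recipient events.

Added example for this article, not PhishSkill's own code. The record layout
(one row per recipient, times in minutes after send, None = never happened,
prior_failures = earlier simulations failed) is an assumed export format.
"""
from collections import defaultdict
from statistics import median

# Constructed sample campaign: (user, department, delivered, clicked_at,
# submitted_at, reported_at, prior_failures). 21 sent, 1 bounced.
RAW = [
    ("u01", "Finance", True,  3,    4,    None, 2),
    ("u02", "Finance", True,  9,    None, None, 0),
    ("u03", "Finance", True,  None, None, 12,   0),
    ("u04", "Finance", True,  None, None, None, 0),
    ("u05", "HR",      True,  6,    7,    None, 1),
    ("u06", "HR",      True,  None, None, 8,    0),
    ("u07", "HR",      True,  None, None, None, 0),
    ("u08", "Eng",     True,  None, None, 5,    0),
    ("u09", "Eng",     True,  None, None, 15,   0),
    ("u10", "Eng",     True,  40,   None, None, 0),
    ("u11", "Eng",     True,  None, None, None, 0),
    ("u12", "Eng",     True,  None, None, None, 0),
    ("u13", "Eng",     False, None, None, None, 0),  # bounced, never delivered
] + [(f"u{n}", "Eng", True, None, None, None, 0) for n in range(14, 22)]

FIELDS = ("user", "dept", "delivered", "clicked_at", "submitted_at",
          "reported_at", "prior_failures")
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]


def pct(num, den):
    """Percentage with a zero-safe denominator, rounded to one decimal."""
    return round(100.0 * num / den, 1) if den else 0.0


def delivery_check(events, max_bounce_pct=5.0):
    """Confirm the denominator before trusting any rate. A bounce rate above
    the threshold points at sending/domain configuration, not at employees."""
    sent = len(events)
    delivered = sum(1 for e in events if e["delivered"])
    bounce_pct = pct(sent - delivered, sent)
    return {"sent": sent, "delivered": delivered, "bounce_pct": bounce_pct,
            "trustworthy": bounce_pct <= max_bounce_pct}


def rates(events):
    """Click, credential-submission and report rates over delivered messages.
    Credential rate is also given per clicker, because some platforms report
    it that way; know which definition your tool uses before comparing."""
    delivered = [e for e in events if e["delivered"]]
    clicked = [e for e in delivered if e["clicked_at"] is not None]
    submitted = [e for e in delivered if e["submitted_at"] is not None]
    reported = [e for e in delivered if e["reported_at"] is not None]
    return {
        "delivered": len(delivered),
        "click_pct": pct(len(clicked), len(delivered)),
        "cred_pct": pct(len(submitted), len(delivered)),
        "cred_pct_of_clickers": pct(len(submitted), len(clicked)),
        "report_pct": pct(len(reported), len(delivered)),
    }


def speed(events):
    """Time-to-click and time-to-report, plus the clicks that landed before
    the first report, i.e. before containment could possibly have started."""
    clicks = sorted(e["clicked_at"] for e in events if e["clicked_at"] is not None)
    reports = sorted(e["reported_at"] for e in events if e["reported_at"] is not None)
    first_report = reports[0] if reports else None
    before = sum(1 for t in clicks if first_report is None or t < first_report)
    return {"median_minutes_to_click": median(clicks) if clicks else None,
            "first_report_minutes": first_report,
            "clicks_before_first_report": before}


def repeat_clicker_share(events):
    """Share of this campaign's clicks from users who failed an earlier one."""
    clickers = [e for e in events if e["clicked_at"] is not None]
    repeats = [e for e in clickers if e["prior_failures"] > 0]
    return pct(len(repeats), len(clickers))


def by_department(events):
    """Every rate above per department, ranked worst-first by credential
    rate, then click rate. Returns (ranked department names, rate table)."""
    groups = defaultdict(list)
    for e in events:
        groups[e["dept"]].append(e)
    table = {dept: rates(members) for dept, members in groups.items()}
    ranked = sorted(table, key=lambda d: (table[d]["cred_pct"],
                                          table[d]["click_pct"]), reverse=True)
    return ranked, table


if __name__ == "__main__":
    print(delivery_check(EVENTS))
    print(rates(EVENTS))
    print(speed(EVENTS))
    print("repeat-clicker share of clicks:", repeat_clicker_share(EVENTS))
    ranked, table = by_department(EVENTS)
    for dept in ranked:
        print(dept, table[dept])
```

On this sample the bounce rate is 4.8 percent, so the rates can be trusted; the credential rate reads as 10 percent of delivered but 50 percent of clickers, which is why the denominator has to be stated; and only one of the four clicks happened before the first report at five minutes, which is the containment window the speed metrics are really about.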
Training completion and risk-score change — the follow-through
A simulation without follow-up is a gotcha, not a program. Two fields close the loop:
- Training completion rate — the share of assigned remedial training that employees actually finish. High completion with low engagement is a weak signal: a module clicked through in two minutes counts as complete and changes nothing; see why in our completion rate benchmarks.
- Risk-score change — the aggregate and per-employee movement in behavioural risk over time. This is the metric that translates individual campaign results into a trend leadership can act on.
Together these answer the only question that matters across campaigns: is human risk going down?
Reading the full report — common mistakes
- Optimising for a low click rate with easy templates. A one-percent click rate on an obvious lure means nothing. Use realistic difficulty to get data that reflects real exposure.
- Ignoring report rate. Tracking only failure misses the positive behaviour you are trying to build.
- Sending every campaign at the same time. Real phishing does not arrive at 9 a.m. Monday. Vary send timing to capture the full behavioural range — and run them at a sensible cadence.
- Reading only the aggregate. The per-department view is where the decisions are.
A phishing simulation is only as useful as the report you read afterwards. PhishSkill surfaces every metric here in real time — per employee, per department, with risk scores that update after each campaign and one-click compliance export — and automatically assigns the right training based on what each employee did. Run a baseline simulation and read the full report, not just the headline number.
Related Reading
Phishing Click Rate Benchmarks by Industry: How Does Your Organization Compare?
Knowing your phishing click rate is only half the picture. Understanding how it compares to organizations like yours—and what drives the variation—is where the real strategic insight lives.
Phishing Reporting Rate Benchmarks by Industry: How Many Employees Actually Flag Suspicious Emails?
Industry benchmarks reveal which sectors have built genuine reporting cultures and which are relying on employees to simply avoid mistakes. See the data.
Average Time to Report Phishing Emails: Industry Benchmarks for Detection Speed That Actually Matters
The gap between phishing email arrival and security team notification determines damage potential. Detection times vary from minutes to days — driven by organizational design, not capability.