A phishing simulation shows 30% of staff clicked the link. What's the constructive response?
Short answer
A 30% click rate is a baseline to improve, not a list of people to punish: pair role-based training and a frictionless report button with technical defenses (MFA, email filtering, least privilege) so a single click doesn't lead to compromise, and track the trend over time. Publicly shaming employees suppresses the reporting you depend on. Declaring the workforce hopeless removes a control you should be strengthening. Another scary all-staff email isn't a measurable intervention and doesn't change behavior.
A phishing simulation is a measurement tool, not a trap. A 30% click rate tells you the human layer needs work and that your technical safety net must assume clicks will happen. The scenario tests whether a CISO responds like a program manager improving a system or like a disciplinarian blaming individuals.
Why treating it as a program signal is correct
The right response works on two layers at once. On the human layer: deliver targeted, role-based training (especially to the clickers and high-risk roles), and deploy an easy report button so reporting a suspicious email is one click — reporting rate becomes a leading indicator of a healthy culture. On the technical layer: assume someone will always click, and make that click non-catastrophic with MFA, strong email filtering, least privilege, and isolation. Then you measure the trend across future simulations. That combination reduces real-world risk; a single number in isolation does not.
Why the distractors fail
- Publicly name and punish. Shame is counterproductive. It teaches people to hide mistakes and not report when they actually fall for a real attack — destroying your earliest detection signal.
- Declare the workforce hopeless and stop training. This abandons a control you should be improving. People are trainable, and giving up guarantees the number never moves.
- Send one more scary all-staff email. Fear isn't a measurable intervention. Blast emails change nothing durably and often increase anxiety without improving behavior or your metrics.
What the interviewer is probing
They want a systems mindset: human risk is managed with training plus technical controls plus measurement, and a no-blame culture that maximizes reporting. The weak candidate reaches for punishment or fatalism — both feel like decisive action but actively make the organization less safe by suppressing the reporting and engagement a CISO needs.
Likely follow-ups
- Why can a high report rate matter more than a low click rate as a program metric?
- How do you make sure phishing simulations build trust rather than punish, while still being realistic?
- Which technical controls reduce the impact of a click even when training fails?