Skip to content

A phishing simulation shows 30% of staff clicked the link. What's the constructive response?

Short answer

A 30% click rate is a baseline to improve, not a list of people to punish: pair role-based training and a frictionless report button with technical defenses (MFA, email filtering, least privilege) so a single click doesn't lead to compromise, and track the trend over time. Publicly shaming employees suppresses the reporting you depend on. Declaring the workforce hopeless removes a control you should be strengthening. Another scary all-staff email isn't a measurable intervention and doesn't change behavior.

A phishing simulation is a measurement tool, not a trap. A 30% click rate tells you the human layer needs work and that your technical safety net must assume clicks will happen. The scenario tests whether a CISO responds like a program manager improving a system or like a disciplinarian blaming individuals.

Why treating it as a program signal is correct

The right response works on two layers at once. On the human layer: deliver targeted, role-based training (especially to the clickers and high-risk roles), and deploy an easy report button so reporting a suspicious email is one click — reporting rate becomes a leading indicator of a healthy culture. On the technical layer: assume someone will always click, and make that click non-catastrophic with MFA, strong email filtering, least privilege, and isolation. Then you measure the trend across future simulations. That combination reduces real-world risk; a single number in isolation does not.

Why the distractors fail

  • Publicly name and punish. Shame is counterproductive. It teaches people to hide mistakes and not report when they actually fall for a real attack — destroying your earliest detection signal.
  • Declare the workforce hopeless and stop training. This abandons a control you should be improving. People are trainable, and giving up guarantees the number never moves.
  • Send one more scary all-staff email. Fear isn't a measurable intervention. Blast emails change nothing durably and often increase anxiety without improving behavior or your metrics.

What the interviewer is probing

They want a systems mindset: human risk is managed with training plus technical controls plus measurement, and a no-blame culture that maximizes reporting. The weak candidate reaches for punishment or fatalism — both feel like decisive action but actively make the organization less safe by suppressing the reporting and engagement a CISO needs.

Likely follow-ups

  • Why can a high report rate matter more than a low click rate as a program metric?
  • How do you make sure phishing simulations build trust rather than punish, while still being realistic?
  • Which technical controls reduce the impact of a click even when training fails?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.