
Phish-prone percentage

Phish-prone percentage definition

Phish-prone percentage is a metric used to assess an organization’s susceptibility to phishing attacks. It is calculated by dividing the number of employees who fell for a simulated phishing test by the total number of employees who were tested, then multiplying the result by 100 to get a percentage. For example, if an organization tests 100 employees and 20 of them click on the phishing email, the phish-prone percentage is 20%.

This metric can be useful in assessing the effectiveness of an organization's cybersecurity training. A high percentage would indicate that employees need more education on how to identify and avoid phishing scams.

See also: active defense, anti-phishing-service, spear phishing

How to evaluate phish-prone percentage

  1. Plan the campaign. First, decide on the scope of the campaign and the type of email you’re going to send. For example, you can send a generic spam-style email to the entire organization or prepare a more targeted test against a subset of employees.
  2. Create phishing emails. Craft your emails to look authentic enough to trick an unsuspecting employee.
  3. Launch the campaign and gather data. Track who opens the email and who clicks on the links or attachments.
  4. Analyze the results. Calculate your phish-prone percentage and evaluate the need for cybersecurity training.
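The analysis step above, and the calculation in the definition, as an added worked example (not code from the original page or from any simulation platform). It assumes a constructed set of tested employees with a department field and a constructed list of tracking events in the form (user id, event type); each employee counts at most once even if they clicked several times, an "opened" event alone is not treated as a failure because mail clients may fetch content automatically, and a group in which nobody was tested reports None instead of dividing by zero.

```python
"""Compute a phish-prone percentage from simulated-campaign tracking events.

Added example, not from the glossary page: the event format, the
department field and the helper names are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample data: every employee who received the test email,
# keyed by user id, with the department they belong to.
TESTED = {
    "u001": "finance", "u002": "finance", "u003": "finance",
    "u004": "engineering", "u005": "engineering",
    "u006": "sales", "u007": "sales", "u008": "sales", "u009": "sales", "u010": "sales",
}

# Constructed campaign events as a tracking platform might log them:
# (user id, event type). Only "clicked" counts as falling for the test here.
EVENTS = [
    ("u001", "opened"),
    ("u001", "clicked"),
    ("u001", "clicked"),      # a second click by the same user must not count twice
    ("u002", "opened"),       # opened only: not a failure
    ("u004", "clicked"),
    ("u006", "opened"),
    ("u006", "clicked"),
    ("u999", "clicked"),      # id not in the tested population: ignored
]

FAIL_EVENTS = {"clicked"}


def phished_users(events, tested, fail_events=FAIL_EVENTS):
    """Return the set of tested user ids that triggered a failing event (deduplicated)."""
    return {uid for uid, kind in events if kind in fail_events and uid in tested}


def phish_prone_percentage(num_phished, num_tested):
    """Phish-prone % = phished / tested * 100, rounded to one decimal; None when nobody was tested."""
    if num_tested == 0:
        return None
    return round(100.0 * num_phished / num_tested, 1)


def campaign_report(events, tested):
    """Overall and per-department phish-prone percentages for one campaign."""
    phished = phished_users(events, tested)
    per_dept_tested = defaultdict(int)
    per_dept_phished = defaultdict(int)
    for uid, dept in tested.items():
        per_dept_tested[dept] += 1
        if uid in phished:
            per_dept_phished[dept] += 1
    report = {"overall": phish_prone_percentage(len(phished), len(tested))}
    for dept in per_dept_tested:
        report[dept] = phish_prone_percentage(per_dept_phished[dept], per_dept_tested[dept])
    return report


if __name__ == "__main__":
    for group, pct in campaign_report(EVENTS, TESTED).items():
        print(f"{group}: {pct}%")
```

With the constructed data the overall figure is 30.0% (3 of 10 tested employees clicked), and the per-department breakdown shows where follow-up training is most needed, which a single organization-wide number hides.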