People who don’t open live phishing test messages, don’t count. Well, what I mean is that it’s inaccurate to call this a “pass”. Whether they even see the message at all often depends on the subject line, and  how it resonates with an individual.

How can we use that data if we don’t know why they didn’t open it? Did the employee recognize the email as a test, just by seeing the subject line?

If an employee recognizes the subject line as a likely phishing test, that may be a good thing. But, if we don’t know “why” they didn’t open it, we can’t assume they are capable of spotting other key elements of phishing threats.

Different message subject lines will resonate differently with each employee. For example:

– Do they want “concert tickets”?
– Have they already done their holiday shopping?
– Did they just get a payroll deposit, and the subject is suspect?
– Does subject line only matter to some in the organization?

A computer mouse representing click through rates

It’s been a “super-fantastic” experience to see people learning and talking about security threats.

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

These are the kinds of questions that organizations need to consider within each and every live phishing test campaign.

How compelling should the subject line be? This deliberation takes a lot of time and effort, which many organizations don’t recognize. What we decide to put into the subject line has such a great effect on whether the employee even opens the message, that the “click rate” will be far from accurate.

This means there is only marginal value in tracking a trend based only on “click rates”. When you think about it carefully, how much does the “click rate” really mean when the subject line itself can skew the data a lot? And how do you measure employees’ ability to spot other elements of phishing attacks if the “click rate” is the only thing we know?

We need a more accurate and reliable way to measure employees’ capabilities for spotting threats, to manage their vulnerability.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.