Phishing Risk Score: Measure Your Organisation's Phishing Resilience
Widely cited industry figures attribute 90% or more of successful cyber attacks to an initial phishing email. Technical controls alone are not enough: once a message reaches an inbox, the human factor decides whether the attack succeeds. Our Phishing Risk Score tool measures both sides of your defence and provides a realistic picture of how resilient your organisation truly is against phishing, spear phishing, smishing, vishing and Business Email Compromise.
What is the Phishing Risk Score tool?
The Phishing Risk Score is an online assessment that measures your organisation's phishing resilience on two levels: technical protection and human resilience. The tool analyses which technical controls you have implemented (email filtering, SPF/DKIM/DMARC, MFA) and how well your employees are trained to recognise and report phishing.
The result is a risk score from 0 to 100, broken down into a technical and a human component. An organisation with strong technical filters but untrained employees scores fundamentally differently from an organisation with basic technology but an excellent security awareness culture. By combining both factors, the tool provides a realistic overall picture.
Phishing is not only the most common attack vector, it is also the attack vector that evolves the fastest. Attackers deploy increasingly sophisticated techniques, from AI-generated spear phishing to deepfake voice phishing. Only organisations that continuously strengthen both their technical defences and their human firewall will remain resilient in the long term.
Methodology and sources
The Phishing Risk Score is based on leading industry data and frameworks:
- KnowBe4 Phishing Industry Benchmarks -- the largest global study of phishing click rates, with data from millions of simulated phishing emails across a wide range of sectors and organisation sizes. These benchmarks provide the sector averages against which your organisation is measured.
- Proofpoint State of the Phish -- annual research into phishing trends, attack techniques and the effectiveness of awareness programmes. Offers insight into which types of phishing are most successful per sector.
- NIST SP 800-61 -- the Computer Security Incident Handling Guide from the National Institute of Standards and Technology, which provides the framework for incident response and reporting procedures.
The tool combines these sources into a scoring model that weighs technical protection and the human factor. Technical controls form the first line of defence: they filter the vast majority of phishing attempts before employees ever see them. But no filter is 100% effective. The phishing emails that get past the technical filters are precisely the most sophisticated and dangerous. At that point, the human factor is decisive.
How does the tool work? 2 steps to your phishing risk profile
Inventory technical protection
In the first step, you map out your organisation's technical anti-phishing controls. You start by selecting your sector, because click rates and attack patterns vary significantly by industry. You then indicate which technical controls are in place:
- Email filtering / anti-spam -- the baseline that stops the majority of phishing emails before they reach the inbox.
- SPF/DKIM/DMARC -- email authentication protocols that let receiving mail servers verify that a message claiming to come from your domain was actually authorised by you. With DMARC at enforcement, exact-domain spoofing is rejected by receivers that honour the policy. Note that these protocols do nothing against lookalike domains or mail sent from a compromised legitimate mailbox.
- URL scanning -- real-time checking of links in emails against known and unknown malicious destinations.
- Attachment sandboxing -- opening attachments in an isolated environment to detect malware before the attachment reaches the user.
- MFA on all accounts -- an additional verification layer that prevents stolen credentials on their own from leading to account takeover. Phishing-resistant methods (FIDO2 security keys, passkeys) are far stronger than SMS or one-time codes, which can be relayed by a real-time phishing proxy.
- Browser isolation / web filtering -- an additional security layer that prevents employees from reaching malicious websites, even if they click on a phishing link.
Finally, you indicate how broadly MFA has been deployed: from not implemented to full coverage for all employees. The MFA adoption rate is a critical factor, because a chain is only as strong as its weakest link. Even if 95% of employees use MFA, the remaining 5% represent an attack vector that attackers actively look for, and the same applies to service accounts, shared mailboxes and legacy authentication protocols that bypass MFA entirely.
Technical controls are the first layer of defence, but they do not catch everything. According to Proofpoint, an average of 7% of phishing emails pass all technical filters. For targeted spear phishing, this percentage is even higher. That is why the second step is equally important.
Assess the human factor
The second step analyses how well your employees are prepared for phishing. The human factor is the weakest link in cybersecurity, yet at the same time the most trainable. Four indicators are measured:
- Training frequency -- how often do employees receive security awareness training? The options range from no training to continuous (quarterly or more). Research by KnowBe4 shows that organisations with continuous training reduce their click rate by an average of 86% compared to untrained employees.
- Phishing simulations -- are simulated phishing attacks conducted to test resilience? One-off simulations provide a snapshot, but only with regular simulations (quarterly or more) does a measurable trend and a continuous learning effect emerge.
- Click rate -- what is the average click rate in phishing simulations? This percentage is the most direct indicator of human resilience. The scale runs from unknown (never measured) to less than 5% (excellent). Organisations that do not know their click rate are carrying an unmeasured, and therefore unmanaged, risk and are scored accordingly.
- Reporting culture -- how well do employees report suspicious emails? An active reporting culture with a phish alert button is the strongest indicator of security awareness: the reporting rate, not only the click rate, shows whether the security team learns about an attack while it is still in progress. The difference between "I ignored it" and "I reported it" can be the difference between a thwarted attack and a full-scale data breach.
The human factor carries significant weight in the overall score, and rightly so. An organisation with perfect technical protection but untrained employees is vulnerable the moment a sophisticated phishing email slips through the filters. Conversely, a strong security culture can partly compensate for technical shortcomings: an employee who recognises and reports a phishing email gives the security team the chance to stop an incident early, regardless of the technology in place.
What do you get?
After completing both steps, the tool generates a comprehensive risk profile:
- Phishing Risk Score (0-100) -- your overall score indicating how resilient your organisation is against phishing attacks. The higher the score, the better protected you are.
- Category scores -- separate scores for technical protection and human resilience. This allows you to see immediately where your strengths and areas for improvement lie.
- Sector comparison -- how does your organisation score relative to the average in your sector? Based on KnowBe4 and Proofpoint benchmark data.
- Priority recommendations -- concrete improvement actions, ranked by impact. The tool focuses on the controls that make the biggest difference for your specific profile.
Free report: instant insight into your phishing resilience
The free PDF report gives you a clear overview of your organisation's phishing resilience. You receive your risk score, an analysis of strengths and weaknesses, and concrete recommendations you can apply immediately. The report is suitable for sharing with management and IT stakeholders.
- Phishing Risk Score with category breakdown
- Overview of strengths and weaknesses
- Top priority recommendations
- Sector average as reference
Premium assessment: in-depth phishing risk analysis
The premium assessment goes beyond an overall score. You receive an in-depth analysis that examines your phishing resilience from multiple angles and delivers a concrete improvement plan.
- Analysis of 5 phishing types -- separate risk assessments for email phishing, spear phishing, smishing (SMS), vishing (voice) and Business Email Compromise (BEC). Each variant has different attack characteristics and requires different defence strategies.
- Estimated click rate per attack type -- based on your profile and sector data, an estimate of how many employees would click on each variant. This makes the risk of specific attack techniques tangible.
- Sector comparison on KnowBe4/Proofpoint data -- detailed benchmark against your sector based on the most recent industry data, including trend analysis showing how sectors are developing.
- Complete awareness programme with training schedule -- a detailed annual plan for security awareness, with training frequency, simulation schedule, escalation models and measurable KPIs to monitor progress.
- Technical recommendations -- detailed implementation advice for DMARC, SPF, DKIM and email gateway configuration. Including step-by-step instructions and recommended settings.
- Role-based risk analysis per department -- not every employee has the same risk profile. Finance staff are the primary target for BEC, while HR is vulnerable to recruitment fraud. The premium report analyses risks per department and provides targeted recommendations.
Free vs. premium comparison
| Component | Free | Premium |
|---|---|---|
| Phishing Risk Score | ✓ | ✓ |
| Category scores (technical vs. human) | ✓ | ✓ |
| Priority recommendations | ✓ | ✓ |
| Sector comparison (basic) | ✓ | ✓ |
| Analysis of 5 phishing types | ✗ | ✓ |
| Estimated click rate per attack type | ✗ | ✓ |
| Extended sector comparison with trend data | ✗ | ✓ |
| Complete awareness programme with training schedule | ✗ | ✓ |
| Technical recommendations (DMARC/SPF/DKIM/gateway) | ✗ | ✓ |
| Role-based risk analysis per department | ✗ | ✓ |
Frequently Asked Questions
What exactly is phishing?
Phishing is a form of social engineering in which cybercriminals impersonate a trusted party -- a bank, supplier, colleague or government agency -- to trick victims into sharing sensitive information, clicking on a malicious link or transferring money. The word is a play on "fishing": the attacker casts a line and hopes someone bites. Phishing has been the most common attack vector for more than two decades, and widely cited industry figures attribute 90% or more of successful cyber attacks to it.
How do you recognise a phishing email?
Classic signals include unusual sender addresses (check the actual domain after the @, not the display name, and watch for subtle spelling differences), urgent or threatening language ("your account will be blocked within 24 hours"), unexpected attachments, suspicious links (hover over the link to see the actual address), language errors and requests for sensitive information that the legitimate organisation would never ask for by email. Modern phishing is becoming increasingly hard to detect, however. AI-generated emails no longer contain language errors, and personalised spear phishing uses information from LinkedIn and company websites. That is why ongoing training with regular simulations is more effective than relying on recognition cues alone.
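The "subtle spelling differences" cue above is the one that can be automated. The following is an added example, not code from the tool or this page, that checks the sender domain of an address against a list of trusted domains and flags the common lookalike patterns: digit-for-letter and rn/m confusables, one- or two-character typo-squats, a trusted domain used as a subdomain of an attacker-controlled domain, and a brand label padded with extra words. The trusted domains and sample addresses are constructed for the demo; the registrable-domain logic is simplified and a real implementation should use the Public Suffix List.

```python
"""Flag lookalike sender domains. Added example; sample data is constructed."""

# Constructed trusted domains for the demo (not real organisations).
TRUSTED = {"example-corp.test", "paymentpartner.test"}

# Single characters that attackers swap for visually similar letters.
CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Letter pairs that render like a single letter in many fonts.
PAIR_MAP = {"rn": "m", "vv": "w"}


def normalize(domain):
    """Collapse confusable characters so 'exarnp1e' and 'example' compare equal."""
    d = domain.lower().translate(CHAR_MAP)
    for pair, replacement in PAIR_MAP.items():
        d = d.replace(pair, replacement)
    return d


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), standard DP over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label only. Simplification: real code should use the Public Suffix List."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def check_sender_domain(domain, trusted=TRUSTED):
    """Return None for an exact trusted domain, otherwise a reason string if it looks like a lookalike."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    # Internationalised labels can hide Cyrillic/Greek homoglyphs; do not try to be clever, escalate.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "internationalised (punycode) label; inspect manually"
    for t in trusted:
        # 'example-corp.test.evil.test' ends in the attacker's domain, not ours.
        if domain.startswith(t + "."):
            return f"trusted domain {t} used as a subdomain of {domain}"
    normalized = normalize(domain)
    for t in trusted:
        if normalized == normalize(t):
            return f"confusable characters imitate {t}"
        distance = edit_distance(domain, t)
        if distance <= 2:
            return f"typo-squat of {t} (edit distance {distance})"
        brand = registrable_label(t)
        if brand in registrable_label(domain):
            return f"brand label '{brand}' embedded in {registrable_label(domain)}"
    return None


def sender_domain(address):
    """Domain part of an email address (the text after the last '@')."""
    return address.rsplit("@", 1)[-1]


def scan(addresses):
    """Map each address to None (looks genuine) or a reason it looks like a lookalike."""
    return {a: check_sender_domain(sender_domain(a)) for a in addresses}


# Constructed sample senders, one per pattern plus two genuine ones.
SAMPLE_SENDERS = [
    "invoices@example-corp.test",             # genuine
    "ceo@examp1e-corp.test",                  # digit 1 for letter l
    "it@exarnple-corp.test",                  # 'rn' for 'm'
    "hr@examplecorp.test",                    # hyphen dropped: edit distance 1
    "support@example-corp-secure.test",       # brand label padded with '-secure'
    "billing@example-corp.test.evil.test",    # trusted domain as a subdomain
    "friend@unrelated.test",                  # genuine, unrelated
]

if __name__ == "__main__":
    for address, verdict in scan(SAMPLE_SENDERS).items():
        print(f"{address:40s} {verdict or 'ok'}")
```

The checks are ordered from cheapest and most certain (exact match, subdomain trick) to fuzzier ones (edit distance, embedded brand). A mail gateway would run this on the RFC 5322 From: domain after DMARC evaluation, since DMARC only protects your exact domain and says nothing about these imitations.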
What percentage of employees click on phishing?
According to the KnowBe4 Phishing Industry Benchmarks, an average of 34% of untrained employees click on a phishing link. After 90 days of security awareness training, this drops to an average of 18%. After a year of continuous training with regular simulations, the click rate drops to an average of 5%. The exact percentage varies significantly by sector: healthcare and education typically score higher, while the financial sector and technology companies score lower due to stricter compliance requirements and higher security awareness.
How often should you conduct phishing simulations?
Best practice is to conduct phishing simulations at least quarterly, preferably monthly. Research shows that the effect of a one-off training fades within three months. Regular simulations keep employees alert and create a measurable trend that allows you to demonstrate the effectiveness of your awareness programme. Variation is key: alternate between standard phishing, spear phishing, smishing (SMS) and vishing (voice), and vary the difficulty level. A good simulation programme is not intended to punish employees, but to foster learning and continuously strengthen the organisation's resilience.
What is DMARC and why is it important against phishing?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM. A message passes DMARC when the domain in the visible From: header aligns with a domain that SPF or DKIM authenticated, and the published policy (p=none, p=quarantine or p=reject) tells receiving servers what to do with mail that fails. Without an enforcing policy, an attacker can send an email that lands in your customer's inbox as though it came from your organisation. With DMARC set to "reject", such forged emails are blocked by every receiver that honours the policy. DMARC also provides aggregate reports (the rua tag) that show who is sending email on behalf of your domain, which is why a rollout usually starts at p=none, fixes the legitimate senders that fail, and then moves to quarantine and reject. Keep in mind that DMARC protects only your exact domain: lookalike domains and mail sent from a compromised legitimate mailbox pass it unchanged. Despite its importance, according to research only 30% of Dutch organisations have DMARC correctly configured at enforcement level.
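The "correctly configured at enforcement level" distinction is more than p=reject versus p=none: a record with pct=25 only enforces on a quarter of failing mail, and sp=none leaves every subdomain spoofable. The following is an added example, not code from the tool or this page, that parses DMARC TXT records and classifies them as enforced, partial, monitor-only or missing, with the findings a practitioner would want to see. The records are constructed stand-ins for DNS answers; in practice you would fetch `_dmarc.<domain>` with a resolver such as dnspython instead of reading a dict.

```python
"""Classify DMARC records by enforcement level. Added example; records are constructed."""

# Constructed TXT records for _dmarc.<domain>; none of these domains are real.
SAMPLE_RECORDS = {
    "strong.test":  "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@strong.test",
    "monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.test",
    "partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.test":  "v=DMARC1; rua=mailto:x@broken.test",   # required p= tag missing: invalid
    "missing.test": None,                                    # no _dmarc TXT record at all
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; return None if it is not a usable DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None                       # malformed tag such as 'p' without '='
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 is mandatory and p= is required on the organisational domain.
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def classify_dmarc(record):
    """Return (level, findings): level is 'enforced', 'partial', 'monitor' or 'missing'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no valid DMARC record: receivers apply no policy to spoofed mail"]

    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only reports; failing mail is still delivered")
        return "monitor", findings

    level = "enforced"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                              # receivers ignore an unparsable pct
    if pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy == "none":
        level = "partial"
        findings.append("sp=none: subdomains can still be spoofed")
    elif subdomain_policy == "quarantine" and policy == "reject":
        findings.append("sp=quarantine is weaker than the p=reject parent policy")

    if policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam rather than being rejected")
    if "rua" not in tags:
        findings.append("no rua address: you receive no aggregate reports about who sends as you")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":
            findings.append(f"{tag}=r (default): any subdomain of the sender may align")
    return level, findings


def audit(records):
    """Classify every domain in a {domain: record} mapping."""
    return {domain: classify_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, (level, findings) in audit(SAMPLE_RECORDS).items():
        print(f"{domain:14s} {level:9s} " + "; ".join(findings))
```

A score model would treat only "enforced" as full credit; "partial" records are the ones that look fine in a quick glance at p= but still leave a gap an attacker can use.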
Does MFA help against phishing?
MFA (Multi-Factor Authentication) is one of the most effective layers of defence against phishing. If an employee accidentally enters credentials on a phishing page, the attacker cannot log in without the second factor (SMS code, authenticator app or hardware key). Microsoft estimates that MFA blocks more than 99% of credential-based attacks. Note, however, that not all MFA is equal: SMS and one-time codes can be relayed, and advanced attackers use real-time phishing proxies (such as Evilginx) that sit between the victim and the real login page and capture the authenticated session as it is established. The strongest protection is provided by phishing-resistant methods such as FIDO2 security keys and passkeys: the browser binds each signature to the origin the user is actually visiting, so a response produced on a lookalike site is rejected by the legitimate service and cannot be replayed there.
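To make the origin-binding argument concrete, the following is an added example, not code from the tool or this page, that simulates a WebAuthn assertion and the relying party's checks on it. The domain names are made up, and the ECDSA signature a real authenticator produces is stood in for by an HMAC with a shared key so the example runs without a crypto library; everything else follows the WebAuthn structure: the browser, not the page, writes the origin into clientDataJSON, the authenticator signs over authenticatorData (which carries the RP ID hash) plus the hash of clientDataJSON, and the relying party verifies challenge, origin, RP ID hash and signature. The three scenarios show a legitimate login, a proxied phish on a lookalike origin, and an attacker who tries to rewrite the origin before forwarding.

```python
"""WebAuthn origin binding against a phishing proxy. Added example; names and keys are made up."""
import base64
import hashlib
import hmac
import json
import os

# Assumed relying party (made up) and a lookalike phishing origin as described in the FAQ.
RP_ID = "login.example-corp.test"
GOOD_ORIGIN = "https://login.example-corp.test"
PHISH_ORIGIN = "https://login.example-corp-secure.test"

# Stand-in for the credential key pair. Real authenticators sign with a private ECDSA/EdDSA
# key and the RP verifies with the public key registered at enrolment; an HMAC secret is
# used here only so the demo runs with the standard library.
CREDENTIAL_KEY = b"demo-credential-key-not-a-real-secret"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticator_sign(origin, rp_id, challenge):
    """What browser + authenticator return for navigator.credentials.get().

    The browser fills in `origin` from the page the user is really on; page JavaScript
    cannot override it. The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")   # flags: UP set; signCount = 1
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed_bytes, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(client_data, auth_data, signature, expected_challenge):
    """Relying-party checks in the order the WebAuthn spec lists them. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != GOOD_ORIGIN:
        return False, f"origin mismatch: response was produced on {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature: clientDataJSON was altered after signing"
    return True, "ok"


def legitimate_login():
    challenge = os.urandom(32)
    return rp_verify(*authenticator_sign(GOOD_ORIGIN, RP_ID, challenge), challenge)


def proxied_phish():
    """A reverse proxy relays the real challenge to a victim browsing PHISH_ORIGIN."""
    challenge = os.urandom(32)
    return rp_verify(*authenticator_sign(PHISH_ORIGIN, RP_ID, challenge), challenge)


def phish_with_rewritten_origin():
    """The proxy edits clientDataJSON to claim GOOD_ORIGIN before forwarding it."""
    challenge = os.urandom(32)
    client_data, auth_data, signature = authenticator_sign(PHISH_ORIGIN, RP_ID, challenge)
    forged = client_data.replace(PHISH_ORIGIN.encode(), GOOD_ORIGIN.encode())
    return rp_verify(forged, auth_data, signature, challenge)


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_login), ("proxied", proxied_phish),
                     ("rewritten origin", phish_with_rewritten_origin)]:
        print(f"{name:17s} -> {fn()}")
```

In a real browser the proxied case fails even earlier: the browser refuses to use the RP ID `login.example-corp.test` from an origin that is not that domain or one of its subdomains, so the authenticator is never invoked. The relying-party checks above are the second, independent layer, and the last scenario shows why a proxy cannot simply lie about the origin: the origin is inside the data the signature covers.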
What is spear phishing and how does it differ from regular phishing?
Regular phishing is mass-distributed and impersonal: the same generic email is sent to thousands or millions of recipients. The click rate is low, but the volume makes it profitable for attackers. Spear phishing targets a specific individual or small group, with personalised content based on publicly available information. A spear phishing email might reference a recent project, mention a colleague by name or capitalise on a current company event. Due to this personalisation, the click rate for spear phishing is up to ten times higher than for regular phishing. Business Email Compromise (BEC) is the most advanced form: the attacker impersonates an executive, a supplier or a colleague, often from a genuinely compromised mailbox or a lookalike domain so that email authentication checks pass, and requests a payment, an invoice change or sensitive data.
What are the costs of a successful phishing attack?
The costs depend heavily on the type of attack and its consequences. A successful Business Email Compromise costs an average of 125,000 euros per incident, according to FBI IC3 data. If a phishing attack leads to a data breach, costs escalate to an average of 4.76 million dollars globally (IBM Cost of a Data Breach 2023, breaches with phishing as the initial vector). For Dutch SMEs, the average costs of a cyber incident caused by phishing range between 50,000 and 200,000 euros, including direct damage, recovery costs, productivity loss and legal expenses. In addition, there are indirect costs such as reputational damage and customer attrition that are difficult to quantify but are often substantial.
Calculate Phishing Score
Measure your organisation's phishing resilience right away. Receive your risk score, category breakdown and priority recommendations in a clear PDF report.
Start free assessment
In-depth phishing analysis
Receive an analysis of 5 phishing types, estimated click rate per variant, complete awareness programme and role-based risk analysis for € 79.
Start premium assessment