
Credential phishing and human risk: what security teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Credential theft drives about 50% of breaches, according to Abnormal AI, yet most simulations still track clicks rather than credential entry, which is the more serious breach indicator. The practical shift is from awareness reporting to behavior-based risk measurement, because completion metrics alone do not tell security leaders whether training reduces exposure.

NHIMG editorial — based on content published by Abnormal AI

Questions worth separating out

Q: How should security teams measure human risk in phishing simulations?

A: They should measure more than clicks.

Q: Why do credential phishing simulations matter more than generic awareness tests?

A: Credential phishing simulations matter because they model the attacker goal, not just user attention.

Q: What should organisations do after employees submit credentials in a simulation?

A: Treat the result as a risk indicator, not a training score.

Practitioner guidance

  • Measure credential submission separately from click rates: Track when users enter credentials on simulations as a distinct event class, then use that signal for risk scoring, escalation, and follow-up training.
  • Segment follow-up training by behaviour, not by attendance: Use simulation results to identify top reporters, repeat clickers, and users who submit credentials, then route each group into different interventions instead of a single generic refresher.
  • Build board reporting around resilience metrics: Replace manual spreadsheet preparation with a small dashboard set that shows reporting rates, behavioural trends, and changes over time across simulation types, so governance reviews reflect risk movement.

What's in the full article

Abnormal AI's full post covers the operational detail this post intentionally leaves for the source:

  • Executive dashboard fields and reporting views that security leaders can use for board preparation
  • Enhanced reporting workbook outputs for BI tools and segmented analysis
  • Credential-phishing simulation examples that mirror fake SaaS login prompts and reauthentication pages
  • Guidance for routing users who submit credentials into targeted follow-up training

👉 Read Abnormal AI's update on executive dashboards and credential phishing simulations →
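As an added example (not Abnormal AI's or NHIMG's code), here is one way to implement the practitioner guidance above in Python: credential entry is counted as its own event class rather than folded into clicks, users are segmented by behaviour for follow-up, and per-campaign rates are computed for a dashboard. The event names, risk weights and segment thresholds are assumptions made for the example, and the event log is constructed.

```python
# Added example, not code from Abnormal AI or NHIMG: classify phishing-simulation
# events so credential entry is its own event class, segment users by behaviour,
# and compute the campaign-level rates a resilience dashboard would show.
from collections import defaultdict

# Constructed sample events: (user, campaign, event). The event names are
# assumed for this example: "sent", "clicked", "submitted", "reported".
EVENTS = [
    ("alice", "saas-login", "sent"), ("alice", "saas-login", "reported"),
    ("bob", "saas-login", "sent"), ("bob", "saas-login", "clicked"),
    ("bob", "reauth", "sent"), ("bob", "reauth", "clicked"),
    ("carol", "saas-login", "sent"), ("carol", "saas-login", "clicked"),
    ("carol", "saas-login", "submitted"),
    ("dave", "reauth", "sent"),
]

# Assumed weights: credential entry is the breach-relevant outcome, so it dominates.
RISK_WEIGHTS = {"clicked": 1, "submitted": 5, "reported": -1}

def user_profiles(events):
    """Per-user counts of each event class; one 'sent' per simulation delivered."""
    profiles = defaultdict(lambda: defaultdict(int))
    for user, _campaign, event in events:
        profiles[user][event] += 1
    return profiles

def segment(profile):
    """Route a user to an intervention group by behaviour, not by attendance."""
    if profile["submitted"] > 0:
        return "credential-submitter"   # identity exposure: escalate, targeted training
    if profile["clicked"] >= 2:
        return "repeat-clicker"         # awareness failure: refresher
    if profile["reported"] > 0 and profile["clicked"] == 0:
        return "top-reporter"           # positive behaviour: recognise
    return "baseline"

def risk_score(profile):
    """Weighted score per user; reporting offsets clicks, floor at zero."""
    return max(0, sum(RISK_WEIGHTS.get(ev, 0) * n for ev, n in profile.items()))

def campaign_rates(events):
    """Click, credential-submission and reporting rates per campaign, as fractions of sends."""
    counts = defaultdict(lambda: defaultdict(int))
    for _user, campaign, event in events:
        counts[campaign][event] += 1
    return {c: {k: round(v[k] / v["sent"], 3) for k in ("clicked", "submitted", "reported")}
            for c, v in counts.items()}

def segments(events):
    """Map every user seen in the event log to an intervention group."""
    return {user: segment(p) for user, p in user_profiles(events).items()}
```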



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Credential entry is the governance signal that matters, not click-through volume. A user who types credentials into a spoofed page has crossed from awareness failure into identity exposure. That distinction should shape programme design because click metrics can be inflated by curiosity while credential submission points to likely compromise behaviour. The implication is that human risk programmes need to classify simulation outcomes by breach relevance, not engagement volume.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities (46% confirmed, 26% suspected), according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity weaknesses can compound once exposure starts.

A question worth separating out:

Q: Who should own phishing simulation reporting in an identity programme?

A: Ownership should sit jointly with security awareness, IAM, and risk leadership. Awareness teams manage the campaigns, IAM teams interpret the identity exposure, and risk leaders use the data for governance decisions. That split prevents the reporting from staying trapped in a training silo and makes it useful for account protection and board oversight.

👉 Read our full editorial: Credential phishing simulations expose human risk beyond click rates
