TL;DR: Researchers from the University of Chicago and UC San Diego found that most corporate training programs do little to reduce phishing risk, while Verizon's 2025 DBIR links the human element to roughly 60% of breaches and Abnormal AI's new scoring model shifts teams from click-rate proxies to behavioural measurement. The assumption that breaks here is that completion and click metrics can stand in for actual preparedness.
NHIMG editorial — based on content published by Abnormal AI: AI-powered human risk management and phishing risk scoring
By the numbers:
- The human element, including social engineering, error, or misuse, is involved in approximately 60% of breaches.
Questions worth separating out
Q: How should security teams measure phishing risk beyond click rates?
A: Use layered behavioural signals (opens, credential submission, reply behaviour, tactic-specific susceptibility) instead of a single click metric, and track them per employee and per scenario.
Q: Why do BEC and vendor fraud simulations matter for IAM programmes?
A: They test whether employees will act on a fraudulent request inside a real business workflow, which is where many identity and approval failures surface.
Q: What do security teams get wrong about phishing awareness training?
A: They assume that high training completion, or a falling click rate, means risk has gone down; both measure activity, not whether an employee would act on a fraudulent request.
Practitioner guidance
- Replace binary phishing metrics: Track opens, credential submission, reply behaviour, and tactic-specific susceptibility so security teams can see how risk changes by employee and by scenario.
- Build role-specific simulations: Use manager, finance, procurement, and vendor-facing scenarios that reflect the actual requests those teams receive in daily operations.
- Prioritise follow-up by risk segment: Focus coaching on cohorts with elevated behavioural risk instead of sending the same remediation content to the full workforce.
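As an added example (not code from the original page or from Abnormal AI), the Python below scores constructed simulation events with the layered signals listed above, groups the result by employee, role cohort and tactic, and builds a coaching queue from the risk tiers. The signal names, weights, tier thresholds and sample events are assumptions made for illustration; they do not represent Abnormal AI's Phishing Risk Scoring model. The same data is also reduced to a binary click rate so the two measures can be compared side by side.

```python
"""Behavioural phishing-risk scoring over simulation events (added example).

Signal names, weights, tier thresholds and sample events are assumptions
constructed for illustration, not Abnormal AI's scoring model or data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SimEvent:
    employee: str
    role: str
    tactic: str               # e.g. credential_harvest, bec_wire, vendor_invoice
    signals: Tuple[str, ...]  # behaviours observed in this one simulation


# Assumed weights: entering credentials or acting on a fraudulent request is
# the costly outcome; reporting is protective and pulls the score down.
SIGNAL_WEIGHTS: Dict[str, float] = {
    "opened": 1.0,
    "clicked": 2.0,
    "replied": 3.0,             # engaged with a BEC / vendor-fraud request
    "submitted_credentials": 5.0,
    "approved_request": 5.0,    # approved a fake payment or vendor change
    "reported": -2.0,
}
HIGH_THRESHOLD = 4.0      # assumed tier cut-offs on the mean per-event score
ELEVATED_THRESHOLD = 1.0

# Constructed sample data: two simulations per employee across three tactics.
EVENTS: List[SimEvent] = [
    SimEvent("alice", "finance", "bec_wire", ("opened", "replied", "approved_request")),
    SimEvent("alice", "finance", "credential_harvest", ("opened", "reported")),
    SimEvent("bob", "engineering", "credential_harvest", ("opened", "clicked", "submitted_credentials")),
    SimEvent("bob", "engineering", "bec_wire", ("reported",)),
    SimEvent("carol", "procurement", "vendor_invoice", ("opened", "clicked")),
    SimEvent("carol", "procurement", "vendor_invoice", ("opened", "reported")),
    SimEvent("dave", "finance", "bec_wire", ("reported",)),
    SimEvent("dave", "finance", "credential_harvest", ()),  # ignored the lure
]


def event_score(event: SimEvent) -> float:
    """Layered score for one simulation outcome, floored at zero."""
    unknown = set(event.signals) - set(SIGNAL_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    return max(0.0, sum(SIGNAL_WEIGHTS[s] for s in event.signals))


def mean_score_by(events: Iterable[SimEvent],
                  key: Callable[[SimEvent], str]) -> Dict[str, float]:
    """Mean event score grouped by any key: employee, role cohort or tactic."""
    groups: Dict[str, List[float]] = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(event_score(ev))
    return {k: sum(v) / len(v) for k, v in groups.items()}


def employee_scores(events: Iterable[SimEvent]) -> Dict[str, float]:
    return mean_score_by(events, lambda e: e.employee)


def tactic_scores(events: Iterable[SimEvent]) -> Dict[str, float]:
    """Tactic-specific susceptibility across the workforce."""
    return mean_score_by(events, lambda e: e.tactic)


def cohort_scores(events: Iterable[SimEvent]) -> Dict[str, float]:
    """Risk by role cohort, the unit used to target coaching."""
    return mean_score_by(events, lambda e: e.role)


def click_rate(events: Iterable[SimEvent]) -> Dict[str, float]:
    """The binary proxy: share of an employee's simulations with a click."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for ev in events:
        seen[ev.employee].append(int("clicked" in ev.signals))
    return {e: sum(v) / len(v) for e, v in seen.items()}


def segment(scores: Dict[str, float]) -> Dict[str, str]:
    """Assign each key to a high / elevated / low tier by score."""
    return {k: "high" if s >= HIGH_THRESHOLD
            else "elevated" if s >= ELEVATED_THRESHOLD else "low"
            for k, s in scores.items()}


def coaching_queue(events: Iterable[SimEvent]) -> List[str]:
    """Employees who need follow-up, highest behavioural risk first."""
    scores = employee_scores(list(events))
    tiers = segment(scores)
    return sorted((e for e, t in tiers.items() if t != "low"),
                  key=lambda e: -scores[e])


if __name__ == "__main__":
    rates = click_rate(EVENTS)
    for name, score in employee_scores(EVENTS).items():
        print(f"{name:6} behavioural={score:.2f} click_rate={rates[name]:.2f}")
    print("tactics:", tactic_scores(EVENTS))
    print("cohorts:", cohort_scores(EVENTS))
    print("coaching queue:", coaching_queue(EVENTS))
```

In the sample data alice never clicks a link, so a click-rate dashboard shows her at 0%, yet she replied to and approved a simulated wire request and lands in the high tier alongside bob, whose risk comes from submitting credentials. That gap between the two columns is the reason to record reply and approval behaviour, not just clicks.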
What's in the full article
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- How AI Phishing Coach automates campaign management and tailors simulations to individual behavioural signals.
- How Phishing Risk Scoring breaks down simulation opens, credential submissions, and tactic-level susceptibility.
- How BEC and VEC simulations use PeopleBase and VendorBase relationship data to mimic real fraud workflows.
- How security teams can use the platform's dashboard and risk segmentation features in day-to-day training operations.
👉 Read Abnormal AI's analysis of AI-native human risk management and phishing scoring →
Phishing risk scoring and human risk management: what changes now?
Explore further
Click-rate training is a proxy that has outlived its governance value: Measuring phishing readiness by who clicked or completed a module was always a simplification, and it now obscures more than it reveals. The underlying assumption was that a narrow simulation outcome could represent operational resilience. That assumption breaks when adversaries use varied, context-aware social engineering that does not map cleanly to a single click event. The implication is that human-risk governance has to move from attendance metrics to behavioural evidence.
A few things that frame the scale:
- The human element, including social engineering, error, or misuse, is involved in approximately 60% of breaches, according to Verizon DBIR.
- Identity and awareness programmes therefore cannot stop at completion metrics if the organisation wants a measurable reduction in exposure.
A question worth separating out:
Q: How can organisations tell if human-risk management is working?
A: Look for downward trends in behavioural susceptibility, improved performance in realistic simulations, and better targeting of coaching to higher-risk groups. If the programme only reports attendance or click rates, it is measuring activity, not security improvement.
👉 Read our full editorial: Human risk management is replacing phishing click-rate proxies