Phishing Simulation Campaign Review
Documents a simulated phishing campaign's outcomes including click rates, report rates, and follow-up training completion for employees who failed the simulation.
Campaign Overview
- What was the name or identifier of this phishing simulation campaign?
  Enter the campaign name or ID as recorded in your phishing simulation platform (e.g., KnowBe4, Proofpoint, Cofense).
- What phishing template type was used in this campaign?
  Select the category that best describes the simulated phishing lure used.
- How would you rate the overall realism and difficulty of this simulation's phishing lure?
  1 = Very easy to detect (obvious phish), 5 = Very difficult to detect (highly convincing)
- What was the total number of employees targeted in this campaign?
  Enter the exact headcount of recipients included in the simulation send.
- Which departments or employee groups were included in this campaign?
  List all departments, business units, or role groups targeted (e.g., Finance, HR, All Staff, New Hires <90 days).
Simulation Results & Key Metrics
- What was the overall email open rate for this campaign? (%)
  Enter the percentage of targeted employees who opened the simulated phishing email.
- What was the overall click rate (link clicked or attachment opened) for this campaign? (%)
  Enter the percentage of targeted employees who clicked the simulated malicious link or opened the simulated attachment; this is the primary failure metric.
- How would you rate the click rate outcome relative to your organization's acceptable risk threshold?
  1 = Far exceeds acceptable threshold (critical concern), 5 = Well within acceptable threshold (strong performance)
- What was the phishing report rate for this campaign? (%)
  Enter the percentage of targeted employees who correctly reported the simulated phish via your reporting mechanism (e.g., Phish Alert Button, IT helpdesk).
- How would you rate the report rate outcome relative to your security awareness program goals?
  1 = Far below program goals (needs significant improvement), 5 = Meets or exceeds program goals (strong reporting culture)
- Were there any departments or roles with notably higher-than-average click rates? If so, describe them.
  Identify any high-risk segments for targeted follow-up. Include the department name and its click rate if available.
Failure Analysis & Risk Assessment
- What was the total number of employees who failed this simulation (clicked or submitted credentials)?
  Enter the raw headcount of employees who failed, not just the percentage.
- How would you rate the overall security risk posed by the observed failure patterns in this campaign?
  1 = High risk (widespread failures, sensitive roles affected), 5 = Low risk (isolated failures, low-sensitivity roles)
- Were repeat failers identified (employees who also failed a previous simulation campaign)?
  Repeat failers represent an elevated risk profile and may require escalated intervention beyond standard remedial training.
- If repeat failers were identified, describe the escalation plan for these individuals.
  Examples: manager notification, mandatory 1:1 security coaching, HR involvement per policy, increased simulation frequency.
- What indicators of compromise (IOCs) or red flags were present in the simulation that failers missed?
  Document the specific phishing indicators employees should have recognized (e.g., spoofed sender domain, urgency language, mismatched URLs, unexpected attachment).
Remedial Training & Follow-Up
- Was immediate remedial training (landing page or auto-enrolled module) triggered for employees who failed?
  Best practice per NIST SP 800-50 and SANS Security Awareness guidelines is to deliver just-in-time training at the moment of failure.
- How would you rate the relevance and quality of the remedial training content delivered to failers?
  1 = Poorly matched to the simulation scenario (generic, unhelpful), 5 = Highly relevant and actionable (directly addresses the failure)
- What percentage of failers completed the assigned remedial training module? (%)
  Enter the completion rate for the follow-up training assigned to employees who failed the simulation.
- How would you rate the overall remedial training completion rate for this campaign?
  1 = Very low completion (significant follow-up required), 5 = Near-complete or full completion (strong compliance)
- Were any failers non-compliant with the remedial training deadline? If yes, describe the follow-up actions taken.
  Document escalation steps for non-compliant employees (e.g., manager notification, HR referral, access restriction per acceptable use policy).
Program Effectiveness & Continuous Improvement
- How does this campaign's click rate compare to the previous campaign's click rate for the same population?
  Trend direction is a key indicator of security awareness program ROI. A declining click rate over time signals program effectiveness.
- How would you rate the overall effectiveness of your organization's security awareness program based on this campaign's results?
  1 = Ineffective (no measurable improvement, high risk), 5 = Highly effective (consistent improvement, strong security culture)
- What changes to simulation design, targeting, or training content would you recommend for the next campaign?
  Consider: lure difficulty calibration, department-specific targeting, training content updates, reporting mechanism visibility, or cadence adjustments.
- Are there any additional observations, anomalies, or context from this campaign that should be documented?
  Use this space to capture anything not covered above, e.g., platform technical issues, unusual employee feedback, or external events that may have influenced results.
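The following is an added example, not part of this template or of any simulation platform's own reporting, that computes the figures the Results, Failure Analysis, Remedial Training and Program Effectiveness sections ask for from per-recipient send results: open, click and report rates over the targeted headcount, the failed headcount, departments clicking above the campaign-wide rate, repeat failers matched against a previous campaign's failer list, remedial completion among failers, and the click-rate trend. The recipient records, department names and previous-campaign figures are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Recipient:
    email: str
    dept: str
    opened: bool
    clicked: bool   # clicked the link or opened the attachment: the failure event
    reported: bool  # reported the phish via the report button or helpdesk
    trained: bool   # completed the assigned remedial module (meaningful for failers)

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0  # safe for empty sets

def campaign_metrics(recipients, previous_failers=frozenset(), previous_click_rate=None):
    """Key metrics from the review form for one simulation send."""
    total = len(recipients)
    failers = {r.email for r in recipients if r.clicked}
    click_rate = pct(len(failers), total)
    by_dept = {}  # dept -> (targeted, clicked)
    for r in recipients:
        sent, clicked = by_dept.get(r.dept, (0, 0))
        by_dept[r.dept] = (sent + 1, clicked + int(r.clicked))
    return {
        "targeted": total,
        "open_rate": pct(sum(r.opened for r in recipients), total),
        "click_rate": click_rate,
        "report_rate": pct(sum(r.reported for r in recipients), total),
        "failed_headcount": len(failers),
        # failed this campaign and an earlier one: candidates for escalated intervention
        "repeat_failers": sorted(failers & set(previous_failers)),
        # departments clicking above the campaign-wide rate: segments for targeted follow-up
        "high_risk_depts": {d: pct(c, s) for d, (s, c) in by_dept.items() if pct(c, s) > click_rate},
        "remedial_completion": pct(sum(r.trained for r in recipients if r.clicked), len(failers)),
        # negative delta means the click rate fell since the previous campaign
        "trend_vs_previous": None if previous_click_rate is None else round(click_rate - previous_click_rate, 1),
    }

SAMPLE_RECIPIENTS = [  # constructed sample send: 8 recipients, three departments, not real data
    Recipient("a@example.com", "Finance", True, True, False, True),
    Recipient("b@example.com", "Finance", True, True, False, False),
    Recipient("c@example.com", "Finance", True, False, True, False),
    Recipient("d@example.com", "HR", True, True, False, True),
    Recipient("e@example.com", "HR", False, False, False, False),
    Recipient("f@example.com", "Engineering", True, False, True, False),
    Recipient("g@example.com", "Engineering", True, False, True, False),
    Recipient("h@example.com", "Engineering", False, False, False, False),
]
PREVIOUS_FAILERS = {"b@example.com", "g@example.com"}  # constructed prior-campaign failers
PREVIOUS_CLICK_RATE = 45.0                              # constructed prior-campaign click rate
```

Calling `campaign_metrics(SAMPLE_RECIPIENTS, PREVIOUS_FAILERS, PREVIOUS_CLICK_RATE)` yields a 37.5% click rate with Finance and HR above it, one repeat failer, and a 7.5-point decline versus the previous campaign.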