
It's not the actual individuals - it's the culture it creates: "HA! We caught you, you dumbass, here's 2hrs of training". This means people are afraid to report or take ownership over looking out for phishing, as it creates no benefit for them; it's just there to make the security team smug.

Having been part of and designed these campaigns before (with open source options like https://getgophish.com/), there is no way to report as phishing or reward users who detected it and therefore didn't interact with it. This means in your example - did the other 81% just not open it, ignore it, or actively think it was phishing? These are key metrics a company needs in order to know its potential attack surface.
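As an added illustration of the metric split the comment asks for (this is example code, not from the comment or from Gophish), the script below takes per-target campaign results and separates the "did not click" population into never-opened, opened-but-ignored, and actively reported. The input is a constructed sample; the status strings are assumed to follow the shape of Gophish's result records, and the `Email Reported` bucket is the one a campaign needs to populate (via a report button or mailbox rule) for the breakdown to mean anything.

```python
from collections import Counter

# Constructed sample of per-target results for one simulated campaign.
# Status values are assumed to mirror Gophish's result statuses; a target's
# status is the furthest stage that target reached.
SAMPLE_RESULTS = [
    {"email": "u1@example.com", "status": "Email Sent"},
    {"email": "u2@example.com", "status": "Email Sent"},
    {"email": "u3@example.com", "status": "Email Sent"},
    {"email": "u4@example.com", "status": "Email Opened"},
    {"email": "u5@example.com", "status": "Email Opened"},
    {"email": "u6@example.com", "status": "Email Reported"},
    {"email": "u7@example.com", "status": "Clicked Link"},
    {"email": "u8@example.com", "status": "Clicked Link"},
    {"email": "u9@example.com", "status": "Clicked Link"},
    {"email": "u10@example.com", "status": "Submitted Data"},
]


def summarize(results):
    """Count outcomes, splitting the non-clickers into the three groups a
    campaign owner actually needs: reported, opened-but-ignored, never-opened."""
    counts = Counter(r["status"] for r in results)
    clicked = counts["Clicked Link"] + counts["Submitted Data"]
    return {
        "total": len(results),
        "clicked": clicked,
        "submitted": counts["Submitted Data"],
        "reported": counts["Email Reported"],
        "opened_ignored": counts["Email Opened"],
        "never_opened": counts["Email Sent"],
        # Sanity check: every target lands in exactly one bucket.
        "unclassified": len(results)
        - clicked
        - counts["Email Reported"]
        - counts["Email Opened"]
        - counts["Email Sent"],
    }


def rates(summary):
    """Express each bucket as a percentage of all targets, rounded to 1 dp."""
    total = summary["total"] or 1  # avoid division by zero on an empty campaign
    keys = ("clicked", "submitted", "reported", "opened_ignored", "never_opened")
    return {k: round(100.0 * summary[k] / total, 1) for k in keys}


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    for k, v in rates(s).items():
        print(f"{k:>15}: {v:5.1f}%")
```

Read alongside the comment: a raw "19% clicked" figure hides whether the remaining 81% were 1% reporters and 80% people who never opened the mail. The `reported` rate is the number that rewards the behaviour you want, and it only exists if the campaign gives users a way to report.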


