Overview
The Phishing Simulation Behavior factor measures how a user interacts with simulated phishing attacks. It captures risky actions (clicking links, submitting credentials, replying to phishing emails, scanning QR codes, etc.) as well as protective actions (such as reporting the simulation).
What the Score Means
Actions are scored by severity and recency. Recent, high-impact behaviors contribute more. Reporting reduces the score and reflects improving security awareness. This factor is a strong indicator of how a user may respond to real phishing threats, especially when busy or distracted.
However, at least 3 phishing tests should be performed before any weight is given to this factor, because failing the first phishing test will result in the user being automatically placed as high risk.
Below is a table of risk levels for Phishing Simulation Behavior and each level's meaning:
| Score Range (Raw) | Risk Level | Meaning |
| 0 to 20 | Very Low | No or negligible interactions with phishing simulations. Excellent awareness. |
| 21 to 40 | Low | A few low-severity incidents (e.g., clicking a link but no further action). |
| 41 to 60 | Moderate | Consistently falls for phishing emails. |
| 61 to 80 | High | Several moderate to severe incidents, some recent. |
| 81 to 100 | Very High | Repeated and/or very recent severe behaviors, such as replying to phishing emails or submitting credentials. Immediate action needed. |
Phishing Simulation Campaign Actions
Each phishing simulation campaign contributes 40 possible points towards the Phishing Risk Score. Risky actions add points; reporting subtracts points.
However, multiple risky behaviors within a single campaign can exceed 40 points (e.g., a click + a reply + credential submission would equate to 60/40), which accelerates the score. Conversely, a passed campaign adds 0/40. Reporting during a campaign adds an additional finding that reduces the target's total risk points. The Phishing Risk Score, on its own, helps estimate how likely a target is to fall for a real phishing attack.
The calculation performed to attain the Phishing Risk Score is:
Phishing Risk Score = (TARP ÷ TAPP) * 100 (capped at 0 to 100)
Where:
- TARP = Total Adjusted Risk Points, and
- TAPP = Total Adjusted Possible Points.
Findings (behaviors) are valued as follows:
| Findings (Behavior) | Value |
| Clicked link | +20 |
| High-Impact behaviors: submitted credentials, downloaded attachment, scanned QR code, call-back request, replied to phishing email | +20 (each) |
| Reported simulation email | -10 |
AI Detected Behavior Trends
Beyond individual actions, AI analyzes patterns in phishing simulation behavior over time to detect emerging risk trends. This includes identifying whether risky interactions are becoming more frequent, more severe, or clustered among certain types of simulations.
By surfacing these trends, the system can highlight users who are showing signs of increased vulnerability, even if their most recent behavior appears low-risk in isolation.
Findings (trends) are valued as follows:
| Findings (Trend) | Value |
| Multiple failures (3 in a row) | +25 to 50 |
| Improving trend (3 in a row) | -10 to -25 |
Phishing Simulation Behavior Score Example
Context: This target has had phishing simulations every 2 months for the past 8 months.
| Behavior | Value | Decay | Adjusted Value |
| Clicked link 8 months ago | 20/40 | 50% | 10/20 |
| Clicked and submitted information 6 months ago | 40/40 | 50% | 20/20 |
| Clicked link 4 months ago | 20/40 | 25% | 15/30 |
| Repeat Offender Penalty | +25 | 0% | +25 |
| Clicked link 2 months ago | 20/40 | 0% | 20/40 |
| Reported yesterday | -10 | 0% | -10 |
| Total Raw Score | 80/110 |
The Phishing Risk Score of this target is calculated as:
(10 + 20 + 15 + 25 + 20 - 10) ÷ (20 + 20 + 30 + 40) * 100 = 72.73
And the Weighted contribution is calculated by:
72.73 * 0.40 = 29.09
Interpretation of Score: 72.73 (High Risk)
The target shows a consistent pattern of simulated phishing interaction, including multiple link clicks and a recent high-risk event (credential submission).
While they reported a phish recently, their overall risk profile suggests ongoing susceptibility.
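The calculation above, reproduced as an added Python example (not the product's own code; all names are hypothetical). It assumes decay percentages are supplied by the caller, since the page shows decay values but no schedule, and that trend penalties and standalone reports adjust TARP without adding possible points, as in the example table.

```python
from dataclasses import dataclass

# Values taken from the page's tables and worked example.
POSSIBLE_PER_CAMPAIGN = 40
VALUES = {"click": 20, "high_impact": 20, "report": -10}
FACTOR_WEIGHT = 0.40
# Upper bound of each band; a fractional score between two bands is
# placed in the higher one (assumption, the page lists whole numbers only).
LEVELS = [(20, "Very Low"), (40, "Low"), (60, "Moderate"), (80, "High")]

@dataclass
class Campaign:
    findings: list   # keys of VALUES; "high_impact" may appear more than once
    decay: float     # 0.0 to 1.0, supplied by the caller

    def adjusted(self):
        # Decay shrinks the risk points and the possible points alike.
        keep = 1.0 - self.decay
        risk = sum(VALUES[f] for f in self.findings)
        return risk * keep, POSSIBLE_PER_CAMPAIGN * keep

def phishing_risk_score(campaigns, adjustments=()):
    # adjustments: (points, decay) pairs, e.g. a trend penalty or a report.
    tarp = tapp = 0.0
    for c in campaigns:
        risk, possible = c.adjusted()
        tarp += risk
        tapp += possible
    tarp += sum(points * (1.0 - decay) for points, decay in adjustments)
    if tapp == 0:
        return 0.0   # no campaigns yet, nothing to score
    return round(max(0.0, min(100.0, tarp / tapp * 100)), 2)

def risk_level(score):
    for upper, name in LEVELS:
        if score <= upper:
            return name
    return "Very High"

def weighted_contribution(score):
    return round(score * FACTOR_WEIGHT, 2)

# The page's example: four campaigns, repeat-offender penalty, one report.
PAGE_CAMPAIGNS = [Campaign(["click"], 0.50), Campaign(["click", "high_impact"], 0.50),
                  Campaign(["click"], 0.25), Campaign(["click"], 0.0)]
PAGE_ADJUSTMENTS = [(25, 0.0), (-10, 0.0)]

if __name__ == "__main__":
    score = phishing_risk_score(PAGE_CAMPAIGNS, PAGE_ADJUSTMENTS)
    print(score, risk_level(score), weighted_contribution(score))
```

A single campaign with a click, a reply and a credential submission (60/40) evaluates to 150 before capping and is returned as 100, which is why one failed first test dominates the factor until more campaigns have run.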
Breakdown of What the Score Means
| Indicator | Interpretation |
| Clicked a link 8 months ago | Older event, but still contributes slightly to overall risk. May indicate a longer-term pattern. |
| Submitted credentials 6 months ago | High-risk behavior. This suggests deeper vulnerability beyond just link clicking. |
| Clicked a phishing link 4 months ago | Indicates a recurring pattern of risky behavior that has not been fully corrected. |
| Multiple interactions across time | Repeated risky actions show a sustained vulnerability to phishing. |
| Clicked a phishing link 2 months ago | Recent failure to recognize a phishing simulation suggests current susceptibility to threats. |
| Reported phishing yesterday | Positive behavior showing improved awareness and proactive reporting. This helps reduce overall risk slightly. |
Recommendation
Reinforce awareness with targeted training and possibly increase frequency of simulation testing.
Furthermore, the user appears to be making improvements. Continuing to monitor this trend will be of high importance.