KnowBe4’s 2023 Phishing By Industry Benchmarking Report Reveals that 33.2% of Untrained End Users Will Fail a Phishing Test

Blog-2023-Benchmarking-Report-CoverCybercriminals still know that the easiest way to successfully infiltrate an organization is through its people. 

While organizations continue evaluating and investing in their technology-based security layer, the human layer continues to be the most enticing and vulnerable attack vector. This marks the sixth consecutive year that KnowBe4 has analyzed hundreds of millions of data points in order to provide our annual Phishing by Industry Benchmark Report.

The report analyzes Phish-prone™ Percentage (PPP) across millions of individual users pulled from anonymized KnowBe4 customer data. The report illustrates how crucial it is for organizations to invest in their employees to increase their overall defense capabilities and strengthen their security culture. 

This year’s inclusion dataset spanned 19 industries and comprised over 12.5 million users across 35,600 organizations with over 32.1 million simulated phishing security tests. It also provides a thorough analysis across seven geographical regions: Africa, Asia, Australia/New Zealand, Europe, North America, South America and the United Kingdom/Ireland. 

Here’s what we found:

  • For 2023, the overall PPP baseline average across all industries and size organizations was 33.2%, meaning just less than a third of an organization’s employee base could be at risk of clicking on a phishing email prior to receiving training. 

  • However, only 18.5% of those same users will fail within 90 days of completing their first KnowBe4 training.

  • After at least a year on the KnowBe4 platform, only 5.4% of those users will fail a phishing test.

  • Organizations improved their susceptibility to phishing attacks by an average of 82% in one year by following our recommended approach.


Organizations remain vulnerable to cyber attacks because their employees do not have the right level of knowledge and vigilance to detect and report a potential attack. This extends beyond training. At its core, building a resilient security culture will help sustain the right behaviors. Additionally, employees will better understand and embrace their respective roles to not only protect and defend their professional environments, but their personal ones.

The purpose of the Phishing by Industry Benchmarking Report is to analyze and understand the impact of a new-school security awareness approach on an organization’s susceptibility to phishing or social engineering attacks. To do this, we analyze data from three phases:

  • Phase One: If you haven’t trained your users and you send a phishing attack, what is the initial resulting PPP? To do this, we monitored employee susceptibility to an initial baseline simulated phishing security test. From that established set of users, we look at any time a user has failed a simulated phishing security test prior to having completed any training.

  • Phase Two: What is the resulting PPP after users complete training and receive simulated phishing security tests within 90 days after training? We answered this question by finding when users completed their first training event and looking for all simulated phishing security events up to 90 days after that training was completed.

  • Phase Three: What is the final resulting PPP after users take ongoing training and monthly simulated phishing tests? To answer this, we measured security awareness skills after 12 months or more of ongoing training and simulated phishing security tests, looked for users who completed training at least one year ago, and took the performance results on their very last phishing test.

Why this is important:

Among the thousands of clients I engaged with during my time leading the security awareness and training space at Gartner, there was one thing that consistently astounded me: how little most organizations were doing to improve the readiness of their human defense layer

Most organizations view training as something they have to do (checking the box) rather than something that will help drive a more secure culture in which every employee understands the importance and responsibility of being more security-aware in their professional and personal lives. 

You can’t turn focus on the human element on and off like a light switch. Only a comprehensive and ongoing program (yep, there is no end), will change behaviors; breaking old bad habits and developing new and more secure ones.

A few things to keep in mind…

  • It’s essential to foster a resilient security cultureSecurity culture, as defined by KnowBe4, is the ideas, customs and social behaviors of an organization that influence their security. All employees should understand what their role and responsibility is to protect the organization and themselves from being vulnerable to a cyberattack.
  • Increase the frequency of your security awareness training while decreasing the time invested. A regular, consistent cadence is required in order to drive substantial and sustainable behavior change.
  • Frequent simulated phishing campaigns are a key component of your overall security awareness program. Regularly testing employees will increase your employee’s resilience to being compromised and keep their phish-spotting skills sharp.
  • Work with experts. Security awareness content is like no other and should be designed by experts who understand the behavior changes required to create an effective human defense layer, while also providing an engaging learning experience. Don’t get caught in a cycle of boring, ineffective, unappealing content.

After all, KnowBe4 is not the market leader in this space by chance. We are the market leader because we have the data and have conducted the research to demonstrate the importance of the human layer. We also have the only tried-and-true program to help your organization build a more security-aware and prepared culture.

Get Access to the Report Now!

Download Report

Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews