Security Awareness Glossary

Phishing simulation - testing and training employees realistically

Phishing simulations send controlled, fake phishing emails to employees to measure and improve their detection rates. Metrics: Click-through rate (target: <5%), reporting rate (target: >60%), credential submission rate. Platforms: KnowBe4, Proofpoint Security Awareness, Hoxhunt, Lucy Security, SoSafe. GDPR-specific requirement: The works council must be involved; results may not be used to discipline individual employees.

Phishing simulations are the most effective way to strengthen the human factor—the channel through which over 90% of all initial breaches occur. However, poorly executed simulations demotivate employees and foster mistrust rather than awareness.

How phishing simulations work

The process of a professional phishing campaign:

1. Preparation:
   → Scope: all employees or high-risk groups?
   → Involve the works council (right to co-determination, §87 BetrVG!)
   → Baseline campaign: measure first, then train
   → Prepare email variants (3–5 different templates)
   → IT allowlist: exempt the simulation's sending servers from the spam filters, otherwise the emails never reach the inboxes!

2. Simulation (Level 1 – Beginner):
   Template examples:
   → "IT Department: Password is expiring – change it now"
   → "HR: Pay stub available – click here"
   → "Delivery service: Your package is waiting"

   Level 2 (Advanced):
   → Personalized spear-phishing emails
   → CEO fraud simulation ("From: John Doe, CEO")
   → Attachment-based (PDF with link)
   → QR code phishing (quishing)

3. Measurement – what is recorded:
   → Tracking pixel: Was the email opened?
   → Link click: Did the employee click the link?
   → Credential entry: Did the employee enter login credentials on the landing page?
   → Reporting: Did the employee report the email?

4. Immediate training (teachable moment):
   → Anyone who clicks: immediately sees an informational page
   → "You clicked on a phishing simulation. Here are the warning signs..."
   → No shame! A learning experience.

5. Evaluation and actions:
   → Department-level reporting (NO individual naming!)
   → Targeted follow-up training for employees who clicked
   → Communicate successes: "Click-through rate reduced from 22% to 6%"

KPIs and Benchmarks

Metrics for a phishing campaign:

Core metrics:
  Phish-Prone Rate (PPR):
  → % of employees who click OR enter data
  → KnowBe4 industry benchmark:
    → Baseline (without training):   avg. 31.5%
    → After 90 days of training:     avg. 16.4%
    → After 12 months of training:   avg. 4.6%
  → Goal: < 5% PPR

  Reporting Rate:
  → % of employees who report the phishing email
  → Good: > 30%, Very good: > 60%
  → Important: indicates an active security culture

  Time-to-Report:
  → How quickly is it reported?
  → < 5 minutes: excellent (SOC can respond quickly)

  Credential Submission Rate:
  → Of those who click: how many enter their credentials?
  → Most critical! (direct access possible)

Department Benchmarks:
  Typically higher click-through rates:
  → Finance/Accounting (BEC attacks!)
  → HR (job applications, pay stubs)
  → New employees (< 6 months)

  Typically lower click-through rates:
  → IT Security (know the tricks)
  → Compliance/Legal
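
The four signals recorded in step 3 turned into the KPIs above, computed from constructed, pseudonymous simulation events and reported at department level only, as the evaluation step requires. This is an added example, not the glossary's or any vendor's code; the event fields, the MIN_GROUP threshold for folding small departments into "other" and the purge helper are assumptions, the last following the 90-day retention period stated in the GDPR section below.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

MIN_GROUP = 5                   # assumption: fold smaller departments into "other"
RETENTION = timedelta(days=90)  # page: delete personal click data after 90 days
@dataclass
class Event:                    # one row per recipient; pseudonym only, never a name
    pseudonym: str
    department: str
    sent: datetime
    clicked: datetime | None = None
    submitted: bool = False     # entered credentials on the landing page
    reported: datetime | None = None

def _kpis(group: list[Event]) -> dict:  # percentages; PPR counts a click OR a credential entry
    clickers = [e for e in group if e.clicked or e.submitted]
    reporters = [e for e in group if e.reported]
    minutes = [(e.reported - e.sent).total_seconds() / 60 for e in reporters]
    return {
        "recipients": len(group),
        "phish_prone_rate": round(100 * len(clickers) / len(group), 1),
        "reporting_rate": round(100 * len(reporters) / len(group), 1),
        "credential_submission_rate": round(100 * sum(e.submitted for e in clickers) / len(clickers), 1) if clickers else 0.0,
        "median_time_to_report_min": round(median(minutes), 1) if minutes else None,
    }

def department_report(events: list[Event]) -> dict[str, dict]:  # no per-person figure is emitted
    by_dept: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_dept[e.department].append(e)
    groups: dict[str, list[Event]] = defaultdict(list)
    for dept, group in by_dept.items():   # a tiny department would identify individuals
        groups[dept if len(group) >= MIN_GROUP else "other"].extend(group)
    report = {dept: _kpis(group) for dept, group in groups.items()}
    report["company"] = _kpis(events)
    return report

def purge_expired(events: list[Event], now: datetime) -> list[Event]:  # keep only the aggregates after that
    return [e for e in events if now - e.sent < RETENTION]
T0 = datetime(2024, 3, 4, 9, 0)  # constructed campaign send time
_at = lambda m: None if m is None else T0 + timedelta(minutes=m)  # minutes after T0
def _ev(p, dept, click=None, sub=False, rep=None):
    return Event(p, dept, T0, _at(click), sub, _at(rep))
SAMPLE = [  # constructed: 5 Finance, 5 IT, 2 Legal (Legal is folded into "other")
    _ev("a1", "Finance", click=3, sub=True), _ev("a2", "Finance", click=7), _ev("a3", "Finance", rep=4),
    _ev("a4", "Finance"), _ev("a5", "Finance", rep=12), _ev("b1", "IT", rep=2), _ev("b2", "IT", rep=3),
    _ev("b3", "IT", rep=5), _ev("b4", "IT", click=20, rep=21), _ev("b5", "IT"), _ev("c1", "Legal"), _ev("c2", "Legal", rep=9)]
```

`department_report(SAMPLE)` yields a 40% PPR for Finance with half of its clickers submitting credentials, an 80% reporting rate for IT, and no "Legal" key at all; the per-event rows are what `purge_expired` discards once the retention window has passed.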

Platform Comparison

Phishing Simulation Platforms:

KnowBe4 (Market Leader in the US):
  → 50,000+ phishing templates
  → PhishER: automated email reporting + triage
  → Security Awareness Training: 1,000+ courses
  → Modular system: Risk Score per employee
  → Price: starting at ~$25/user/year (tiered pricing based on size)
  → Languages: German available

Proofpoint Security Awareness:
  → Strong email security integration (Proofpoint Gateway)
  → Very Attacked People (VAP): Identify high-risk groups
  → Adaptive training: based on individual threat profile
  → Expensive, but good for Proofpoint customers

SoSafe (German, GDPR-native):
  → German company (Cologne)
  → GDPR-compliant by design
  → Gamification: Point system, badges
  → Very well-suited for German SMEs
  → Works council-friendly: Anonymized reports

Hoxhunt (Finland):
  → Gamified approach (no penalties!)
  → Adaptive difficulty level per employee
  → Focus on behavioral change, not knowledge transfer

Lucy Security (Switzerland):
  → On-premises option (important for KRITIS/government agencies!)
  → No data in the cloud
  → For: public administration, defense, healthcare

GDPR and Works Constitution Act (BetrVG)

Works council involvement (mandatory!):
  → §87 BetrVG: "Co-determination in monitoring"
  → Phishing simulation = performance monitoring of employees
  → Without a works agreement: impermissible!

Works council agreement must specify:
  1. Purpose: Security training (NOT performance monitoring)
  2. Anonymization: no individual results visible
  3. Reporting: only department/company level
  4. Data storage: how long is click data stored?
  5. Consequences: NO disciplinary measures
  6. Training link: Teachable Moment content

GDPR:
  → Legal basis: Art. 6(1)(f) (legitimate interest)
  → Data minimization: only click events, no detailed logs
  → Data subject rights: Employees may request access
  → Retention periods: Delete personal click data after 90 days

What is NOT permitted:
  × Publicly shaming individual employees (“name and shame”)
  × Issuing warnings solely based on a phishing click
  × Using results for promotion decisions
  × Collecting results without a data protection officer’s approval or consent

What is permitted:
  ✓ Anonymized departmental reports to management
  ✓ Targeted retraining for high-risk groups
  ✓ Aggregated metrics for ISO 27001 compliance documentation
  ✓ Documenting improvements over time (compliance)