Imagine measuring your workforce’s fitness based solely on a single 100-meter sprint once a year. Whoever runs fast is considered fit. But does that one moment say anything about overall health, nutrition, or endurance in the stresses of everyday life? Hardly.
The deceptive picture of the click-through rate
A brief real-world scenario illustrates the problem:
Tuesday morning, 10:00 a.m.: An employee is relaxed; his inbox is uncluttered. He recognizes a test email immediately.
Result: Click-through rate 0%—everything seems secure.
Friday afternoon, 4:30 p.m.: The same employee is under massive time pressure; a project is due. He receives a real, highly professional spear-phishing email. In the rush, he clicks.
Result: A catastrophic security incident.
The simulation created a false sense of security. While it measured behavior in the “lab”, it completely ignored underlying risk factors such as stress resilience or a lack of a reporting culture.
Why phishing simulations alone are not a reliable KPI
The click-through rate is a “soft” metric that is easy to manipulate. If you send simple lures, the numbers look great—but have your employees really learned anything from it?
- No “why”: The rate tells you that a click occurred, but not the cause. Was it a lack of knowledge? Was it carelessness? Or is there a culture where security is dismissed as “an IT issue”?
- The silent majority: What about the 90% who don’t click but also don’t report the incident? Without an active reporting rate, your company remains blind to real attacks despite a low click-through rate.
The Security Awareness Radar® (SAR): the X-ray of your security
This is where the SAR comes in. Instead of just looking at the “clicking finger”, the radar delves deep into the foundation of your organization. Based on scientific models, it measures three critical dimensions:
- Knowledge: Do employees have the necessary know-how to identify threats?
- Attitude: Is security perceived as a valuable part of the job or as a burdensome obstacle?
- Behavior & Norms: How is security practiced within the team? Is it normal to ask questions when in doubt?
Phishing vs. SAR: a direct comparison
| Feature | Phishing simulation | Security Awareness Radar (SAR) |
| --- | --- | --- |
| Informativeness | Selective response (snapshot) | Holistic security culture |
| KPI depth | One-dimensional (Click/No Click) | Multidimensional (psychological & technical data) |
| Learning effect | Training for specific email types | Foundation for strategic behavioral change |
| Benefits | “We need more training.” | “We need to actively promote a culture of reporting.” |
Conclusion: measure what really matters
Phishing simulations are a useful training tool, but they are not a compass for your strategy. Only the Security Awareness Radar® provides the hard facts you need to allocate budgets efficiently and minimize human risks in the long term.
Make your security measurable
Put an end to guesswork about click-through rates. With TreeSolution’s Security Awareness Radar® (SAR), you get a crystal-clear analysis of your security culture.
Use our comprehensive awareness solutions to make your company secure not just on paper, but in daily practice.