People still click: what our cohort data says about human cyber-risk
Across the 4walls client base, thousands of cyber eLearning modules have been completed with an average score near 87%—yet phishing simulations still show recurring link clicks and occasional credential submissions every month. The pattern is consistent: knowledge is generally strong, but in-the-moment judgement under time pressure still fails. It also tracks with your training data: the lowest course score is “Phishing” (~78%), precisely where real-world mistakes occur.
This isn’t unique to our cohort. Major studies keep finding that the human element—social engineering, error, credential misuse—drives a large share of breaches. Verizon’s 2025 DBIR places human involvement at ~60% of confirmed breaches and highlights social engineering alongside credential abuse as persistent drivers (OITS). IBM likewise reports compromised credentials and phishing as leading initial access vectors year after year (cybersecuritydive.com). Threat intel also shows a shift toward URL-led lures (across email, SMS and QR) over classic attachment malware, which aligns with what we observe in simulations (IT Pro). And CISA’s guidance still frames phishing as “phase one” in many attacks: if you blunt that step, you break the kill chain (CISA).
What this means for boards and executives
- Set clear ownership. Name who is accountable for cyber risk at exec level, and what success looks like this year.
- Adopt a framework and stick to it. Choose a recognised standard (Essential Eight / CIS / NIST CSF), set targets, review progress quarterly.
- Keep the training cadence. Treat training and simulations as culture, not compliance. Managers should reinforce it in team rhythms.
- Ask for plain-English reporting. Five-minute board packs: trends in reporting vs clicking, time-to-report, confirmed incidents.
- Verify, don’t outsource judgement. Engage directly with security leadership and seek periodic independent challenge.
- Rehearse the bad day. Tabletop exercises clarify roles, decisions, and comms before—not during—an incident.
- Tie incentives to behaviour. Make a small set of cyber KPIs visible and link them to leadership performance.
- Manage third-party exposure. Expect your vendors to meet the same standards you set internally.
- Fund to the risk. Budget follows the framework priorities and the risk picture, not tools with good brochures.
How 4walls helps
Your 4walls dashboard already unifies simulation outcomes, eLearning scores, and policy posture in one view. We’re tuning simulations toward URL-based, multi-channel lures and using cohort data to trigger targeted micro-coaching for repeat clickers and high-risk roles. The goal isn’t zero clicks; it’s fast reporting, low consequence, and measured improvement quarter by quarter.
Next step: if you want a cohort benchmark (report-to-click ratio, time-to-report, compromise rate) and a 90-day improvement plan, reach out and we’ll map it with you.
Sources: Verizon DBIR 2025; IBM Cost of a Data Breach; Proofpoint threat trends; CISA phishing guidance.

