As security leaders we develop security and awareness training surrounding phishing; however, we are told we can only expect to get down to a 3% click rate. 3% is not low enough and I am looking for ideas on how to drive down the click rate to 1% or less. Has anyone had great success with a technique they have used to drive down the click rate?
You can only raise awareness so far and you quickly reach the point of diminishing return. To further close the gap you need to offer incentives such as recognitions, badges, prizes, etc.
Trying to get to 1% or below, depending on the size of the population, is quite the challenge. I certainly haven't achieved that in my organization (a university), but we do have a couple of strategies which have driven the click-through rate down.
First, we have a positive incentive which has worked surprisingly well. We award a small digital yearly 'defender' badge (with the year included) to those who don't fail a test. Folks are adding it to their email signatures and friendly competition has happened organically.
The other strategy is a bit experimental: if you have an internal 'chat' client, we're emphasizing that internal collaboration happen there instead of via email. This has the collective effect of making typical phishing emails spoofing a local employee a little more noticeable. This way you reduce the scope of people to those who would be most likely to receive external emails.
It's all about raising the awareness. Two things you can do: 1) do a tricky phishing test that drives up the failure rate to 30%, then everyone will understand they are not good enough. 2) Besides focusing on the failure rate, try marking the report rate. Seeing a phishing email and reporting it raises awareness to another level.
Thank you Wilson Tang
We should not be looking at just reducing the click rate beyond a specific %, but at making simulations as good as the real phishing we see out there with increased sophistication, specifically tailored for individuals and coming from trusted accounts that were compromised. AI also makes creating good phishing easier for attackers. So the goal is to create a teachable moment for someone who clicks and provide proper after action (i.e., training, performance objectives, etc.). Creating specific policies and increasing the consequences after repeated clicks also helps.
Thank you Lana Davenport
Define user awareness training requirements in the new hire documentation and amend the Acceptable Use policies to reflect the organization's support. Align your policies around the goal of 100% participation (mandatory), and identify and enforce consequences for multiple or repetitive failures. This sounds severe, but this is your environment and your data you are trying to protect. Awareness training is effective, but people are the weakest link in our security landscape. Some employees respond better to financial motivation and will think before they click.