Re: What's the metric?
The security team member that clicked and tried to enter their credentials should be either reassigned or dismissed. They clearly should not be on the security team!!!
We just started using an outside service for testing for phishing. I sent out the first wave of emails without letting anyone know ahead of time. Even senior management wasn't informed. Frankly, I wanted to know if they would click through?
Fortunately, our CEO very much values efforts to keep us secure, and he has a good sense of humor (and a lot of humility). If he would have fallen for it, we could have just had a big laugh about it. When I told him about the test (a few days later), his response was "good job!, oh crap I didn't open it did I?" No one from senior management fell for the test. That is a very good thing.
I did get a good butt chewing from a couple of managers during the test for not sending out a company-wide email warning everyone about the phishing attempt. This would have of course ruined the test. They understood later when everything was explained, and some apologized.
Out of 45 people, I had 2 open and click the link. No one tried to enter credentials. As people mentioned above, what does this data mean? It's good news, I think? The two people that did click have openly admitted it to everyone, and thus been humorously embarrassed internally. I wasn't going to name names, just speak to them personally. They outed themselves!
Overall, I think it was a successful educational moment. I was very happy that so many people called or emailed me asking about this suspicious email.
What I wasn't mentally prepared for was how to answer the questions like "what should I do?" or "does this email look suspicious?" The fact that the user called me to ask, I considered that a success. What I didn't think through was the effect of, if I told someone that "yes, that does look suspicious, don't open it" they would warn other users. How many of the other users might have clicked through if they didn't get warned ahead of time from other users?
Bruce