A Guide to Establishing a Powerful SAT Baseline
The human element remains the most targeted and vulnerable link in the security chain. Effective security awareness training (SAT) is essential to fortify this front, and simulated phishing campaigns are currently its most powerful tool. The campaigns provide real‑world relevance, immediate feedback and measurable metrics, and they help to influence behavioural change.
These controlled exercises go beyond simple training because they provide realistic, hands-on experience in identifying and resisting malicious emails. Simulated phishing campaigns are indeed the most effective lever, but they work best as part of a broader, layered awareness program. The end goal is to transform employees from potential targets into a resilient human firewall.
Before diving into the campaign setup, it is critical to tailor SAT campaigns to the employees’ actual tools and habits: compliance requirements and generic campaigns do not produce secure behaviours, and neither do corporate policies that are disconnected from daily work. Context-aware campaigns and knowledge of the workforce are what translate into more secure behaviour.
Security awareness must be useful to both the end user and the security team, not treated as a necessary evil. Security is not a separate activity but an integral part of everyone’s job: a shared responsibility. In this post, we focus on crafting the perfect baseline for preparing effective phishing simulations.
The business goal, executive sponsorship, legal aspects, budgeting and the procurement of the right simulation platform are not considered here. The same goes for the later SAT phases (e.g., designing realistic phishing templates, implementing a “Report-Phish” button, a reward system, etc.).
Phase 1: Strategy & Planning (Building an Effective, Crude Baseline)
With the newly onboarded SaaS or on-premise simulation tool, the first step is to conduct a pre‑campaign phishing test (e.g., a simple credential‑harvest email) once leadership has announced the new SAT program. This is a crucial beginning: if carried out properly, it is “almost” half the work done. Rolling out a short introductory training module at the same time can also help, but it is not mandatory.
The controlled phishing test can be mixed with a slightly more sophisticated lure (e.g., a fake invoice or a compromised‑account notification). The important thing is to mimic a real situation: a single, overly simplistic payload can underestimate risk, while varied vectors may highlight different weaknesses.
It is perfectly fine to treat all departments identically during the controlled benchmark, but let’s not forget that doing so may miss opportunities to address role‑specific threats (e.g., the finance team targeted with invoice scams).
The one‑size‑fits‑all messaging approach is far from ideal in SAT campaigns and must therefore be avoided during real campaigns. For the sake of the baseline, though, treating all departments identically is a practical necessity to get a clean and comparable assessment.
The phishing test will help to capture baseline metrics such as these important behavioral employee indicators:
- Click‑through rate (CTR: % of employees who clicked on a link within a simulated phishing email),
- Credential submission,
- Time‑to‑click (the time elapsed between a phishing simulation email being delivered to a user’s inbox and that user clicking the link within it),
- Time‑to‑report (the time elapsed between a phishing simulation email being delivered to a user’s inbox and that user reporting it through an official “Report Phishing” button usually integrated into their email client like Outlook or Gmail),
- Report rates per department (% of employees who recognize a phishing attempt and report it to the appropriate authority within the organization),
- Post‑click behavior (e.g., whether the user entered credentials before reporting),
- Level of user engagement during this test phase (% of employees who opened the phishing email compared to the total number of emails sent). This indicates initial interest or curiosity and gives a first view of the organization’s security posture,
- Click patterns, if applicable (analysis of which links were clicked within the phishing email). This helps to identify specific vulnerabilities or areas of concern,
- Initial user feedback, which is another data point that can be integrated into future SAT strategies.
The phishing test must also include these important non-behavioral indicators:
- Device type: the types of devices used to access email (e.g., desktop, mobile, tablet),
- Geographic distribution,
- Training history (if any): Records of previous security training sessions attended by employees,
- Incident history: Records of past security incidents or breaches that may impact employee awareness and behavior,
- Engagement with security communications: Response rates to security alerts and communications from the IT department (if applicable).
These expanded, fine‑grained signals highlight not just whether someone fell for the lure but how quickly they reacted, which is critical for measuring awareness depth. Another direct advantage of establishing a baseline is that quantifiable results are persuasive when one needs executive sponsorship or budget approval for the broader program.
It helps to run the baseline assessment over at least one business week (preferably two) to smooth out day‑of‑week effects: click rates can spike on certain days (e.g., Monday inbox overload) and dip on others.
Once the test is completed, communicate directly about it and direct those who failed to a short, positive educational resource. Delivering a contextual tip (e.g., “notice the mismatched sender domain?”) instantly improves learning retention compared with a delayed debrief.
This preliminary test data will be used for tailoring training efforts, segmenting the corporate audience and setting realistic targets (e.g., “our overall click rate was 30%; let’s aim for 20% after the next training round has been completed in two months”).
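As an added example (not code from the original post or from any simulation platform), the following Python script computes the Phase 1 indicators from a constructed export of delivery events: open rate, click-through rate, credential submission rate, report rate, median time-to-click and time-to-report, the post-click case of credentials entered before reporting, and the same rates broken down by department, by weekday (the day-of-week effect discussed above) and by device type. The `DeliveryEvent` field layout, the user ids, departments and timestamps are all assumptions; a real platform export would be mapped onto them.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Callable, Dict, List, Optional


@dataclass
class DeliveryEvent:
    """One simulated phishing email delivered to one user (assumed export row shape)."""
    user: str
    department: str
    delivered: datetime
    opened: Optional[datetime] = None
    clicked: Optional[datetime] = None
    credentials_at: Optional[datetime] = None   # credentials submitted on the landing page
    reported: Optional[datetime] = None         # "Report Phishing" button pressed
    device: str = "desktop"


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


# Constructed sample covering one business week (2024-03-04 is a Monday).
# Hypothetical users and departments, not data from a real campaign.
EVENTS: List[DeliveryEvent] = [
    DeliveryEvent("u01", "Finance", _ts("2024-03-04T09:00"), _ts("2024-03-04T09:01"),
                  _ts("2024-03-04T09:01:20"), _ts("2024-03-04T09:02"), None, "desktop"),
    DeliveryEvent("u02", "Finance", _ts("2024-03-04T09:00"), _ts("2024-03-04T09:30"),
                  None, None, _ts("2024-03-04T09:35"), "desktop"),
    DeliveryEvent("u03", "HR", _ts("2024-03-05T10:00"), _ts("2024-03-05T10:05"),
                  _ts("2024-03-05T10:20"), None, _ts("2024-03-05T10:22"), "mobile"),
    DeliveryEvent("u04", "HR", _ts("2024-03-05T10:00")),
    DeliveryEvent("u05", "Engineering", _ts("2024-03-06T11:00"), _ts("2024-03-06T11:00:30"),
                  None, None, _ts("2024-03-06T11:01"), "desktop"),
    DeliveryEvent("u06", "Engineering", _ts("2024-03-06T11:00"), _ts("2024-03-06T11:10"),
                  _ts("2024-03-06T11:11"), _ts("2024-03-06T11:12"), _ts("2024-03-06T11:15"), "mobile"),
    DeliveryEvent("u07", "Sales", _ts("2024-03-04T14:00"), _ts("2024-03-04T14:00:10"),
                  _ts("2024-03-04T14:00:15"), None, None, "mobile"),
    DeliveryEvent("u08", "Sales", _ts("2024-03-07T09:00"), _ts("2024-03-07T09:40")),
    DeliveryEvent("u09", "Legal", _ts("2024-03-08T16:00"), _ts("2024-03-08T16:05"),
                  None, None, _ts("2024-03-08T16:30"), "desktop"),
    DeliveryEvent("u10", "Legal", _ts("2024-03-08T16:00")),
]

Predicate = Callable[[DeliveryEvent], bool]
CLICKED: Predicate = lambda e: e.clicked is not None
REPORTED: Predicate = lambda e: e.reported is not None


def rate(events: List[DeliveryEvent], predicate: Predicate) -> float:
    """Share of delivered emails for which the predicate holds (0.0 if none delivered)."""
    return sum(1 for e in events if predicate(e)) / len(events) if events else 0.0


def rate_by(events: List[DeliveryEvent], key: Callable[[DeliveryEvent], str],
            predicate: Predicate) -> Dict[str, float]:
    """The same rate broken down by a grouping key (department, weekday, device...)."""
    groups: Dict[str, List[DeliveryEvent]] = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    return {g: rate(evs, predicate) for g, evs in sorted(groups.items())}


def baseline_summary(events: List[DeliveryEvent]) -> dict:
    """Organization-wide behavioral indicators for the baseline campaign."""
    ttc = [(e.clicked - e.delivered).total_seconds() for e in events if e.clicked]
    ttr = [(e.reported - e.delivered).total_seconds() for e in events if e.reported]
    return {
        "delivered": len(events),
        "open_rate": rate(events, lambda e: e.opened is not None),
        "click_rate": rate(events, CLICKED),
        "credential_rate": rate(events, lambda e: e.credentials_at is not None),
        "report_rate": rate(events, REPORTED),
        "median_time_to_click_s": median(ttc) if ttc else None,
        "median_time_to_report_s": median(ttr) if ttr else None,
        # Post-click behavior worth a targeted debrief: reported, but only after
        # handing over credentials.
        "credentials_before_report": sum(
            1 for e in events
            if e.reported and e.credentials_at and e.credentials_at < e.reported),
    }


if __name__ == "__main__":
    for name, value in baseline_summary(EVENTS).items():
        print(f"{name:28} {value}")
    print("report rate by department:", rate_by(EVENTS, lambda e: e.department, REPORTED))
    print("click rate by weekday:    ", rate_by(EVENTS, lambda e: e.delivered.strftime("%a"), CLICKED))
    print("click rate by device:     ", rate_by(EVENTS, lambda e: e.device, CLICKED))
```

Rates are computed against delivered emails, not opened ones, so the open rate and the click rate share the same denominator and can be compared directly; the weekday breakdown is what a two-week run would feed to check for the Monday spike before setting targets.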
Phase 2: Segment Your Workforce & Tailor Content
Once the baseline benchmarks are established and all relevant metrics have been collected, the next step involves segmenting the workforce and tailoring content.
For the sake of comparison, the workforce is first segmented by department groups. This step is necessary for establishing the initial baseline.
Step 1: Initial segmentation by department groups with default training content:
- For Finance & The C-Suite (highest‑ranking executive officers), the content can be a high-fidelity Business Email Compromise (BEC). For example, a meticulously crafted email mimicking the CEO, CFO or a trusted vendor requesting an urgent wire transfer or invoice payment. The goal is to train these critical targets to ALWAYS verify financial requests through a secondary channel as a non-negotiable habit (e.g., with a phone call or by asking a colleague).
- For HR & Recruiting teams, the content also has to suit their specific risks. Appropriate scenarios can include a fake job applicant’s resume with a link to their malicious portfolio (e.g., from a fake LinkedIn profile) or a complaint from a fake employee alleging misconduct (and with a malicious attachment). The goal is to teach HR & recruiting to handle unsolicited attachments and links with extreme caution even from seemingly plausible sources.
- For Engineering/SysAdmin/Data teams, the training difficulty must be higher. In their case, use their tools and jargon against them. It can be a fake security alert from GitLab, Kubernetes, Jira or Docker about a critical vulnerability or a failed login attempt requiring immediate action. Since these teams hold privileged credentials that attackers will want to seize, the test should focus on credential harvesting (e.g., root, service‑account keys or database admin passwords). Here the goal is to test their vigilance even when the communication appears to come from a critical and trusted internal system.
- For Sales & Customer‑service teams, who act as the primary custodians of client information, the messaging content should aim to retrieve or “verify” customer records. These teams often have access to CRM systems (e.g., Salesforce, HubSpot, Zoho, Microsoft Dynamics 365) and are trained to be helpful and responsive. Swift response targets can cause agents to overlook subtle red flags, which makes them vulnerable to social engineering. Plugins for Outlook, Slack or customer support ticketing systems like Zendesk further increase their attack surface. Examples can be a message from an eager “prospect” pushing for a quarter-end deal or a frustrated “customer” demanding immediate technical support.
- Project & Product Managers possess valuable roadmaps and strategic plans, have high levels of access to project management tools (e.g., Jira, Confluence, etc.) and communicate constantly with internal teams and external partners/contractors. This also creates a large attack surface. An email crafted to look like it comes from a known contractor or a senior executive is a fitting starting point. The email should reference a real project by its internal codename and push the recipient to review the latest product requirements, for instance. The goal is to test the team’s ability to verify requests for sensitive intellectual property, especially when the request leverages authority and urgency.
- For the Legal team, they also have access to sensitive information (e.g., mergers & acquisitions, litigation, intellectual property, employee data etc.) and they hold the authority to approve high-stakes actions. A viable scenario to test protocol bypassing can be a targeted email to the General Counsel or a senior lawyer spoofed to look like it comes from the CEO. The goal is to test their ability to verify unusual and sensitive requests from authority figures even when they appear legitimate.
- For the rest of the workforce, move beyond generic package delivery scams. Companies rely on official channels such as Teams or Slack for broad communications, so it is crucial to limit cross‑department and internal messaging as much as possible. An ideal scenario can include a fake internal communication about a new holiday policy, a mandatory HR survey requiring login or a new mandatory LMS (Learning Management System) training. The goal is to test the staff’s ability to spot subtle discrepancies in internal communications.
Once the SOC team has collected the results for each department, it can pinpoint specific behavioral risk profiles and establish a second, more refined baseline for targeted interventions. The workforce is then segmented by behavioral risk profile and job function to develop threat narratives that reflect the specific workflows and pressures of different departments or roles.
This is a data-driven approach and an industry best practice to build a mature SAT program. One moves from a compliance-focused, check-the-box program to a truly risk-reducing and behavior-changing security culture. To sum up: start simple, get sophisticated and, in the end, intervene precisely.
Remember that the core idea of the whole baseline is to stop viewing security training as a mere content delivery system but rather translate it into a behavior change system. The goal is not to make users pass a test. It is to make secure behavior the default and natural choice.

Image by Proofpoint.
As seen, the classical way was to segment by department (e.g., Finance, HR, IT etc.) while a better way is to segment by behavioral risk profile and job function. Below is a systematic method for segmenting and customizing the training material for each behavioral group.
Step 2: Segmenting by behavioral role profile and job function
- The Impulsive Clickers are identified via fast time-to-click metrics. These are people with habitual, automatic behavior. They need training focused on interrupting their autopilot mode and building a “pause and assess” habit.
- The Hesitant Reporters might close the phishing tab but not report it. They need to build confidence and agency, so training must emphasize that reporting is encouraged, easy and valued even if it turns out to be a false alarm.
- The High-Value Targets (HVTs) are the executives, their assistants, the finance department members and IT admins. They are targeted with highly personalized attacks (spear phishing, whaling, BEC). Their training must tend toward hyper-realism and be scenario-specific (e.g., fake wire transfer requests or fake vendor invoices).
- The Security Champions are the fast time‑to‑report users. Rather than wasting their time on basic training, empower them: give them advanced training modules, involve them in beta testing new simulations and use them as positive peer influencers in their teams. These people generally include Engineering (e.g., DevOps, software development), IT Operations & SysAdmin or Data & Analytics teams. Those less inclined to serve as security champions tend to be members of Product Management and Project Leadership, customer‑facing groups such as Support, Sales Engineering and Customer Success, as well as the Legal department.
- The Compliant Yet Unaware pass tests but fail simulations. They may memorize answers for tests without absorbing the underlying critical-thinking skills, or they see security training as a compliance task to be completed rather than a skillset to be internalized. For example, employees in highly regulated industries or large enterprises often face mandatory, compliance-driven training, and they tend not to genuinely learn the material but to complete the training to check the box and avoid being flagged by HR or their management. This reveals a gap between theoretical knowledge and practical application, so their training needs to focus on bridging the theory-practice gap: use interactive and immersive learning (e.g., video-based scenarios) with branching choices (e.g., “what would you do next?”) instead of passive slides and quizzes.
- The Overconfident may have a low click rate on simple tests but can be caught by sophisticated lures that appeal to their expertise (e.g., a fake alert for a system they manage). They believe they are “too smart to be phished” and may dismiss the training as being for “less savvy” employees. This confidence can be their biggest vulnerability so they need humbling experiences. Their phishing simulations must be highly advanced, technically accurate and specifically tailored to their tools (e.g., a fake GitHub security alert or a Jira outage notice).
- The Bystanders almost never click and almost never report. They represent a significant portion of the population that is often considered low risk. Their primary security behavior is avoidance: they delete suspicious emails but do not take the proactive step of reporting them. This passive behavior denies the SOC team valuable threat intelligence. The goal is to move them from passive to active participants, so training should focus on how one report can protect the entire organization. To do that, emphasize the ease of using the report button and ensure there is zero penalty for false positives. Gamification can also be very effective in their case (e.g., earning points for reports).
- The Repeat Offenders represent the highest-risk group. They consistently fall for simulations across multiple campaigns regardless of difficulty or topic. This behavior may stem from a fundamental lack of risk perception, cognitive overload or simply an unwillingness to engage with the training material. This group requires one-on-one coaching because automated training is not enough, and their manager should be alerted. A supportive conversation is needed to understand the root cause and is critical for mitigating the highest level of human risk.
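To make the segmentation concrete, here is an added Python example (not code from the post or from any SAT product) that assigns each user one of the behavioral risk profiles above from their history across several campaigns. The rules and thresholds are assumptions to tune against your own baseline: clicking in three or more campaigns marks a Repeat Offender; a role flag marks a High-Value Target; a passed quiz combined with a click rate of 50% or more marks Compliant Yet Unaware; clicks only on advanced lures mark Overconfident; a median time-to-click under 60 seconds marks an Impulsive Clicker; reporting at least 75% of lures within 5 minutes and never clicking marks a Security Champion; neither clicking nor reporting marks a Bystander; clicking without submitting credentials and without reporting marks a Hesitant Reporter. The rule precedence, the `CampaignResult`/`UserHistory` layout and the sample users are likewise assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Assumed thresholds: tune them against your own baseline numbers.
IMPULSIVE_TTC_S = 60              # median time-to-click below this = clicking on autopilot
CHAMPION_TTR_S = 300              # median time-to-report at or below this = fast reporter
CHAMPION_MIN_REPORT_RATE = 0.75   # share of lures reported to count as a champion
REPEAT_OFFENDER_MIN_CLICKS = 3    # clicked in this many campaigns, whatever the topic


@dataclass
class CampaignResult:
    """One user's outcome for one simulation (assumed shape of a platform export)."""
    campaign: str
    difficulty: str                        # "basic" or "advanced" lure
    clicked: bool = False
    time_to_click_s: Optional[float] = None
    submitted_credentials: bool = False
    reported: bool = False
    time_to_report_s: Optional[float] = None


@dataclass
class UserHistory:
    user: str
    is_hvt: bool           # role flag: executive, assistant, finance, IT admin
    quiz_passed: bool      # passed the knowledge quiz of the training module
    results: List[CampaignResult]


def classify(u: UserHistory) -> str:
    """Map a user's campaign history to a behavioral risk profile.
    Rule precedence (highest risk first) is an assumption of this example."""
    n = len(u.results)
    clicks = [r for r in u.results if r.clicked]
    reports = [r for r in u.results if r.reported]
    if len(clicks) >= REPEAT_OFFENDER_MIN_CLICKS:
        return "Repeat Offender"
    if u.is_hvt:
        return "High-Value Target"
    if u.quiz_passed and n and len(clicks) / n >= 0.5:
        return "Compliant Yet Unaware"         # knows the theory, fails in practice
    if clicks and all(r.difficulty == "advanced" for r in clicks):
        return "Overconfident"                 # only lures aimed at their expertise work
    if clicks and median(r.time_to_click_s for r in clicks) < IMPULSIVE_TTC_S:
        return "Impulsive Clicker"
    if (not clicks and n and len(reports) / n >= CHAMPION_MIN_REPORT_RATE
            and median(r.time_to_report_s for r in reports) <= CHAMPION_TTR_S):
        return "Security Champion"
    if not clicks and not reports:
        return "Bystander"                     # deletes quietly, never reports
    if clicks and not reports and not any(r.submitted_credentials for r in clicks):
        return "Hesitant Reporter"             # closed the tab, told nobody
    return "No distinct pattern"


def segment(users: List[UserHistory]) -> Dict[str, List[str]]:
    """Group user ids by profile so each group can get its own threat narrative."""
    groups: Dict[str, List[str]] = {}
    for u in users:
        groups.setdefault(classify(u), []).append(u.user)
    return groups


def _r(campaign: str, difficulty: str, **kw) -> CampaignResult:
    return CampaignResult(campaign, difficulty, **kw)


BASIC, ADV = "basic", "advanced"
# Constructed histories for four campaigns (c1, c2 basic; c3, c4 advanced). Hypothetical.
USERS: List[UserHistory] = [
    UserHistory("alice", False, False, [_r("c1", BASIC, clicked=True, time_to_click_s=20),
                _r("c2", BASIC, clicked=True, time_to_click_s=15), _r("c3", ADV), _r("c4", ADV)]),
    UserHistory("bob", False, True, [_r("c1", BASIC, clicked=True, time_to_click_s=600),
                _r("c2", BASIC, clicked=True, time_to_click_s=900),
                _r("c3", ADV, clicked=True, time_to_click_s=400), _r("c4", ADV)]),
    UserHistory("carol", False, True, [_r("c1", BASIC, reported=True, time_to_report_s=120),
                _r("c2", BASIC, reported=True, time_to_report_s=90),
                _r("c3", ADV, reported=True, time_to_report_s=200),
                _r("c4", ADV, reported=True, time_to_report_s=150)]),
    UserHistory("dave", False, True, [_r("c1", BASIC), _r("c2", BASIC), _r("c3", ADV), _r("c4", ADV)]),
    UserHistory("erin", False, True, [_r("c1", BASIC, clicked=True, time_to_click_s=1500),
                _r("c2", BASIC), _r("c3", ADV), _r("c4", ADV)]),
    UserHistory("frank", False, True, [_r("c1", BASIC, reported=True, time_to_report_s=400),
                _r("c2", BASIC), _r("c3", ADV, clicked=True, time_to_click_s=800,
                                    submitted_credentials=True), _r("c4", ADV)]),
    UserHistory("grace", True, True, [_r("c1", BASIC), _r("c2", BASIC), _r("c3", ADV),
                _r("c4", ADV, clicked=True, time_to_click_s=1200)]),
    UserHistory("heidi", False, True, [_r("c1", BASIC, clicked=True, time_to_click_s=300),
                _r("c2", BASIC), _r("c3", ADV, clicked=True, time_to_click_s=500), _r("c4", ADV)]),
]

if __name__ == "__main__":
    for profile, members in segment(USERS).items():
        print(f"{profile:22} {', '.join(members)}")
```

Because the rules are checked in order, a user who is both a Repeat Offender and a High-Value Target lands in the higher-risk group; the order is a policy decision for the SOC team, not a property of the data, which is why it is spelled out as constants and early returns rather than buried in scoring.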
Step 3: Tailor content by threat narrative (preferably not by topic)
Creating training modules or phishing simulations based on broad categories of threats (e.g., a module on ransomware, a phishing test about social media scams or a video on password security) will only teach what a threat is in a theoretical sense, not how it will specifically target end users.
Instead of relying on generic training modules and blanket phishing‑email simulations for the entire organization, it is more suitable to deploy threat narratives that mirror the daily workflows and pressures of each segmented audience.
A threat narrative is a contextual story designed for a specific group and used to see whether the targeted users break a particular security rule in a realistic scenario.
Let’s explore examples for three behavioral risk profiles:
1. A threat narrative for the Impulsive Clickers. As noted, this category needs training focused on building a “pause and assess” habit. A scenario with an urgent request from a high-authority internal sender will lure them into clicking the malicious link.
Sender Name: IT Support Desk
Subject Line: Action Required: Update Your Profile Settings by EOD
Email Body:
“Hi everyone,
As part of our ongoing security enhancement, we are requiring all employees to review and confirm their profile settings (including contact and emergency info) in the employee portal by 5:00 PM today.
This is mandatory to ensure our records are up-to-date for the new system migration.
** Click here to go to the portal and review your settings now **
[MALICIOUS LINK]
Thank you,
The IT Service Desk”
This email works for the Impulsive Clickers category because of:
- Urgency: A same-day deadline creates pressure to act quickly and bypass critical thought.
- Authority: Impersonating a central, trusted and internal team like IT Support Desk improves legitimacy.
- Familiarity: Tasks like updating employee profiles are fairly common and non-threatening, which reduces suspicion.
- Blandness: The email is boringly administrative because there is no reward or shocking news. It is just a routine task which people often click through on autopilot.
- Broad Targeting: It is relevant to absolutely everyone in the company thus making it perfect for catching impulsive behavior across all departments.
The moment after the click on the malicious link is where the real training happens for this group. In their case, the landing page should immediately deliver the lesson. The user should see a friendly and large banner stating:
“This was a simulated phishing test.
You just demonstrated an impulsive click.
Why this is a problem: In a real attack, that link could have led to malware or a credential-stealing page. Your habit of clicking quickly on urgent tasks is what attackers rely on.
How to improve: Get into the H.A.B.I.T.
- Hover over links to see the real URL before clicking.
- Ask yourself “Was I expecting this email?”
- Be wary of urgency and pressure.
- Inspect the sender’s email address carefully.
- Think before you click and take a breath.
[ Continue to a 60-second video recap ]”
For this group, the habit change will take time, but the real initial success is defined by an inflection in two key behavioral metrics:
- An increase in their average time-to-click on subsequent simulations will be evidence that the lesson has been learned. Even if they still click, taking 30 seconds (instead of 5) indicates they are pausing and assessing, which is a major win.
- Over time, as the new habit solidifies, there should be an eventual decrease in their click-through rate (CTR, the % of employees who clicked on a link within a simulated phishing email).
By using this simple, urgent and familiar narrative and pairing it with immediate, constructive feedback, the impulsive behavior can be directly targeted and corrected at the moment it occurred.
2. A threat narrative for the High-Value Targets (HVTs) must be hyper-realistic, highly targeted and display authenticity. The goal is to simulate the exact type of attack they would actually face: either a sophisticated spear-phishing or a whaling campaign. An example scenario is a multi-email thread spoofing the CEO (and potentially another high-level executive) with a discussion trail about a confidential and time-sensitive financial transaction.
“Sender Name: Spoofed to mimic the CEO’s name (e.g., [John Milton]).
Subject Line: Urgent: Acquisition Wire — Confidential
Email Body:
From: [Spoofed CEO’s Name] <[[email protected]rn]>
To: [CFO/Controller Name], [Head of Legal Name]<[[email protected]]>
Cc: [HVT’s Name]<[[email protected]]>
Team,
I’m currently in the final meeting with the Azog Law Firm regarding the Zorglub Company acquisition. We’ve hit a snag and need to secure the exclusivity agreement with a wire transfer today or we risk losing the deal.
Jonathan, I need you to prioritize this above all else. The amount is $187,500.
Pay attention that the beneficiary details have changed so use the attached PDF for the new account information. The previous bank had a routing issue.
This is time-sensitive and confidential. Do not discuss outside of this thread.
Confirm to me directly via text once initiated.
John Milton
[Attachment: professionally crafted “Updated Banking Details.pdf”]”
This email has a good chance of working on the HVTs category because of:
- Authority & Pressure: Direct and urgent orders from the highest authority figure in the company.
- Confidentiality: Instructions not to discuss it will create isolation and prevent verification.
- Contextual plausibility: References real entities (e.g., a law firm with the actual company name), realistic amounts and a plausible business scenario (e.g., M&A).
- Multi-layered lure: Combines spoofing, urgency, a malicious attachment and a request to bypass normal wiring transfer procedures.
- Personalization: The HVT is named directly and given a specific and critical task aligned with their role.
If the targeted user takes the bait, the training must be immediate and powerful.
So if they opened the attachment, the PDF should contain a clear message:
[SECURITY SIMULATION]
You’ve just bypassed a critical control.
Why this is critical: In a real attack, this file could have deployed malware. You were targeted because of your role and authority in the company. Always verify unexpected payment requests through a secondary channel (e.g., a known phone number or a colleague) before acting.
If they reply to the email, an auto-response could trigger this message:
Simulated Exercise: This email originated from a security training simulation. You engaged with a highly realistic whaling attempt. Please contact the security team immediately for a briefing.
If they report the email, this is the desired outcome so the response should be:
Excellent catch. This was a simulated high-target attack. Thank you for your extreme vigilance. You have successfully protected company assets.
To measure success for this intervention, one should monitor these values:
- The primary metric is the report rate. The desired outcome is that the HVT reports the email to the security team for verification.
- The critical metric is verification attempts. Did the user attempt to verify the request via a phone call or other channels before acting? This key metric can be measured through follow-up surveys, cross-checks or interviews.
- The additional indicator is the Click/Open rate without reporting (or the report rates per department). A failure here indicates a critical need for immediate and one-on-one coaching.
This threat narrative moves far beyond a prosaic “don’t click bad links” approach. It tests the core security behaviors of HVTs: skepticism of authority, adherence to financial controls and the courage to “never trust and always verify” even when under extreme pressure.
3. A threat narrative for the Repeat Offenders risk profile. Due to a deep-rooted behavior gap, this category consistently fails phishing simulations across multiple campaigns regardless of topic or difficulty. The narrative must be unavoidable, credible and directly relevant to every employee. It will use a “forced action” lure that requires them to consciously bypass a warning sign. A scenario can use a high-compliance, low-suspicion subject from HR requiring mandatory acknowledgment of a new company policy.
“Sender Name: Human Resources <[email protected]> (Spoofed to look legitimate)
Subject Line: Action Required: Mandatory Acknowledgement of Updated Hybrid Work Policy
Email Body: Dear Employee,
Please be advised that the updated Hybrid Work Policy is now in effect. As per management directive, all employees must review and acknowledge the policy by this Friday, 5PM.
This is a mandatory requirement for all staff. Failure to complete this may result in a delay of your ability to access remote working tools.
Please click here to review the policy and provide your electronic signature.
[MALICIOUS LINK]
Thank you,
Human Resources Department
+1 234 567 8910
The Acme Corporation
We Build Complex And Deliver Simple.”
This works for Repeat Offenders due to:
- High relevance: Every employee must comply with HR directives. No exception.
- High credibility: The request is boringly administrative and perfectly plausible.
- Mild consequence: The suggested consequence (here a delay accessing some remote tools) is believable and mildly inconvenient. It creates enough pressure to act but not so much as to cause panic and a call to IT Support for instance.
- Forced action: It requires a conscious action (here providing an electronic signature) making the click intentional.
- Simple lure: This test email is not overly complex which is ideal for testing the core issue: a habitual tendency to click on legitimate-looking internal requests.
The response to a click must be different from anything they have seen before. It cannot be a simple “you’ve been phished” page they can click away from. What they will see after clicking should be a “hard stop” landing page that cannot be immediately closed. It can be a full-screen and unclosable message with the company branding:
Acme Corp Security Intervention Required
Our records indicate you have repeatedly failed similar security tests.
To protect company data and your own personal information, you are now required to complete the following:
1. Mandatory Video Briefing: You must now watch a 3-minute video on the fundamentals of identifying phishing attempts.
2. Schedule a Security Meeting: Please click the button below to schedule a 15-minute, one-on-one meeting with a member of the Security Team to discuss your challenges and answer your questions.
[ Button: “Acknowledge and Schedule Meeting” ]
You may not close this browser tab until you have scheduled the meeting. Your manager has been notified of this requirement.
For this particular behavioral risk profile, success is not measured by a metric in the next phishing campaign but by the completion of the intervention itself.
- Primary metric: Completion rate of the mandatory security meeting. The goal is to have a supportive and non-punitive conversation to understand the root cause (e.g., is it training comprehension, workload pressure or a specific cognitive gap?).
- Secondary metric: Completion of the mandatory video before the mandatory security meeting.
- Long-term metric: A sustained reduction in failure rates over several subsequent campaigns indicating the intervention was effective. If there is no sustained reduction in failure rates after a significant intervention period (e.g., at least 2–3 SAT campaigns over 3-6 months), it means the initial intervention failed to address the root cause. This is a major red flag that requires escalating the issue from a training problem to a performance and risk management problem.
This approach moves beyond an automated system and treats the Repeat Offenders group as a critical risk that requires a human-centric resolution. The goal is to help them to finally break the failure cycle.
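The success metrics given above for the Impulsive Clickers (time-to-click rising first, click-through rate falling later) and for the Repeat Offenders (a sustained reduction in failure rate over at least 2-3 follow-up campaigns, otherwise escalation) can be tracked campaign over campaign with the added Python example below. It is not code from the post or from any SAT tool: the cohort, the campaign names and the per-campaign rows are constructed, and “failure” is taken to mean clicking the lure.

```python
from statistics import median
from typing import Dict, List, Optional, Sequence, Tuple

# (campaign, user, clicked, time_to_click_s, reported): one row per delivered lure.
Row = Tuple[str, str, bool, Optional[float], bool]

# Constructed cohort of four users flagged in the baseline campaign c0, followed
# through three post-intervention campaigns c1..c3. Hypothetical data.
ROWS: List[Row] = [
    ("c0", "alice", True, 20, False), ("c0", "ivan", True, 10, False),
    ("c0", "judy", True, 30, False), ("c0", "kim", True, 25, False),
    ("c1", "alice", True, 45, False), ("c1", "ivan", True, 35, False),
    ("c1", "judy", False, None, True), ("c1", "kim", True, 60, False),
    ("c2", "alice", False, None, True), ("c2", "ivan", True, 90, False),
    ("c2", "judy", False, None, True), ("c2", "kim", True, 120, False),
    ("c3", "alice", False, None, True), ("c3", "ivan", True, 150, False),
    ("c3", "judy", False, None, True), ("c3", "kim", False, None, True),
]


def campaign_metrics(rows: Sequence[Row], campaign: str) -> Dict[str, Optional[float]]:
    """Click rate, median time-to-click and report rate of the cohort in one campaign."""
    subset = [r for r in rows if r[0] == campaign]
    if not subset:
        raise ValueError(f"no rows for campaign {campaign!r}")
    clicks = [r for r in subset if r[2]]
    return {
        "click_rate": len(clicks) / len(subset),
        "median_time_to_click_s": median(r[3] for r in clicks) if clicks else None,
        "report_rate": sum(1 for r in subset if r[4]) / len(subset),
    }


def impulsive_progress(rows: Sequence[Row], baseline: str, follow_up: str) -> Dict[str, bool]:
    """Signals for the Impulsive Clickers: a longer time-to-click is the first win,
    a lower click-through rate the eventual one."""
    before, after = campaign_metrics(rows, baseline), campaign_metrics(rows, follow_up)
    b_ttc, a_ttc = before["median_time_to_click_s"], after["median_time_to_click_s"]
    return {
        # Nobody clicking in the follow-up also counts as pausing more.
        "pausing_more": a_ttc is None or (b_ttc is not None and a_ttc > b_ttc),
        "click_rate_down": after["click_rate"] < before["click_rate"],
    }


def repeat_offender_review(rows: Sequence[Row], baseline: str, follow_ups: Sequence[str],
                           min_campaigns: int = 3) -> Dict[str, object]:
    """Sustained reduction = every follow-up campaign's failure (click) rate below the
    baseline, judged only once at least min_campaigns follow-ups have run."""
    base_rate = campaign_metrics(rows, baseline)["click_rate"]
    rates = [campaign_metrics(rows, c)["click_rate"] for c in follow_ups]
    enough = len(rates) >= min_campaigns
    sustained = enough and all(r < base_rate for r in rates)
    return {
        "baseline_click_rate": base_rate,
        "follow_up_click_rates": rates,
        "sustained_reduction": sustained,
        # Enough data and still no sustained drop: no longer a training problem.
        "escalate": enough and not sustained,
    }


if __name__ == "__main__":
    for c in ("c0", "c1", "c2", "c3"):
        print(c, campaign_metrics(ROWS, c))
    print("impulsive c0->c1:", impulsive_progress(ROWS, "c0", "c1"))
    print("repeat offenders:", repeat_offender_review(ROWS, "c0", ["c1", "c2", "c3"]))
```

With fewer follow-up campaigns than `min_campaigns` the review reports neither success nor escalation, which keeps a single good or bad campaign from ending the intervention early; the threshold of three follows the 2-3 campaigns the narrative above suggests.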
In essence, the whole baseline process matures from a broad but effective diagnostic (Phase 1) to a precise and targeted treatment plan (Phase 2). Phase 1 identifies the “sick” departments, and Phase 2 diagnoses the specific “illness” within each department to prescribe the right “medicine.” This two-stage approach ensures resources are allocated efficiently to where they will have the greatest impact on strengthening the organization’s human firewall.
Bottom line
Launching an effective security‑awareness program requires realistic and targeted phishing simulations paired with immediate feedback, simple reporting options and ongoing measurement.
A SAT program starts with a multi-faceted baseline assessment to establish an understanding of the workforce’s security habits across different departments and risk profiles. It moves past guesswork, delivers a data‑driven view of the organization’s overall security stance and exposes vulnerability patterns across departments and individual behavior.
The collection of benchmarks gives the SOC team valuable insight for setting achievable objectives and directing interventions. SAT baselines come in combination with deploying the right tools, customizing content and rewarding positive actions, so that companies can meaningfully decrease the chance that a genuine attack will succeed. Ultimately, this process is designed to systematically and measurably reduce corporate phishing risk.
About Me
I am a Blue Team SecOps analyst in the FinTech insurance sector. My focus is on safeguarding sensitive assets by applying threat-informed defense strategies and ensuring strict adherence to industry standards (e.g., ISO 27001, ISO 27701, NIST).