Phishing Training Concept: 4 Quarterly Modules + Simulations
TL;DR
- Industry baseline 2025: 22% click rate on first simulation (KnowBe4 benchmarks)
- After 6 months of consistent training: 8-12% click rate
- After 12 months: 4-6% is a realistic top-quartile outcome
- Works council involvement is mandatory in Germany under Section 87(1) no. 6 BetrVG
- EU-hosted vendors: SoSafe (DE), Hoxhunt (FI), Cyberday (FI), Lucy Security (CH)
1. Q1: Foundations + first simulation
30-minute module: what is phishing, examples, red flags. Then run Simulation 1 (basic phishing) to establish a click-rate baseline. Communicate the program to staff in advance to set expectations.
2. Q2: Spear phishing and whaling
30-minute module on targeted attacks: CEO fraud, invoice manipulation, supplier impersonation. Simulation 2 at medium difficulty.
3. Q3: Voice phishing and smishing
30-minute module on phone-based fraud, SMS phishing, MFA-bypass attempts. Simulation 3 with a voice component (or callback link).
4. Q4: AI phishing and deepfakes
30-minute module on AI-generated phishing emails, voice cloning, and deepfake video. Simulation 4 with AI-generated content. This is the fastest-growing risk vector for 2026.
5. Vendor comparison
| Vendor | Origin | Pricing per employee/year |
|---|---|---|
| SoSafe | Germany (EU) | EUR 8-15 |
| Hoxhunt | Finland (EU) | EUR 10-18 |
| KnowBe4 | USA (DPF) | EUR 12-20 |
| Lucy Security | Switzerland | EUR 9-16 |
For 100 employees, expect EUR 800-2,000 per year in tooling.
6. Works council and GDPR
In Germany, Section 87(1) no. 6 BetrVG requires works-council co-determination because phishing simulations are technical means capable of monitoring employee conduct. A works agreement should specify aggregation, anonymization, maximum number of tests per year, and zero linkage to performance reviews. Section 26 BDSG also applies for the personal-data side.
7. Escalation plan
Use anonymized analytics by default. For repeat clickers (typically 8-15% of staff): 1:1 coaching, not punishment. The most powerful "positive" metric is the count of phishing reports submitted via the email-client reporting button.
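To make "anonymized analytics by default" and the two metrics (click rate and report rate) concrete, here is an added example that is not from the original page or any of the vendors it names: it computes per-simulation rates, suppresses department rows smaller than a minimum group size, reports repeat clickers as a share rather than as names, and checks the annual test cap a works agreement would fix. The sample results, the field layout, and the thresholds MIN_GROUP and MAX_TESTS_PER_YEAR are all constructed for illustration.

```python
from collections import defaultdict

MIN_GROUP = 3            # constructed threshold; an agreement would pick a larger value
MAX_TESTS_PER_YEAR = 4   # constructed cap of the kind a works agreement fixes

# Constructed sample results: (simulation_no, pseudonym, department, clicked, reported)
RESULTS = [
    (1, "u01", "finance", True,  False), (1, "u02", "finance", False, True),
    (1, "u03", "finance", False, False), (1, "u04", "it",      True,  False),
    (1, "u05", "it",      False, True),  (1, "u06", "it",      False, False),
    (1, "u07", "it",      True,  False), (1, "u08", "hr",      True,  False),
    (2, "u01", "finance", True,  False), (2, "u02", "finance", False, True),
    (2, "u03", "finance", False, True),  (2, "u04", "it",      True,  False),
    (2, "u05", "it",      False, False), (2, "u06", "it",      False, True),
    (2, "u07", "it",      False, False), (2, "u08", "hr",      False, False),
]

def within_test_cap(results, max_tests=MAX_TESTS_PER_YEAR):
    """True if the number of distinct simulations stays within the agreed cap."""
    return len({r[0] for r in results}) <= max_tests

def _rates(rows):
    n = len(rows)
    return {"recipients": n,
            "click_rate": round(sum(r[3] for r in rows) / n, 4),
            "report_rate": round(sum(r[4] for r in rows) / n, 4)}

def simulation_rates(results):
    """Program-level click and report rate per simulation; no identities returned."""
    by_sim = defaultdict(list)
    for r in results:
        by_sim[r[0]].append(r)
    return {sim: _rates(rows) for sim, rows in sorted(by_sim.items())}

def department_rates(results, sim_no, min_group=MIN_GROUP):
    """Per-department rates for one simulation; groups below min_group are suppressed."""
    by_dept = defaultdict(list)
    for r in results:
        if r[0] == sim_no:
            by_dept[r[2]].append(r)
    return {d: _rates(rows) for d, rows in by_dept.items() if len(rows) >= min_group}

def repeat_clicker_share(results, min_clicks=2):
    """Share of recipients who clicked in >= min_clicks simulations (ratio only)."""
    sims_clicked = defaultdict(set)
    for sim, pid, _, clicked, _ in results:
        if clicked:
            sims_clicked[pid].add(sim)
    repeaters = sum(1 for s in sims_clicked.values() if len(s) >= min_clicks)
    return round(repeaters / len({r[1] for r in results}), 4)
```

The one-person "hr" group is dropped from the department view, which is the kind of suppression an anonymization guarantee in the works agreement would call for.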
Summary
A quarterly phishing program with monthly simulations, run with a vendor like SoSafe and a clean works-council agreement, halves click rates within six months. Track click rates AND report rates - the latter is the better leading indicator of awareness.
Frequently Asked Questions
What click rate is considered 'good' in phishing simulations?
Industry median 2025: 22% click rate on the first test (KnowBe4 Phishing Industry Benchmarks Report 2025). After 6 months of consistent training: 8-12% click rate. After 12 months: 4-6% click rate is an achievable top goal. Top-performing companies achieve <2%. 'Repeat clickers' (multiple phishing clicks) are the main problem — typically 8-15% of the workforce. They require 1:1 coaching, but are not 'training failures' — usually stress and workload factors are involved. Mandatory training worsens the problem; positive coaching is more effective.
Do we have to involve the works council in phishing simulations?
Yes, mandatorily under Section 87 para. 1 no. 6 BetrVG (German Works Constitution Act) (technical devices for monitoring behavior/performance). Even if phishing tests are evaluated in aggregate, individual click rates are technically traceable — therefore subject to co-determination. In practice: a works agreement with an anonymization guarantee, maximum number of tests per year, no link to performance reviews. Data protection: Section 26 BDSG (German Federal Data Protection Act) requirement + information for employees. Without works council consent: test results are not usable, with possible AGG (German General Equal Treatment Act) claims in cases of sanctioned behavior.
Which phishing training provider is GDPR-compliant?
EU hosting providers: SoSafe (DE market leader, from EUR 8/employee/year), Hoxhunt (FI, EUR 10-18), Cyberday (FI), Lucy Security (CH). US providers with DPF: KnowBe4 (EUR 12-20), Proofpoint Security Awareness, Cofense. Recommendation for DACH SMEs: SoSafe due to GDPR-by-design, multi-language (DE+EN+FR+IT), and works-council-compliant anonymization. For ISO 27001-certified companies: KnowBe4 due to comprehensive reports. Costs for 100 employees: EUR 800-2,000/year.
How do you combine phishing tests with awareness training?
12-month program: Q1 onboarding training (45 min) + first simulation (baseline). Q2 spear phishing module (30 min) + simulation 2 (medium difficulty). Q3 voice phishing/smishing module (30 min) + simulation 3 (voice component). Q4 AI phishing/deepfake module (30 min) + simulation 4 (AI-generated). Monthly 'lessons learned' newsletter (5 min reading time). Expected reduction: 22% → 6-8% click rate in 12 months. Plus: a phishing reporting button in the email client as a 'positive' metric (number of reported phishing emails = awareness indicator).
Sources
- BSIG 2025 (Section 30(2)(7) training) (As of: 2026-05-02)
- Directive (EU) 2022/2555 — NIS2 (As of: 2026-05-02)
- German Federal Data Protection Act (Section 26 BDSG) (as of: ongoing)