Thanks for your feedback everyone. It’s nice to know we are having similar experiences compared to other companies just starting to test their employees.
For those of you who said their goal is “0”…
While the security guy in me agrees 100%, the guy who’s been in I.T. for more than 20 years doesn’t think it’s realistic. The reason why is, we are all human. We see something shiny and we want it. We see a good deal, the new high definition TV, someone is going to click. Puppy pictures, come on… I am not saying we shouldn’t expect the most from our users but we do need to be real.
What is probably as important, if not more important, is what does that person do after they realize they have just been had? Do they immediately call the Help Desk? Do they try to hide the fact they got infected and limp along until their system doesn’t function anymore? Do they get ransomware and then go on vacation without telling anyone until they return three weeks later? (Yes, this happened).
I think a realistic goal is 1% or less and the expectation is the training makes them realize how important it is to remedy the situation as quickly as possible when they do.