August 16, 2025
Insight
Users as Sensors: Measure Report-Rate, Not Shame
Click-rates don't stop fraud. Reporting speed does. For scaling tech companies, your people aren't liabilities - they're sensors. Treat them that way, and you'll build both stronger defences and cleaner audit evidence.
Picture this: your finance lead picks up a call from a cloned voice pretending to be a supplier. It's polished enough that she nearly approves a six-figure transfer. But instead, three minutes later, she forwards the voicemail to IT: "This felt wrong. Can you check?"
That isn't a failure. That's the system working.
And yet, most security training programmes don't measure that moment - the reporting. They obsess over click rates, run "gotcha" tests, and shame staff for falling for bait that no real attacker would ever use. The result? Employees stay quiet when something feels off. Which is exactly how a nuisance turns into a breach.
Why clicks don't matter (and speed does)
Click rates are the wrong signal. A phishing campaign showing 2% click-through tells you nothing about whether finance would flag a fraudulent invoice or HR would escalate a fake CV.
Shame kills reporting. If staff think they'll be punished, they won't raise a hand. Silence is how an attack lingers.
Auditors and insurers care about response, not "gotchas." Whether you're aligning with ISO 27001, preparing for an FCA review, or renewing cyber insurance, what matters is proof of detection and escalation.
What to measure instead
Think of your team as a distributed sensor network. The point isn't perfection - it's signal strength and speed.
Report speed. How long from suspicious contact to escalation? In strong cultures: under 15 minutes.
Report quality. Did staff capture enough context for security to act?
Role-specific reporting. Finance should flag invoice fraud. HR should flag CV scams. Vendor managers should flag supplier impersonation.
Cross-channel joins. Did someone link a dodgy text to a matching email?
These are the metrics that show your people are active sensors, not silent bystanders.
Building reporting into the system
There are a few essential processes you can build in from today that will make life easier:
Make it easy. One-click forwarding, a "report" button, or a hotline.
Respond fast. Acknowledge within minutes. Feedback keeps confidence alive.
Reward, don't punish. Thank the person who raised the flag - publicly.
Log everything. Timestamps, classifications, outcomes. That's your audit trail.
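To make the four metrics above concrete, and to show what the "log everything" audit trail can be turned into, here is an added example (not code from the original post) that scores a constructed report log on report speed against the 15-minute target, report quality, role-specific coverage and cross-channel joins; the record layout, the role and category names and the required context fields are assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample report log (not real data). Each record is one user
# report: when the suspicious contact happened, when it was escalated, who
# reported it, which channel it came in on, what context the reporter captured,
# and whether they linked it to an earlier report that arrived on another channel.
REPORTS = [
    {"id": 1, "role": "finance", "channel": "voice", "category": "invoice_fraud",
     "contact": "2025-08-11T09:00:00", "reported": "2025-08-11T09:03:00",
     "context": {"sender", "ask", "recording"}, "linked_to": None},
    {"id": 2, "role": "hr", "channel": "email", "category": "cv_scam",
     "contact": "2025-08-11T11:00:00", "reported": "2025-08-11T11:40:00",
     "context": {"sender"}, "linked_to": None},
    {"id": 3, "role": "vendor_mgmt", "channel": "email", "category": "supplier_impersonation",
     "contact": "2025-08-11T14:00:00", "reported": "2025-08-11T14:10:00",
     "context": {"sender", "ask"}, "linked_to": None},
    {"id": 4, "role": "vendor_mgmt", "channel": "sms", "category": "supplier_impersonation",
     "contact": "2025-08-11T14:05:00", "reported": "2025-08-11T14:12:00",
     "context": {"sender", "ask"}, "linked_to": 3},
]


def report_metrics(reports, sla=timedelta(minutes=15), required=("sender", "ask")):
    """Score a report log on speed, quality, role coverage and cross-channel joins."""
    delays = {r["id"]: datetime.fromisoformat(r["reported"]) - datetime.fromisoformat(r["contact"])
              for r in reports}
    by_id = {r["id"]: r for r in reports}
    # Report speed: median minutes from contact to escalation, and the share inside the SLA.
    median_minutes = median(d.total_seconds() for d in delays.values()) / 60
    within_sla = [i for i, d in delays.items() if d <= sla]
    # Report quality: did the reporter capture every field security needs in order to act?
    good_quality = [r["id"] for r in reports if all(k in r["context"] for k in required)]
    # Role-specific reporting: which fraud categories each role has actually flagged.
    categories_by_role = {}
    for r in reports:
        categories_by_role.setdefault(r["role"], set()).add(r["category"])
    # Cross-channel joins: a report linked to an earlier report from a different channel.
    joins = [r["id"] for r in reports
             if r["linked_to"] in by_id and by_id[r["linked_to"]]["channel"] != r["channel"]]
    return {
        "median_minutes": median_minutes,
        "within_sla_share": len(within_sla) / len(reports),
        "over_sla_ids": sorted(set(delays) - set(within_sla)),  # for follow-up, not blame
        "quality_share": len(good_quality) / len(reports),
        "categories_by_role": categories_by_role,
        "cross_channel_joins": len(joins),
    }


if __name__ == "__main__":
    for key, value in report_metrics(REPORTS).items():
        print(f"{key}: {value}")
```

The `over_sla_ids` list is the feedback queue for the "respond fast" step: it tells you who needs a quicker acknowledgement loop, not who to name.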
The compliance connections
This isn't just about active defence and detection, it's about keeping regulators and insurers happy:
Scaling tech companies: ISO 27001 requires you to measure awareness effectiveness (Annex A.7.2.2). Insurers increasingly ask for evidence of detection, not just generic training.
Fintechs: The FCA and PRA expect you to show operational resilience through detection and escalation. Evidence of reporting culture is key.
EU operations: DORA Article 17 and NIS2 Article 23 both require systematic, role-appropriate testing and training. Reporting metrics are the evidence.
The bottom line
Your people aren't the weakest link. They're your early warning system. But only if you stop treating them like culprits and start measuring them like sensors.
The next compliance review won't be impressed by your "phish click rate." Reviewers will be impressed if you can show that when something feels wrong, your people report it - fast, with detail, and with proof.
That's the behaviour that stops attacks and satisfies auditors.