KnowBe4 recently launched its Phishing by Industry Benchmarking Report 2025, which measures an organization’s Phish-prone Percentage (PPP) — the percentage of employees likely to fall for social engineering or phishing attacks. It can be an indicator of the organization’s overall susceptibility to phishing threats. This year’s report found a global average baseline PPP of 33.1 percent – meaning one-third of employees interact with phishing simulations before taking part in best-practice security awareness training (SAT).
The data underscores the significant impact of SAT in mitigating risk. The rapid decline in the global PPP following the implementation of training — falling by 40 percent in just three months and by a total of 86 percent after 12 months — demonstrates that ongoing, effective training leads to lasting behavior change and a substantial reduction in vulnerability to cybersecurity threats. This highlights the critical role of continuous education in building a stronger security culture within organizations.
KnowBe4 analyzed 67.7 million phishing simulations across 14.5 million users from over 60,000 organizations. The baseline PPP (33.1 percent) reflects an organization’s susceptibility to phishing before any KnowBe4 training. Employees then undergo KnowBe4’s SAT, and the PPP is recalculated after 90 days and again after one year-plus of ongoing training to quantify the program’s effectiveness.
The report also found that larger organizations faced a higher initial phishing risk, with those having 10,000+ employees showing a global baseline PPP of 40.5 percent, compared to 24.6 percent for organizations with 1-250 employees.
“The data speaks for itself — security awareness training truly makes a difference,” said Stu Sjouwerman, CEO of KnowBe4. “From 2024 to 2025, the general trend has remained fairly consistent — around one-third of employees click on a simulated phishing link before taking part in training. However … within a year, we’ve seen a 3.5 percent decrease in the global baseline PPP, highlighting a positive shift in overall security awareness worldwide. However, there is still significant progress to be made in fully addressing phishing risks.”
A copy of the report is available by clicking here.