Not all employees pose equal risk, but repeat offenders put the whole organization at risk.
Every CISO has experienced this scenario: you run a phishing simulation, and most employees pass, some fail, and the same few fail again each quarter. They’re not careless, but they are consistent.
And consistent matters.
Even with phishing defenses in place, your greatest area of risk may not be the people who make one mistake. It may be the repeat offenders who keep failing simulated phishing exercises, or who fall for a real one.
Knowing who they are, why they struggle, and how you can assist them can be the difference between isolated mistakes and a full-blown incident.
This is where the Repeat Offender Rate comes in, and why targeted remediation is more effective and more cost-efficient than generic security awareness training.
Why Repeat Offenders Deserve Extra Attention
Phishing simulations are not about catching people off guard, but about growing awareness through experience.
Over time, most employees correct their behavior after a mistake. Those who do not become the small percentage of repeat offenders.
Repeat offenders are employees who fail phishing simulations despite multiple rounds of awareness training and phishing exercises.
Despite being a small part of your overall workforce, often representing less than 10%, they contribute a disproportionate level of human risk exposure.
Why is that? Because attackers only need a single person to click once.
This is why finding and isolating repeat offenders is one of the most effective uses of your awareness budget.
What Does the Repeat Offenders Rate Mean?
Repeat Offenders Rate (ROR) is a behavioral metric that tracks the percentage of employees who fail multiple phishing simulations over a defined time period.
It answers two important questions:
- How many people are repeatedly susceptible?
- Where should I focus my remediation efforts for maximum effect?
For example, if you have 500 employees and 25 of them fail two or more phishing simulations in six months, you would report a 5% repeat offender rate. In other words, a small group accounts for the majority of your phishing risk.
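As an added example (not TSAT's code or data), the following Python computes the Repeat Offender Rate from constructed simulation records, treating a click as a failure and applying a six-month window, and also groups the offenders by department, which is the view the trend-mapping step later on this page describes. The headcount, names, departments and dates are assumed sample values.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample data (not TSAT output): one row per employee per campaign.
# Outcome is "clicked" (failed), "reported" (passed) or "ignored" (neither).
HEADCOUNT = 40                  # assumed total workforce for the rate
WINDOW_END = date(2024, 6, 30)  # end of the six-month reporting period
RESULTS = [
    ("alice", "finance", date(2024, 1, 15), "clicked"),
    ("alice", "finance", date(2024, 3, 12), "clicked"),
    ("bob",   "finance", date(2024, 1, 15), "clicked"),
    ("bob",   "finance", date(2024, 3, 12), "reported"),
    ("carol", "sales",   date(2024, 1, 15), "clicked"),
    ("carol", "sales",   date(2024, 5, 20), "clicked"),
    ("dave",  "sales",   date(2023, 6, 1),  "clicked"),  # before the window
    ("dave",  "sales",   date(2024, 5, 20), "clicked"),
    ("erin",  "hr",      date(2024, 1, 15), "ignored"),
    ("erin",  "hr",      date(2024, 3, 12), "ignored"),
]

def failures_in_window(results, window_end, window_days=182):
    """Count failed (clicked) simulations per employee inside the window."""
    window_start = window_end - timedelta(days=window_days)
    counts = Counter()
    department = {}
    for employee, dept, when, outcome in results:
        department[employee] = dept
        if outcome == "clicked" and window_start <= when <= window_end:
            counts[employee] += 1
    return counts, department

def repeat_offenders(results, window_end, window_days=182, min_failures=2):
    """Employees who failed at least min_failures simulations in the window."""
    counts, department = failures_in_window(results, window_end, window_days)
    return {e: (department[e], n) for e, n in counts.items() if n >= min_failures}

def repeat_offender_rate(results, headcount, window_end, **kw):
    """Repeat Offender Rate as a percentage of total headcount."""
    return 100.0 * len(repeat_offenders(results, window_end, **kw)) / headcount

def offenders_by_department(results, window_end, **kw):
    """Where to focus remediation: repeat offenders grouped by department."""
    groups = defaultdict(list)
    for employee, (dept, _) in repeat_offenders(results, window_end, **kw).items():
        groups[dept].append(employee)
    return dict(groups)

if __name__ == "__main__":
    print(f"ROR: {repeat_offender_rate(RESULTS, HEADCOUNT, WINDOW_END):.1f}%")
```

Widening the window (for example `window_days=400`) pulls Dave's older failure back in, which is why the reporting period must be stated alongside the rate.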
A high Repeat Offenders Rate is less about poor awareness of phishing risks and more about a gap in training effectiveness.
Employees may not know how to process all the information they receive in training; they might disengage, or they may not have learning content that fits their learning style or job context.
This isn’t a failure of people; it is ultimately a failure of targeting.
The Cost of Letting Repeat Offenders Go Unaddressed
It is easy to write off the phishing results as coincidence and move on. But letting repeat offenders go unaddressed amplifies risk. Here’s why:
Breach probability increases: Those who consistently click on links are statistically more likely to be victimized in real attacks, especially sophisticated ones such as spear phishing or credential harvesting.
Compliance exposure: Regulatory frameworks, such as ISO 27001, GDPR, and NIST, all require that remediation and training have occurred for vulnerable users.
Operational drain: Every click carries incident response work, SOC triage time, and lost productivity.
Cultural messaging: When nothing is done to remediate repeat offenders, other users come to see awareness training as a joke that is not taken seriously.
How TSAT Tracks the Repeat Offenders Rate
This is where TSAT (Threatcop Security Awareness Training) can make this seamless and data-oriented.
TSAT does not treat phishing results as independent occurrences; it connects results from campaign to campaign, building a behavioral timeline for every employee.
Here’s how:
Simulation history: TSAT logs every employee’s encounter with each phishing campaign, recording who clicked, who flagged it, and who did nothing.
Trend mapping: The platform maps results across campaigns over time to identify users who consistently fail or underperform.
Employee Vulnerability Score (EVS): Repeated failures raise an employee’s vulnerability score, giving a measurable indicator of human risk.
Managerial Reporting: The CISO and awareness managers receive dashboards that provide visuals about departments or individuals with repeated vulnerabilities.
Strategies for Targeted Remediation That Work
After TSAT identifies your repeat offenders, the next action is personalized remediation, not public punishment.
Here’s how the best organizations successfully remediate repeat offenders:
1. Execute Focused Simulations
Use TSAT to deliver additional phishing simulations to repeat offenders regularly, such as fake invoice phishing, internal memos, and social messages. Each simulation starts from a clean slate, tests a different psychological trigger, and measures whether knowledge and behavior have improved.
2. Personalized Microlearning in TLMS
Directly tie the results back into TLMS (Threatcop Learning Management System). Provide one or two short, engaging modules that fit the employee’s learning style and the risk they exhibited, like “Identifying Internal Spoofs” or “Recognizing Urgent Language.” Learning should feel like support, not discipline.
3. 1:1 Coaching or Mentoring
Pair repeat offenders with Security Champions, peers who can offer guidance, discussion, and reinforcement in the moment. Learning from peers builds empathy and normalizes vulnerability.
4. Positive Reinforcement
Reward improvement rather than punishing mistakes. Small acknowledgements, like a “Fast Reporter” badge or a shout-out in a team meeting, change behavior faster than threats ever could.
The Bigger Picture: Turning Weakness Into Insight
Repeat offenders are not a failure; they are feedback.
They show where your awareness message is not resonating, and that is an opportunity to change behavior.
Consider shifting your focus from organization-wide compliance to targeted remediation, support and awareness, and to building a learning culture that is both empathetic and measurable.
Because in security, the goal is not to never make a mistake; it is to learn from every mistake and change behavior faster than attackers can exploit it.
Reduce your highest risk group through targeted remediation. See how TSAT identifies and supports repeat offenders and turns every failure into progress.
