Phishing Attack Exposure Calculator

Estimate your organization's phishing exposure risk score and expected annual phishing incidents based on workforce size, security controls, and historical data.

Formula

1. Annual Phishing Emails Reaching Inbox
Emails = Employees × 52 × FilterPassRate × IndustryMultiplier

2. MFA Protection Factor
MFA_Protection = 1 − (MFA_Adoption% / 100) × 0.99

3. Expected Annual Compromises (Model)
Compromises = Emails × TrainingClickRate × MFA_Protection

4. Bayesian Blend with Historical Data
Blended = 0.6 × ModelCompromises + 0.4 × ObservedIncidents (applied only when ObservedIncidents > 0; otherwise Blended = ModelCompromises)

5. Exposure Risk Score
RiskScore = min(100, (Blended / Employees) × 100 × IndustryMultiplier)
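
The five formula steps above, implemented as an added Python illustration (not the calculator's own code): the blend is applied only when historical incidents are recorded, and the score is capped at 100. The dataclass, its field names and the input range checks are this example's own assumptions.

```python
from dataclasses import dataclass

# Constants as stated in the calculator's formulas and assumptions.
WEEKS_PER_YEAR = 52          # ~1 phishing email per employee per week
MFA_BLOCK_RATE = 0.99        # MFA stops ~99% of credential-based takeovers
MODEL_WEIGHT = 0.6           # Bayesian blend: weight on the model estimate
OBSERVED_WEIGHT = 0.4        # Bayesian blend: weight on historical incidents

@dataclass(frozen=True)
class Inputs:
    """Calculator inputs (field names are this example's own, not the page's)."""
    employees: int
    filter_pass_rate: float      # fraction of phishing that gets past filtering, 0..1
    industry_multiplier: float   # relative targeting frequency, 1.0 = baseline
    mfa_adoption_pct: float      # share of accounts protected by MFA, 0..100
    training_click_rate: float   # fraction of recipients who click, 0..1
    observed_incidents: int = 0  # historical annual compromises; 0 = none recorded

    def __post_init__(self):
        if self.employees <= 0:
            raise ValueError("employees must be positive")
        for name in ("filter_pass_rate", "training_click_rate"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1")
        if not 0.0 <= self.mfa_adoption_pct <= 100.0:
            raise ValueError("mfa_adoption_pct must be between 0 and 100")

def phishing_emails(i: Inputs) -> float:
    # Step 1: phishing emails reaching inboxes per year
    return i.employees * WEEKS_PER_YEAR * i.filter_pass_rate * i.industry_multiplier

def mfa_protection(i: Inputs) -> float:
    # Step 2: residual fraction of compromises that MFA does not stop
    return 1.0 - (i.mfa_adoption_pct / 100.0) * MFA_BLOCK_RATE

def model_compromises(i: Inputs) -> float:
    # Step 3: expected annual compromises from the model alone
    return phishing_emails(i) * i.training_click_rate * mfa_protection(i)

def blended_compromises(i: Inputs) -> float:
    # Step 4: blend with history only when incidents were actually observed
    model = model_compromises(i)
    if i.observed_incidents > 0:
        return MODEL_WEIGHT * model + OBSERVED_WEIGHT * i.observed_incidents
    return model

def risk_score(i: Inputs) -> float:
    # Step 5: per-employee exposure, scaled by industry and capped at 100
    return min(100.0, blended_compromises(i) / i.employees * 100.0 * i.industry_multiplier)
```

With 1,000 employees, a 35% filter pass rate, full MFA adoption and a 15% trained click rate, the model yields about 27.3 expected compromises and a risk score of about 2.73; the same organization with no MFA and untrained users saturates the cap at 100.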

Assumptions & References

  • Industry benchmark: ~1 phishing email per employee per week (Verizon DBIR 2023).
  • Untrained click-through rate ≈ 90%; continuous simulation programs reduce this to ~15% (Proofpoint State of the Phish 2023).
  • MFA blocks approximately 99% of credential-based account takeovers (Microsoft Security Report 2023).
  • Email filtering pass-rates are approximate; ATP solutions block ~65% of phishing attempts on average (Gartner 2022).
  • Industry multipliers reflect relative targeting frequency per APWG Phishing Activity Trends Report 2023.
  • The Bayesian blend (60/40) weights the model estimate more heavily when historical data is sparse; adjust weights for larger incident datasets.
  • Risk score is normalized per employee to allow comparison across organizations of different sizes.
  • This calculator provides an estimate only and does not replace a formal security risk assessment.