Phishing Risk Assessment Calculator
Estimate your organization's phishing risk score and expected annual phishing incidents based on workforce size, security awareness training, email volume, and existing controls.
Formulas Used
1. Training Reduction Factor:
trainingReduction = min(trainingFrequency × 0.05, 0.70)
Each annual training session reduces the baseline click rate by 5% (relative), capped at 70%.
2. Adjusted Click Rate:
adjustedClickRate = baselineClickRate × (1 − trainingReduction)
3. Annual Emails Reaching Employees:
emailsReaching = emailsPerDay × employees × 365 × (1 − filterEffectiveness)
4. Raw Clicks (Potential Incidents):
rawClicks = emailsReaching × adjustedClickRate
5. Successful Incidents (after MFA):
successfulIncidents = rawClicks × (1 − mfaMitigationFactor)
MFA mitigation: None=0%, Partial=40%, Majority=70%, Full=90%
6. Risk Score (0–100):
riskScore = min((successfulIncidents / employees) / 50, 1) × 100
50 successful incidents per employee per year represents the maximum (score = 100); larger values are capped at 100.
7. Annual Financial Exposure:
annualCost = successfulIncidents × costPerIncident
8. Phishing Exposure Index (PEI):
PEI = (emailsReaching / employees) × adjustedClickRate
Average annual phishing exposures per employee.
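The eight formulas above applied in order, as an added Python example (not the calculator's own source); the sample inputs are constructed, and the guards on head count and filter effectiveness are assumptions added because formulas 6 and 8 divide by employees.

```python
# Phishing risk model from the calculator page: formulas 1-8 applied in order.

# MFA mitigation factors as listed under formula 5.
MFA_MITIGATION = {"none": 0.0, "partial": 0.40, "majority": 0.70, "full": 0.90}

# Formula 6: 50 successful incidents per employee per year scores 100.
MAX_INCIDENTS_PER_EMPLOYEE = 50


def phishing_risk(employees, training_frequency, emails_per_day,
                  filter_effectiveness, mfa_coverage, cost_per_incident,
                  baseline_click_rate=0.30):
    """Return every intermediate value of the model, keyed by the page's names."""
    if employees <= 0:  # assumed guard: formulas 6 and 8 divide by employees
        raise ValueError("employees must be positive")
    if not 0.0 <= filter_effectiveness <= 1.0:  # assumed guard
        raise ValueError("filter_effectiveness must be between 0 and 1")
    mfa_factor = MFA_MITIGATION[mfa_coverage.lower()]

    # 1. each annual session removes 5 % (relative), capped at 70 %
    training_reduction = min(training_frequency * 0.05, 0.70)
    # 2. click rate after training
    adjusted_click_rate = baseline_click_rate * (1 - training_reduction)
    # 3. yearly phishing emails that get past the gateway
    emails_reaching = emails_per_day * employees * 365 * (1 - filter_effectiveness)
    # 4. potential incidents
    raw_clicks = emails_reaching * adjusted_click_rate
    # 5. clicks that MFA does not stop
    successful_incidents = raw_clicks * (1 - mfa_factor)
    # 6. normalised 0-100 score; the cap keeps small teams with many clicks at 100
    per_employee = successful_incidents / employees
    risk_score = min(per_employee / MAX_INCIDENTS_PER_EMPLOYEE, 1) * 100
    # 7. financial exposure
    annual_cost = successful_incidents * cost_per_incident
    # 8. phishing exposure index (average annual phishing exposures per employee)
    pei = (emails_reaching / employees) * adjusted_click_rate
    return dict(trainingReduction=training_reduction, adjustedClickRate=adjusted_click_rate,
                emailsReaching=emails_reaching, rawClicks=raw_clicks,
                successfulIncidents=successful_incidents, riskScore=risk_score,
                annualCost=annual_cost, PEI=pei)


if __name__ == "__main__":
    # constructed sample: 200 staff, quarterly training, 95 % gateway, MFA on most accounts
    for key, value in phishing_risk(200, 4, 4, 0.95, "majority", 1600).items():
        print(f"{key:>20}: {value:,.2f}")
```

With the sample inputs the model yields about 1,051 successful incidents a year and a risk score of roughly 10.5, which shows how much the head count in the denominator of formula 6 flattens the score even when the absolute incident count is high.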
Assumptions & References
- Baseline phishing click rate without training averages ~30% (Proofpoint State of the Phish, 2023).
- Each security awareness training session reduces click rates by approximately 5% (relative), with diminishing returns capped at 70% total reduction (Proofpoint, 2023; SANS Security Awareness Report, 2022).
- Average office worker receives approximately 4 phishing emails per day (Tessian Human Layer Security Report, 2021).
- Modern email security gateways block 85–99% of phishing emails (Gartner Email Security Market Guide, 2022).
- MFA mitigates approximately 99.9% of automated attacks and ~90% of targeted credential phishing when fully deployed (Microsoft Security Intelligence Report; CISA MFA Guidance, 2023).
- Average cost of a phishing-related security incident ranges from $1,600 (small incidents) to $4.76M (full breach) (IBM Cost of a Data Breach Report, 2023).
- Risk score normalization assumes 50+ successful incidents per employee per year represents maximum organizational risk.
- This calculator provides estimates for planning purposes only and does not replace a professional security risk assessment.