An article on CSO Online this week caught my attention and raises an excellent question: "what is a good success rate in your phishing test campaigns?"
I had this exact discussion with an FDIC Examiner about a month ago when my client had a 14% click rate on a recent phishing test. The examiner's point, and a valid one, was that "it just takes one" (meaning that any clicks in a test should be concerning).
The article discusses this and gets feedback from several industry experts on their philosophies on what should be the goal, and what is attainable in testing your users in social engineering.
My opinion is one of continuous improvement and risk reduction (as opposed to risk elimination). Nothing is 100% secure, especially humans. Working on a training plan that is moving your click rate lower and lower over time, combined with defense-in-depth strategies, is more of a practical approach.