I work at a large professional services firm (think Big 4), so the risk of any single breach in our network is taken pretty seriously. Our IT department added an Outlook plugin years ago that you can use to immediately reporting phishing attempts to them. As a bonus, they'll sometimes send these "tests" and if you select to "Report Phishing", you'll get a atta-boy type notification. I would assume at a macro level, they have stats on everyone and know who the "riskier" employees are. I have no idea if this is done inhouse at other large companies.
Sidenote/ question for you: some of the "test" attacks my company sends are very specific to the work we're doing and can sometimes sound very convincing. Do you have a catalogue of "attacks" based on industry or department (procurement might fall for something completely different than sales or marketing)? I'm sure with enough tests, you could measure the effectiveness of attacks (or maybe the difficulty of detection)... then you can start rating organizations not just based on what percentage of folks fell for it, but what specifically they fell for, or what was more likely to get them to bite. Almost like targeted training?
Sidenote/ question for you: some of the "test" attacks my company sends are very specific to the work we're doing and can sometimes sound very convincing. Do you have a catalogue of "attacks" based on industry or department (procurement might fall for something completely different than sales or marketing)? I'm sure with enough tests, you could measure the effectiveness of attacks (or maybe the difficulty of detection)... then you can start rating organizations not just based on what percentage of folks fell for it, but what specifically they fell for, or what was more likely to get them to bite. Almost like targeted training?
Cool idea overall and wish you guys the best.