
CIRA Cybersecurity Awareness Training 2021

What is CIRA Cybersecurity Awareness Training?

Training employees to recognize and report cyber threats is a critical defence tactic now used by many IT teams. In 2019, CIRA partnered with Beauceron Security to provide the CIRA Cybersecurity Awareness Training platform to Canadian organizations.


About this White Paper

We are pleased to provide a report using aggregate data from the training platform. Data from surveys, phishing simulations, and courseware gives us a window into users’ cybersecurity behaviours.

Unlike other data-based phishing reports out there, our findings have a uniquely Canadian focus.


How to use these findings

Whether you are thinking of starting a training program or looking to make some informed changes to your existing one, this report can help with key benchmarks and decisions to reduce cyber risk in your workplace.


Data is from January 1, 2021, to September 30, 2021, unless otherwise indicated. The majority of users are located in Canada, working in a variety of sectors including finance, municipalities, healthcare, and education.



The data in this report is anonymously sourced from three components of our training platform: 

User surveys 

Aggregate responses and more (8,000+ responses from 120+ organizations)

Phishing simulations

Report rates, click rates and more (126,000+ phishes sent to 21,000+ users in 140+ organizations)


Completion rate, quiz scores, and more (16,000+ courses completed)


How phishing simulations work

Our platform sends automated phishing simulations to users as an exercise to help build the habit of recognizing common phishing tactics (such as urgent requests, typos or out-of-date logos) and reporting suspicious emails to IT.

Want to learn more about the process? Check out our flow chart showing the various scenarios and outcomes if a user reports or clicks a suspicious email.

Click rates are reduced 60% in one year

Click rates are one metric commonly tracked by IT teams when measuring the effectiveness of an awareness training program. The goal is that users will learn to avoid clicking on suspicious links (links that would lead to a virus or ransomware, if it were a real phishing email), resulting in a decreased click rate.

Phishing simulation click rates over time:  

  • Benchmark at the beginning of training*: 8.2%
  • After 90 days: 4.5%
  • After one year: 3.3%

*As a part of the standard onboarding training program, users are sent three phishing simulations within a short time frame. Data collected for this section of the report is pulled from 2019 to 2021.

Many organizations run automated phishing, sending one email to a user per month. The data shows that with regular phishing simulations, clicks are reduced significantly in one year of training.

This is backed up by findings from the CIRA 2021 Cybersecurity Survey, which shows that nearly all IT professionals (95%) believe that end-user training is effective in reducing incidents and/or risky online behaviour.

Quick to click

Our data found that if a user clicks on a link in a phishing simulation, they are likely to do so the same day it was sent – 24% will click within the first hour and 78% click within 24 hours. By comparison, when users report a phish, 69% of reports are made within 24 hours.

If a real phish makes it past spam filters, reporting it to IT ASAP can help protect the entire organization. Users are your first responders and training them to report a suspicious link means it can potentially be removed or blocked before it impacts others.


Supplemental learning

A favourite weapon used by cyber criminals and social engineers is creating a sense of urgency. As training progresses, users should start to recognize if they are feeling pressured by an email, and slow down and look for other cues that indicate that this suspicious email is a phish.

In fact, if a user does click on a phishing simulation, they are able to learn what red flags they missed by viewing the phish cues in our platform – so they can know what to look out for next time!

Admins also have the option to automatically assign supplemental training courses (related to the content and tactics used in the simulation) to turn these incidents into a learning moment.

Caution to clicking before coffee

Another nefarious tactic is to target users who may not be fully alert yet—early in the morning. From a previous analysis, we know that the most dangerous time of day for clicking on phishing simulations is from 8 a.m. to 9 a.m.

Top-clicked phishing simulations 

The platform contains 150+ pre-built phishing emails that are sent through our automated phishing program.

Here are the subject lines of the top phishes that users clicked on:

  1. Sharepoint File Via SharePoint – 28% clicked
  2. Job Opportunity – 21% clicked
  3. URGENT: Phishing Incident – 17% clicked

For context, across all phishing simulations sent, the average click rate is 5%.

Each of these top phishes is very different in what tactics are being employed to get users to click. The first one is masquerading as an everyday business process notification, the second one is presenting an exciting opportunity, and the third is inciting immediate action using fear and urgency tactics. Employees should be on the lookout for all types of common phishing tactics.

Top-reported phishing simulations 

It’s also interesting to see which type of phishing emails users successfully reported to IT. These simulations weren’t fooling too many people, but they gave users an opportunity to keep practicing the habit of reporting emails to IT.

Email subject | Report rate | Difficulty level*
Order Confirmation – Kitchen to Desk Catering | 51% | Medium
RE: Funds Transfer | 49% | Low
AirBnB Host Confirmation | 38% | High


*Phishing difficulty levels

Each phishing simulation is ranked in difficulty from low to high using the NIST Phish Scale. If an email contains many red flags (or phish “cues”), then it is considered an “easy” phish – easy to spot. The platform deploys adaptive phishing, meaning users will receive easy phishes to start and progress to more difficult phishes if they continue to successfully report them. Taking a look at the top three reported phishes, they all vary in degree of difficulty. It seems like our users are pretty savvy at recognizing even a difficult phish!

Survey analysis

Our platform sends surveys to users and collects the data, enabling administrators to view aggregate data to make informed decisions about their cybersecurity practices. Informed decisions allow them to focus on the organization’s biggest gaps.

A survey that users complete during onboarding training asks them questions about their current behaviours and attitudes regarding cybersecurity, such as “Do you reuse passwords?” Taking a look at key findings, we can identify some common cybersecurity behavioural challenges IT professionals are facing.

71% agree that their organization is a target for cybercriminals  

Understanding what’s at stake in the decisions you make and the actions you take, as someone who deals with any type of data or makes any sort of transaction in your workplace, is critical to recognizing the need to follow cybersecurity best practices.

For the 4% of respondents who indicated that they don’t agree their organization is a target for cyber criminals – we have some bad news. Any organization is a target.

Here are a few reasons why people might think this way: 

A bias in the media

A hack affecting a large company with thousands of customers is more likely to get reported in the news.

A feeling that their data is less of a target 

Just because an organization has few employees doesn’t mean their data isn’t valuable.

Not understanding that untargeted, mass attacks are a numbers game

Yes, some attacks are targeted toward specific companies. However, some are also just criminals casting a wide net. And in fact, small businesses are more likely to have less sophisticated security controls in place without a dedicated IT team.

34% think that cybersecurity is mostly an IT issue 

Taking the lead on cybersecurity certainly falls within IT’s function, but everyone in a workplace who has access to a device or program has a critical role to play in keeping data secure. IT can assist by setting up spam filters, single sign-on, and more, but all individuals are a potential vector for attack.

Only 18% use a password manager

The resistance to password managers is strong, and reasons range from not trusting them to not being aware they exist. The truth is, not many humans can remember the 100+ passwords they use for accounts at work, and password managers are widely recommended by IT professionals.

Cybersecurity Courses

There are over 100 pre-built courses provided in the platform, covering a variety of topics from Account Security to Zoom. By examining course and quiz completion data, we can identify some trends in how users participate in this key part of training.

If at first, you don’t succeed…

Take another quiz! Users that don’t get a passing grade (set by default to 80%) the first time around still get an opportunity to complete the course by taking a second quiz with a different set of questions. This process enables users to be empowered to learn something new instead of feeling discouraged that they didn’t get a passing grade.

Here’s a breakdown of how many people retake the courses in our onboarding workflow:

  • Cybersecurity 101: The World of Cybercrime – 24% retake
  • Cybersecurity 102: Hacking Humans – 13%
  • Cybersecurity 103: Malware – 23%
  • Cybersecurity 104: Securing Yourself – 13%

Same day completion

Taking a look at our Cybersecurity 101 course, 79% of users are keen to get the training done and complete it the same day it’s assigned.

  • Same day – 79%
  • One week – 87%
  • One month – 94%
  • One quarter – 99%

We’ve intentionally designed our onboarding courses to achieve a high rate of completion. Here are a few reasons why the completion rate is so high:  

Short courses

Courses are kept to a reasonable time frame of 5-15 minutes to complete: long enough to cover topics in detail, but short enough to keep users engaged and not be a distraction from their daily jobs.

Gamified training

Training is gamified, so when a user completes a course, they are rewarded with a decrease in their cyber risk score, which goes up or down based on their training activity.

Interactive training

Training is interactive, with video options available and quizzes to test users’ knowledge.

IT professionals want users to know about privacy and emerging threats

The most frequently assigned courses, outside of onboarding training or automatically assigned remediation training, are:

  1. Social Media-based Attacks
  2. Privacy in Practice
  3. Privacy Basics
  4. Password Hygiene
  5. Privacy in Law

With criminals looking beyond traditional sources and turning to sites like Facebook and Twitter to steal personal information and spread scams, education on common tactics is critical. Users taking this course learn about common scams, how to recognize them, and read about an example from an attack involving a major Canadian brewery.

Privacy is also clearly a hot topic. Understanding how data is the currency of the 21st century – and how important it is for customer and sensitive data to be protected – is essential for pretty much every job out there.

Start training today

If you’d like to learn more about training or get a quote, contact us and a member of our team would be happy to meet with you.


Discover the platform

Get a preview of our platform, its features, some sample phishing templates and more.



Learn about cyber insurance

Watch our webinar with guest speaker and insurance defence and coverage lawyer Mikel Pearce to learn what cyber insurance covers and how it supplements cybersecurity best practices like user training.

5 steps to implement training

If you’re facing the challenge of getting your users motivated, there are some great tips on how to encourage employees to complete training in CIRA’s guide