
Defense in Depth: How Do We Measure Our Defenses Against Social Engineering Attacks?
Oct 30, 2025
Bobby Ford, Chief Strategy and Experience Officer at Doppel, dives deep into the world of social engineering defenses. He discusses why traditional phishing click rates are flawed metrics and shares insights on measuring risk effectively, especially for high-impact users. Bobby emphasizes the importance of a tailored social engineering susceptibility score while exposing how AI is changing the landscape of personalized attacks. The conversation highlights building a security culture through collaboration and timely reporting, ultimately enhancing digital integrity.
AI Snips
Click Rates Are A Misleading Metric
- Phishing click rates are easy to measure but a poor standalone indicator of resilience.
- Mike Johnson warns they’re easily manipulated and don’t reflect real attacker behaviors.
Measure Reporting And Response Time
- Track reporting rates for real phishing and the speed of security team responses.
- Encourage reporting and close the feedback loop so users stay engaged and informed.
Attacks Move Beyond Email
- Social engineering now spans many channels beyond email, like help desks and SMS.
- Bobby Ford emphasizes email-only testing gives an incomplete view of organizational risk.
