Employee Security Index (ESI®): The security awareness indicator

What is the Employee Security Index (ESI®)?

Against what, under what conditions and to what degree are you secure? This question poses great challenges when it comes to securing the company and to investment decisions. IT-Seal has developed a benchmark for the area of social engineering and phishing awareness: the 'Employee Security Index' (ESI®).

The Employee Security Index is based on a standardized framework that accounts for different types of attackers by simulating many different attacks with different preparation times. For this purpose, hundreds of different attacks at different levels of difficulty are created and sent to our customers fully automatically (a patented process). We make sure that each participant receives a different e-mail. This rules out the office grapevine ("Flurfunk"), in which colleagues warn each other about a mail they have already seen: such warnings genuinely raise security, but they distort the measurement considerably.

Our video explains the ESI® in two minutes
Why are we doing this?
Individual phishing simulations can quickly lead you astray: click rates can vary greatly from e-mail to e-mail, especially when internal information is used. Depending on subject, writing style, exact sending time, design or sender, employees either click quickly or not at all. It is easy to create a phishing e-mail that 80 percent of employees click on, or one that tricks only 2 percent. Neither result says anything about how good the employees really are; it only says how well that particular phishing e-mail hit the mark. To make a statement about the actual security behavior of the employees, a large number of different attack simulations must therefore be carried out. This is the only way to filter out individual "lucky hits". The results of these many different attacks are aggregated in the ESI® and presented in traffic-light colours.

How does the Employee Security Index (ESI®) work?

The ESI® makes security awareness training measurable based on scientific data.

Standardization as the basis for measurability

To make security awareness measurable, a realistic simulation of attacks is indispensable. Individual attacks must also be comparable with each other; only then can measurement over a longer period provide information about how security awareness develops.

To make social engineering attacks comparable, we classify them into categories. The decisive factor is the preparation time a criminal has to invest in setting up and executing an attack scenario.

This time is made up of, for example, information gathering (OSINT), technical preparation, copying of designs (clone phishing) and provisioning of the infrastructure. This yields five categories, corresponding to preparation times of approx. 1, 3, 10, 20 and 40 hours.
The table shows the effort of spear phishing mails: an overview of the preparation time for phishing attack scenarios.
The ESI® categorizes security awareness. Evaluation at a glance: the ESI® works with four categories.

Procedure for determining the ESI®

  • Each member of an employee group receives several individual spear phishing e-mails at different levels of difficulty
  • The employees' reaction (their security behavior) is measured
  • Their behavior at the different levels of difficulty is set in relation to an "exemplary" test group, which is assigned an ESI® of 90
  • A group whose error rate is twice that of the "exemplary" test group achieves an ESI® of 80; three times the error rate gives an ESI® of 70, and so on
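As an added example (not IT-Seal's own code and not the patented procedure), the following Python sketch applies the scale stated above to constructed simulation results: the per-level click rates of a department are divided by those of a reference group, and the resulting multiple is mapped so that 1x gives 90, 2x gives 80 and 3x gives 70. The reference group, the sample data, the equal weighting of difficulty levels and the clipping to 0..100 are assumptions of this example; the page does not specify them.

```python
"""
ESI-style scoring of a simulated phishing campaign.

Added example, not IT-Seal's implementation. Only the scale from the page is
used: the reference ("exemplary") group scores 90, and every further multiple
of its error rate costs 10 points. Everything else (per-level error rates
averaged with equal weight, clipping to 0..100, the sample data) is an
assumption of this example.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# One record per simulated e-mail: (employee_id, difficulty_level, clicked)
Record = Tuple[str, int, bool]

REFERENCE_ESI = 90.0        # page: the exemplary test group is assigned 90
POINTS_PER_MULTIPLE = 10.0  # page: 2x error rate -> 80, 3x -> 70, ...


def make_records(group: str, level: int, sent: int, clicks: int) -> List[Record]:
    """Constructed sample data: `sent` mails at `level`, of which `clicks` were clicked."""
    assert 0 <= clicks <= sent
    return [(f"{group}-{i}", level, i < clicks) for i in range(sent)]


def error_rates_by_level(records: Iterable[Record]) -> Dict[int, float]:
    """Click (error) rate per difficulty level, pooled over all mails of that level.

    Pooling many different mails per level is what dilutes a single "lucky hit".
    """
    sent: Counter = Counter()
    clicked: Counter = Counter()
    for _, level, did_click in records:
        sent[level] += 1
        if did_click:
            clicked[level] += 1
    return {level: clicked[level] / sent[level] for level in sorted(sent)}


def esi(group: Iterable[Record], reference: Iterable[Record]) -> float:
    """Score `group` against `reference`: an error-rate multiple of 1 gives 90, 2 gives 80, ..."""
    ref_rates = error_rates_by_level(reference)
    grp_rates = error_rates_by_level(group)
    multiples = []
    for level, ref_rate in ref_rates.items():
        # Assumption: a level with no group data or no reference clicks yields
        # no usable multiple and is skipped.
        if level not in grp_rates or ref_rate == 0.0:
            continue
        multiples.append(grp_rates[level] / ref_rate)
    if not multiples:
        raise ValueError("no difficulty level is comparable between group and reference")
    # Assumption: levels are weighted equally; the page does not specify the weighting.
    mean_multiple = sum(multiples) / len(multiples)
    score = REFERENCE_ESI - POINTS_PER_MULTIPLE * (mean_multiple - 1.0)
    return max(0.0, min(100.0, score))  # assumption: clip to the 0..100 range


# Constructed reference group: clicks 10 % / 20 % / 30 % at levels 1 / 3 / 5.
REFERENCE_GROUP = (make_records("ref", 1, 10, 1)
                   + make_records("ref", 3, 10, 2)
                   + make_records("ref", 5, 10, 3))

# Constructed department with twice the reference error rate at every level.
DEPARTMENT = (make_records("dept", 1, 10, 2)
              + make_records("dept", 3, 10, 4)
              + make_records("dept", 5, 10, 6))

if __name__ == "__main__":
    print("department error rates:", error_rates_by_level(DEPARTMENT))
    print(f"department ESI: {esi(DEPARTMENT, REFERENCE_GROUP):.1f}")  # 80.0
```

Because the rates are pooled per difficulty level, one unusually effective (or unusually clumsy) mail moves the score only in proportion to its share of the mails at that level, which is the page's argument for sending many different attacks rather than judging a group on a single simulation.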

Critical average level shows need for action

An analysis of more than 75,000 simulated e-mails provides a revealing insight into the security behavior of individual departments across the company, as shown in the figure.

All test groups show critical phishing awareness, with an average Employee Security Index of 46.2. While the HR, IT and finance departments perform above the company average, managers, assistants and the C-level stand out at the lower end.

The Employee Security Index shows the security awareness level of different departments.
Determination of the Employee Security Index as part of a four-week phishing simulation for various departments.
The target ESI defines your security level.
You define the goal, we take care of the rest

The ESI® in the Awareness Academy

With the help of the Awareness Academy you define a target ESI®, which we then achieve together with you. In addition to our phishing simulation, we also use other security awareness measures, such as short videos, face-to-face training and e-learning.

The ESI® thus serves as a control instrument that allows security awareness in companies to be monitored continuously. The effectiveness of individual training measures can be reviewed and concrete needs identified. Evaluating the results anonymously on a group basis contributes to employee protection. Communication with both management and staff is made easier by a tangible key figure: a quantitative analysis of security awareness offers a direct comparison with other companies in similar industries and can therefore serve as a basis for decisions on further investments.


Our whitepaper about the Employee Security Index
The whitepaper covers the Employee Security Index (ESI®). It provides factual, scientifically grounded information about the advantages of our benchmark.

Sounds good? Then take the free test!

Order a spear phishing simulation, an e-learning test account and/or an Awareness Manager test account, without obligation.
