definitely believe that click rates are dead. we've been tracking email click rates for the past 20 years and we all know that it only takes one click. we also know that employees work outside of email. We know that. We know that they they conduct business outside of email.

we also know that if you look at some of the the most recent largecale attacks that we've seen, those attacks didn't happen via email. they happen via help desk or they happen via WhatsApp. And so as a result of that, you can't say I'm going to rely solely on click rates to determine whether or not I have a robust social engineering defense program. what what I like to call it is social engineering susceptibility.

And therefore, every organization I believe should look at ways that their employees work, look at ways that their employees socially engage and then come up with a metric that captures all of that and then reports that back to the board so that you say, "Hey," and it's a process, so you got, you know, you have to do it slowly, but you educate whatever board you report to or whatever audit committee you report to, and you say, "No longer, hey, we're converting from tracking click rates because that only tells you one piece of the equation and we're now looking across all the ways our employees work and we have a social engineering susceptibility score.

We can double click on the areas where we're most likely to to to fall victim to a social engineering attack. But we're going to track this social engineering susceptibility score almost like a credit score and then develop a program to help it go down unlike a credit score where you want it to go up.