The Ubiquiti finance team had completed their training.
In June 2015, attackers impersonating company executives sent a series of emails to Ubiquiti's finance department. The messages looked legitimate. The language matched internal tone. The requests felt urgent and confidential. Over 17 days, finance staff authorized 14 wire transfers totaling $46.7 million to overseas accounts controlled by the attackers.
No systems were breached. No credentials were stolen. An internal investigation found no evidence of employee criminal involvement. The company's own SEC filing described it plainly: employee impersonation and fraudulent requests targeting the finance department.
The training didn't stop it. The completion rate didn't predict it. And the dashboard stayed green while the money left.
Completion rates measure the wrong thing
Here's what a 94% training completion rate actually tells you: 94% of your employees clicked through a module. It tells you nothing about whether they understood it, retained it, or would recognize the attack if it arrived in their inbox this afternoon.
This isn't a criticism of employee effort. It's a structural problem with how security programs have chosen to measure success.
Proofpoint's 2024 State of the Phish found that 68% of employees knowingly put their organizations at risk: reusing passwords, clicking links from unknown senders, handing over credentials. The key word is knowingly. These weren't employees who lacked awareness of the rules. They were employees whose training had changed their knowledge but not their behavior.
Awareness and behavior are different things. Security programs that conflate them are measuring activity and calling it risk.
What click rates miss
Phishing simulation click rates are more useful than completion rates, but they carry their own blind spots.
A click rate measures how an employee performs on a specific simulation, on a specific day, against a specific attack type. It doesn't measure how they'd respond to a vishing call on a Friday afternoon. It doesn't capture whether they'd recognize a deepfake of your CFO on a video call. It doesn't reflect what happens when the attack looks nothing like the scenario they trained on last quarter.
More importantly: the employees who click on simulations aren't always the employees who fall for real attacks. Someone who breezes through a simulated phishing email might wire funds without a second thought when a voice on the phone identifies as your CEO and creates enough urgency. A low click rate in your last campaign is not evidence that your AP team is safe.
A single data point from a single channel isn't a risk score. It's a snapshot of one behavior in one context, aged out the moment the next attack type emerges.
What a real risk signal looks like
Human risk isn't a moment in time. It's a pattern built from multiple signals over time. Any score that doesn't account for that is incomplete by design.
Simulation behavior across time and attack type. Did the same employee fall for two different simulations in six months? A phishing email in January, a vishing scenario in March? That's a pattern. A single click on a single simulation is noise. Repeated vulnerability across different vectors is signal.
Training engagement, not just completion. There's a meaningful difference between an employee who spent 12 minutes working through a scenario-based module and one who clicked through in four minutes at minimum speed. Completion captures the latter the same as the former. Engagement doesn't.
MFA posture. An employee who hasn't enrolled a second factor is a vulnerability regardless of their training history. That gap belongs in their risk picture. It's a concrete, measurable signal that predicts exposure, and it has nothing to do with whether they passed a phishing quiz.
Device and identity signals. Risky device states, unmanaged endpoints, shadow IT usage. These are observable behaviors that create real exposure. A risk score that ignores them is built on incomplete information.
Role-based exposure. A finance employee who handles outbound wire transfers carries different baseline risk than a developer with no payment access. A score that doesn't account for role is flattening the risk landscape in a way that misrepresents where the actual danger sits.
None of these signals live in a training completion dashboard. They require a different model entirely: one built to measure risk continuously, not to record that a box was checked.
Why legacy SAT programs can't build this
Legacy SAT platforms were built to track completion. That's not a design flaw; it's a design choice that reflects what those programs were built to sell. A dashboard of green checkmarks is the deliverable. Compliance documentation is the output. The program runs on a quarterly or annual cycle because that's how the contracts are structured, not because that's how risk works.
These platforms don't ingest your organization's identity data. They don't know your MFA posture. They don't have visibility into your device states or your behavioral telemetry. They don't know the difference between your AP team and your IT team.
The simulation results they do have – click rates, completion percentages – represent one input into a multi-dimensional risk picture. That one input gets packaged as a risk score and presented to the board as a measure of organizational security. It isn't. It's a measure of how employees performed on the simulation your vendor designed, run on the schedule your vendor set, against attack types your vendor chose.
The gap between that score and your actual risk exposure is where attackers operate.
A score that reflects real risk
Frame's Human Risk Score is a living number. Not a snapshot from last quarter. It's a continuous signal built from every data point that actually predicts vulnerability.
What feeds it: every simulation result, every training completion and engagement signal, MFA enrollment status, identity signals, device posture, and behavioral telemetry from your connected security tools. The score updates as those inputs change, which means it reflects your org's risk posture right now. Not when you last ran a campaign.
What it produces: a per-employee score that tells you exactly who your riskiest employees are at this moment, by role, by department, by behavior. Not who completed training last month. Who is actually exposed today.
What happens next: when a risk score crosses a threshold, Action Plans fire automatically. The right training reaches the right person at the moment the signal appears – not at the next scheduled cycle, not when someone manually reviews a report. The loop closes without requiring a human to notice the gap first.
And when it's time to report to the board, the question is no longer "what percentage completed the module." It's: here is how risk changed across the organization over the last 90 days. Here is which roles are improving. Here is where exposure is concentrated. That's a conversation about security. The completion rate conversation was never really about security at all.
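As an added illustration (example code written for this page, not Frame's code and not its published scoring model), the Python sketch below combines the signals listed under "What a real risk signal looks like" (simulation failures across different vectors inside a time window, engagement time versus bare completion, MFA and device posture, role weighting) into a per-employee score, and then fires a threshold-based action plan in the way the feed / produce / act loop above describes. Every weight, threshold, function name and sample employee is a constructed assumption; the point is to show why an employee with 100% completion can still rank as the riskiest person in the organization.

```python
"""Toy human-risk score: multiple signals over time, not a completion checkbox.

Constructed example, not Frame's model. Weights, thresholds and sample data are
illustrative assumptions chosen to make the behaviour of the score visible.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed role multipliers: staff who can move money carry more baseline exposure.
ROLE_WEIGHT = {"finance": 1.5, "executive": 1.4, "it": 1.2, "engineering": 1.0}
ACTION_THRESHOLD = 50.0      # assumed score at which an action plan fires
SIM_WINDOW_DAYS = 180        # assumed look-back window for simulation results


@dataclass
class Employee:
    name: str
    role: str
    mfa_enrolled: bool
    managed_device: bool
    training_minutes: float                      # time spent in the last module
    simulation_failures: list[tuple[date, str]]  # (date, attack vector) per failure


def recent_failures(failures: list[tuple[date, str]], today: date) -> list[str]:
    """Attack vectors the employee fell for inside the look-back window."""
    return [v for d, v in failures if 0 <= (today - d).days <= SIM_WINDOW_DAYS]


def simulation_risk(failures: list[tuple[date, str]], today: date) -> float:
    """One click is noise; repeated failures across different vectors are signal."""
    recent = recent_failures(failures, today)
    if not recent:
        return 0.0
    points = 10.0 * len(recent)
    if len(set(recent)) > 1:       # e.g. phishing in January, vishing in March
        points *= 1.5
    return min(points, 40.0)


def engagement_risk(minutes: float, expected_minutes: float = 12.0) -> float:
    """Completion alone earns no credit: skimming a 12-minute module in 4 adds risk."""
    if minutes >= expected_minutes:
        return 0.0
    return round(15.0 * (1 - minutes / expected_minutes), 2)


def posture_risk(mfa_enrolled: bool, managed_device: bool) -> float:
    """Identity and device gaps count regardless of training history."""
    return (0.0 if mfa_enrolled else 25.0) + (0.0 if managed_device else 10.0)


def human_risk_score(emp: Employee, today: date) -> float:
    """Per-employee score on a 0-100 scale, role-weighted and capped."""
    raw = (simulation_risk(emp.simulation_failures, today)
           + engagement_risk(emp.training_minutes)
           + posture_risk(emp.mfa_enrolled, emp.managed_device))
    return round(min(100.0, raw * ROLE_WEIGHT.get(emp.role, 1.0)), 1)


def action_plan(emp: Employee, today: date) -> list[str]:
    """Targeted follow-ups that fire as soon as the score crosses the threshold."""
    actions: list[str] = []
    if human_risk_score(emp, today) < ACTION_THRESHOLD:
        return actions
    if not emp.mfa_enrolled:
        actions.append("enforce MFA enrollment")
    if not emp.managed_device:
        actions.append("onboard device to MDM")
    vectors = sorted(set(recent_failures(emp.simulation_failures, today)))
    if vectors:
        actions.append("assign targeted module: " + ", ".join(vectors))
    if engagement_risk(emp.training_minutes) > 0:
        actions.append("schedule scenario-based refresher")
    return actions


def riskiest_first(employees: list[Employee], today: date) -> list[str]:
    """Names ordered by current exposure, the view a dashboard should lead with."""
    ranked = sorted(employees, key=lambda e: human_risk_score(e, today), reverse=True)
    return [e.name for e in ranked]


# Constructed sample population; every employee below has completed all training.
TODAY = date(2024, 6, 30)
ALICE = Employee("alice", "finance", True, True, 4.0,
                 [(date(2024, 1, 15), "phishing"), (date(2024, 3, 10), "vishing")])
BOB = Employee("bob", "engineering", False, True, 14.0,
               [(date(2023, 9, 1), "phishing")])       # failure aged out of the window
CAROL = Employee("carol", "finance", False, False, 12.0, [])

if __name__ == "__main__":
    for emp in (ALICE, BOB, CAROL):
        print(emp.name, human_risk_score(emp, TODAY), action_plan(emp, TODAY))
    print("riskiest first:", riskiest_first([BOB, CAROL, ALICE], TODAY))
```

Running the script ranks Alice highest (repeated failures across two vectors plus a skimmed module, multiplied by a finance role), puts Carol above the threshold on posture and role alone even though she never clicked a simulation, and leaves Bob below it because his one old failure has aged out and his only gap is MFA. A completion dashboard would show all three as green.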
The Ubiquiti finance team completed their training. They wired $46.7 million to accounts controlled by people impersonating their executives. The dashboard said they were ready. The attack said otherwise.
Completion rates tell you who clicked "done." A real risk score tells you who would recognize the attack. Those are different things. And only one of them would have stopped the wire transfer.