Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Scaling the Phish: Advancing the NIST Phish Scale



Fernando Barrientos, Jody Jacobs, Shanee Dawkins


Organizations use phishing training exercises to help employees defend against the phishing threats that get through automatic email filters, reducing potential compromise of information security for both the individual and their organization. These exercises use fake and realistic phishing emails to test employees' ability to detect the phish, resulting in click rates which the organization can then use to address and inform their cybersecurity training programs. However, click rates alone are unable to provide a holistic picture of why employees do or do not fall for phish emails. To this end, the National Institute of Standards and Technology (NIST) created the Phish Scale methodology for determining how difficult a phishing email is to detect (Greene et. al. 2019). Recent research on the Phish Scale has focused on improving the robustness of the method. This paper presents initial results of the ongoing developments of the Phish Scale, including work towards the repeatability and validity of the Phish Scale using operational phishing training exercise data. Also highlighted are the ongoing efforts to minimize the ambiguities and subjectivity of the Phish Scale, as well as the design of a study aimed at gauging the usability of the scale via testing with phishing exercise training implementers.
Proceedings Title
HCI International 2021 - Posters
Conference Dates
July 24-29, 2021
Conference Location
Washington, DC, US
Conference Title
Human Computer Interaction International 2021


Usable Cybersecurity, Cybersecurity Awareness Training, Phishing, NIST Phish Scale


Barrientos, F. , Jacobs, J. and Dawkins, S. (2021), Scaling the Phish: Advancing the NIST Phish Scale, HCI International 2021 - Posters, Washington, DC, US, [online],, (Accessed May 25, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created July 3, 2021, Updated November 29, 2022