In many organizations, phishing simulations are seen as proof that a security awareness program works. Click rates are measured, failures are counted, and teams are compared. It sounds logical: phishing is a serious risk, so practicing it should make organizations safer. In reality, the opposite often happens.
“A click is not the real risk. The real risk is a click that no one dares to talk about.”
Instead of increasing safety, phishing simulations often create fear, frustration, and distrust, not only among employees but also between teams, managers, and security departments. This is not because simulations are inherently bad, but because they are frequently deployed without the psychological conditions required for learning.
Employees often experience simulations as a trap
For security professionals, a simulation feels like a learning opportunity. For employees, it often feels like a setup — a trick designed to catch them. And people who feel caught do not learn faster; they withdraw.
You see this everywhere. Employees become cautious and defensive. They hesitate to ask questions for fear of appearing incompetent. They report suspicious emails less frequently, worrying that it might be another test.
The irony is clear: a simulation meant to encourage reporting ends up discouraging it. Not because people don’t want to learn, but because the design of the simulation triggers the wrong behavior.
Why the wrong incentives create the wrong behavior
Awareness is not about flawless behavior; it is about openness and reporting. The goal is not zero clicks, but fast reporting when something goes wrong.
Yet many simulations are used as scorecards. Lists of “clickers” appear. Departments are compared. Sometimes employees are even reprimanded for failing a fictional test. The result is predictable: people avoid the topic. They may click less, but they also report less.
How phishing should work: trust over testing
The solution is not to abandon phishing simulations, but to redefine their purpose. A good simulation is a conversation starter, not an exam. The focus shifts from who clicked to how quickly incidents are reported and what can be learned.
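The reporting-centred metrics argued for above (fast reporting over zero clicks, and the silent click as the real risk), written out as an added Python example; it is not code from the original article. The `Outcome` rows, the `score_campaign` and `healthier_than` functions and the sample campaign data are all constructed for illustration.

```python
"""Score a phishing simulation by reporting behaviour instead of click rate.

Added example, not from the original article. It assumes a simple per-employee
outcome record for one campaign; the sample rows below are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass
class Outcome:
    employee: str
    clicked: bool
    report_minutes: Optional[float]  # minutes from delivery to report; None = never reported


# Constructed sample campaign (hypothetical data, not real results).
SAMPLE_CAMPAIGN = [
    Outcome("a", clicked=True, report_minutes=4),      # clicked, then reported quickly
    Outcome("b", clicked=True, report_minutes=None),   # clicked and stayed silent: the real risk
    Outcome("c", clicked=False, report_minutes=12),
    Outcome("d", clicked=False, report_minutes=None),
    Outcome("e", clicked=False, report_minutes=30),
    Outcome("f", clicked=True, report_minutes=60),
]


def score_campaign(outcomes: List[Outcome]) -> dict:
    """Return metrics that reward openness: report rate and speed, silent clicks."""
    n = len(outcomes)
    clicks = [o for o in outcomes if o.clicked]
    reports = [o.report_minutes for o in outcomes if o.report_minutes is not None]
    silent_clicks = [o for o in clicks if o.report_minutes is None]
    return {
        "click_rate": len(clicks) / n,
        "report_rate": len(reports) / n,
        "minutes_to_first_report": min(reports) if reports else None,
        "median_minutes_to_report": median(reports) if reports else None,
        # Clicked but never reported: the failure mode the article warns about.
        "silent_click_rate": len(silent_clicks) / n,
        # Share of clickers who still spoke up; high values indicate trust.
        "clickers_who_reported": (len(clicks) - len(silent_clicks)) / len(clicks) if clicks else None,
    }


def healthier_than(before: dict, after: dict) -> bool:
    """A campaign counts as progress when reporting rises and silent clicks do not."""
    return (after["report_rate"] > before["report_rate"]
            and after["silent_click_rate"] <= before["silent_click_rate"])
```

Note that `healthier_than` deliberately ignores click rate, so a campaign where people click the same amount but report more still counts as improvement.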
When simulations are framed as learning tools, when mistakes are treated as opportunities, and when reporting is valued over metrics, trust emerges. And trust is the foundation of real security.
Phishing is a real threat. But phishing simulations only work within a culture of openness and respect. Not as traps, but as practice. Not as judgment, but as learning.
That is when organizations don’t just click less — they report more. And that is what truly makes the difference.