Subscribe to the Non-Human & AI Identity Journal

Why do phishing simulations often fail to change behaviour?

They fail when they are generic, delayed, or disconnected from the attacks employees are actually seeing. Behaviour changes when training mirrors the same lure patterns, roles, and urgency cues that attackers use. If the content is too abstract or arrives too late, the lesson no longer matches the threat.

Why This Matters for Security Teams

Phishing simulations are meant to reduce risk, but they often become a compliance exercise instead of a behaviour-change tool. The problem is not simulation itself, but poor targeting: generic lures, predictable timing, and weak follow-up rarely teach people how real phishing works. NIST SP 800-53 Rev 5 Security and Privacy Controls emphasises awareness and training as part of a broader control system, not a one-time event, which is the right lens for evaluating these programmes.

For security teams, the real issue is whether simulations improve decision-making under pressure. If employees only learn to spot obvious templates, attackers will simply use more convincing lures, different channels, or role-specific pretexts. Effective programmes need to reflect actual exposure, including finance, HR, executive, and IT workflows, because behaviour is shaped by context, repetition, and feedback. In practice, many security teams encounter the weakness only after a real phishing incident exposes the gap between training content and attacker tradecraft, rather than through intentional measurement.

How It Works in Practice

Behaviour changes when the simulation is treated as part of a control loop: observe the threat, test the audience, measure response, and adapt the intervention. Current guidance suggests the best simulations are aligned to live attacker patterns and tuned to job function. That means one team may see invoice fraud, another may see cloud login prompts, and privileged users may need scenarios involving credential resets or approval abuse.

Operationally, the programme should be built around a few practical steps:

  • Use role-based lures instead of a single company-wide template.
  • Vary delivery times and channels so people do not learn the pattern.
  • Pair simulations with immediate, specific feedback that explains the telltale signs.
  • Track both click rates and reporting behaviour, since fast reporting is often more valuable than perfect avoidance.
  • Connect findings to security awareness, email controls, and incident response processes under a framework such as the NIST SP 800-53 Rev 5 Security and Privacy Controls.

For broader phishing resilience, teams can also map attack patterns to MITRE ATT&CK techniques, especially email delivery, credential harvesting, and social engineering paths described by MITRE ATT&CK. That helps security teams test detection and response, not just user clicks. The key is to treat each simulation as input to a measurable improvement cycle, not as a scorecard for shame. These controls tend to break down when simulations are run as mass campaigns with no linkage to current threats because the learning becomes abstract and quickly forgotten.

Common Variations and Edge Cases

Tighter simulation targeting often increases programme overhead, requiring organisations to balance realism against workload, privacy, and fatigue. That tradeoff matters because the most realistic exercises can also feel intrusive if they are not governed carefully.

There is no universal standard for how aggressive simulations should be. In regulated environments, especially where employee monitoring or disciplinary action is a concern, best practice is evolving toward transparent governance, defined approval paths, and separation between learning metrics and punitive processes. Some organisations need different treatment for contractors, high-risk roles, or multilingual workforces, since a single message may not be equitable or effective. Others may find that senior executives need more tailored scenarios because attackers often target authority, urgency, and exception handling rather than generic password theft.

Behaviour change also weakens when simulations are too infrequent or too predictable. If the lesson arrives weeks after the event, the feedback loop is broken. If the same format repeats, people learn the test instead of the threat. More mature programmes therefore blend simulations with short just-in-time coaching, reporting reinforcement, and threat-informed awareness content. For organisations handling identity-heavy workflows, such as finance approvals or privileged access, pairing simulations with identity and access process reviews can expose where human judgement and control design fail together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AT-01 Awareness training is central to changing user response to phishing.
MITRE ATT&CK T1566 Phishing simulations should mirror real phishing delivery techniques.
NIST AI RMF GOVERN Behaviour-change programmes need governance, ownership, and measurable accountability.

Deliver recurring, threat-informed awareness training and measure whether reporting and decisions improve.