
Do Phishing Simulations Help or Hurt Your Workforce?

The Big Idea
- Phishing simulations are common, but research suggests they do little for phishing prevention. Knowledge decays quickly and high-pressure situations override what people have learned.
- Simulations can raise awareness, but they can also erode trust and leave people unprepared. Manipulative lures damage trust, and misleading metrics create a false sense of progress while real behavior stays unchanged.
- Cognitive security stops phishing by facilitating secure decision-making at the point of attack. It neutralizes psychological tactics, builds trust over time, and leans into the natural agency of your people, all while measuring true behavior resilience.
Conventional wisdom says that practice makes perfect, which explains why most companies use phishing simulations. They believe that exposing employees to fake phishing messages in their inbox will, with practice, make them better equipped to identify and avoid the real thing when it inevitably arrives.
It sounds like a perfectly logical approach to phishing prevention and reducing human risk. But do phishing simulations work?
We now have a good answer following the release of the most comprehensive study of phishing prevention ever conducted. UC San Diego researchers created 10 phishing campaigns and sent them to almost 20,000 employees at a major health system. They concluded that previous phishing training did not reduce open rates at all, and embedding trainings in the simulated messages reduced those rates by just 2%.
[Figure: statistics from G. Ho, A. Mirian, S. Savage, G. M. Voelker, and D. Wagner (2025): reduction in click rates over an 8-month period; time spent by 75% of users on training materials; share of users who closed the training immediately.]
"Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks."
G. Ho, A. Mirian, S. Savage, G. M. Voelker, and D. Wagner (2025)
Basically, phishing practice did not make perfect. Given the ubiquity of phishing simulations and the significant time and expense spent creating them, these results are alarming, but they don't tell the whole story. Phishing simulations have flaws, yet they also have value, especially as part of a multi-pronged approach to social engineering and human risk prevention.
Let's examine where phishing simulations help, where they hurt, and what actually works.
The Positive Side of Phishing Simulations
Imagine a scenario where phishing simulations didn't exist at all. People would hear about these malicious messages, but they would have little to no first-hand experience with unusual emails arriving in their inbox, and no practice trying to spot the red flags.
Little experience with phishing only makes people less equipped to avoid it, so companies need to simulate phishing to some extent, and it can be a valuable tool when done correctly.
- Some people are more perceptive to phishing than others, but simulations ensure that everyone has the same baseline understanding of tactics and techniques.
- Simulations can also generate valuable data about phishing weaknesses to bolster security controls and training programs.
- They can even be a valuable diagnostic tool, helping to identify who could benefit from additional training and education.
For all these reasons, phishing simulation isn't going away. In its current iteration, however, there's substantial room for improvement.
Why Phishing Simulations Go Sideways
If phishing simulations do so much to raise phishing awareness, how come they do so little to reduce phishing failures?
The Trust Gap
Part of the blame goes to poor simulation designs. Phishing lures can prey on people's emotions, whether positively ("Click here to collect your bonus!") or negatively ("Notice of Termination"). Either way, they cause people unnecessary distress, bury the lesson underneath the emotion, and create a trust gap between the workforce and security team.
People hate being manipulated this way, so it's no surprise that phishing isn't fixed.
For example, GoDaddy faced a worldwide PR backlash in 2021 which damaged both employee and customer trust after sending out a fake phishing email promising a $650 holiday bonus the company had no intention of paying.
Knowledge Decay
That said, even well-designed simulations can often fall flat. Knowledge decay is a common problem, meaning lessons learned from training and simulations get forgotten by the time they could help prevent a real phishing attack. Yet even with a perfect memory, seeing through sophisticated, AI-driven phishing campaigns isn't easy for anyone, and simulations provide no protection when the stakes are real.
"We find that SETA (Security Training, Education, and Awareness) programs can increase employees' cybersecurity knowledge by 12-17%, but the increment wears off within a month."
Sikolia, D., Biros, D., & Zhang, T. (2023)
The Halo Effect
In practice, phishing simulations are valuable for training and analysis but not so much for phishing prevention and human risk reduction. Security teams sometimes misunderstand this fact due to a halo effect, where they credit simulations for security wins when something else, often luck, is actually responsible.
A 2022 NIST technical report investigated how U.S. federal agencies measure the effectiveness of their security awareness programs beyond mere compliance metrics. The findings? Although nearly half of respondents viewed compliance as the main measure of success, many participants expressed concern that compliance metrics like completion rates fail to reflect lasting shifts in attitudes or behaviors, despite this being the true objective of security awareness training methods like simulations.
The Perfect Storm Undermining Simulations
These three forces combine to make phishing simulation what it is today: everywhere, but rarely effective. Trust gaps keep employees skeptical. Knowledge fades faster than it's reinforced. Halo effects give teams the illusion of security without the substance of real behavioral change. The result? A program that's busy but not better, and a signal that it's time to rethink how we train people to spot deception.
After years of trying and largely failing to stop phishing, it's clear we need to do things differently. And by looking at what isn't working about phishing simulations, it's also clear what the solution looks like.
Cognitive Security Starts Where Simulations Stop
If you can't stop phishing by training people before or during the simulation, how do you address this real and growing human risk? The answer seems obvious: by giving people guidance at the moment of risk instead of relying on their memory to recall training.
That's the core concept behind cognitive security. Rather than teaching people to spot phishing lures and hoping they remember that information when it counts, cognitive security looks for signs of deception and intervenes at the point of action, when someone's decision-making is at risk of being hijacked.
Cognitive security supplies people with the context, information, and the guidance they need to make secure decisions in high-risk moments. People don't have to scour their memory or become masters at spotting manipulation. Instead, they get smart security guidance exactly when they need it most: right before they do something wrong.
Unlike the prescriptive nature of phishing simulations, cognitive security takes a prevention-first approach designed to drastically reduce the frequency of successful phishing attempts.
Here's how:
- Protects and Extends Agency to Your People: Catching mistakes in the moment, rather than later during incident escalation, helps people prevent or fix their mistakes before they have consequences and avoid the embarrassment of "failing" at phishing.
- Neutralizes Psychological Tactics: Bad actors use emotion and manipulation to trick people into making bad decisions, but cognitive security is there in those moments to anchor decisions in rationality and highlight hard-to-see red flags. It also defuses cognitive overload, the flustered state people fall into when trying to recall training exercises and policy rules under pressure.
- Builds Trust Over Time: Giving people a security assistant instead of another security assessment helps build important trust with the organization which in turn leads to more respect for cybersecurity and fewer incidents, phishing or otherwise.
- Measures What Really Matters: Cognitive security measures success by what matters most, reductions in risky actions like opening phishing emails and negative outcomes like downloading malware, rather than measuring human risk by test results.
On their own, phishing simulations can lead to vanity metrics, forgotten lessons, and a false sense of security. When combined with a cognitive security solution like Maro, however, phishing simulations become a potent training resource, backed up with tools at the point of attack that make human decision-making into the strongest defense of all.
What's Next: Exploring Cognitive Security
More than just a complement to phishing simulations, cognitive security is one of the most exciting concepts in cybersecurity right now, with huge implications for handling human risk and stopping advanced threats in the age of AI. Plus, it represents a more streamlined and economical approach to security, deploying resources strategically instead of expansively.