The Reality of Phishing Simulations

Every organization runs phishing simulations. And every organization asks the same question when the results come in:
“Are our users susceptible to phishing?”

Let me save you some time. Yes.
Your users are susceptible. Mine are. Everyone’s are. That’s not a variable—it’s a constant.

So if we know that phishing is a persistent, people-centric threat, then why do we continue treating phishing simulation results as a proxy for overall social engineering risk? Spoiler: they’re not.

Phishing Simulations Aren’t Risk Metrics

Phishing tests are often used to answer:

“What’s our risk of compromise through social engineering?”

But here’s the reality: phishing simulations don’t measure that. They measure how many users clicked a simulated phish or reported it. Useful? Yes. But not definitive.

Because social engineering risk isn’t just about clicks. It’s about what happens after the click.

The Real Questions We Should Be Asking

If we want to meaningfully measure our risk from social engineering, we need to ask deeper, infrastructure- and process-level questions:

  • Was the phish reported, and how quickly?

  • If there was a payload, was it blocked by content filtering?

  • If it made it through, did our EDR detect it?

  • If it was executed, did our systems catch execution or persistence behavior?

  • Was lateral movement attempted—and did we detect it?

  • Did our helpdesk follow identity verification protocols before a password reset?

  • Were internal alerts triggered, escalated, or ignored?

These are your Key Risk Indicators (KRIs).
Not whether 10% or 3% of users clicked a test email. That number tells you something about training effectiveness—not risk posture.
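One way to put those questions on a scorecard, as an added example (not code from the post's author): a small Python model that takes one simulated-phish exercise, records what each defensive stage did afterwards, and reports the KRIs the post names alongside the click rate rather than instead of it. The stage names, the `PhishExercise` record, and the sample numbers are all constructed for illustration and are not figures from the post.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Defensive stages in the order the post lists them; each is a KRI on its own.
# (Stage names are an assumption made for this example.)
STAGES = (
    "payload_blocked",             # content filtering stopped the attachment/link
    "edr_detected",                # endpoint protection caught what got through
    "execution_alerted",           # execution or persistence behaviour was flagged
    "lateral_movement_detected",   # movement off the first host was seen
    "helpdesk_verified_identity",  # reset request was challenged per protocol
)


@dataclass
class PhishExercise:
    """One simulated phish plus what the defensive stack did afterwards.

    Stage fields: True = control worked, False = control failed,
    None = that stage never occurred in this exercise (e.g. no payload).
    """
    sent_at: datetime
    recipients: int
    clicks: int
    reports: int
    first_report_at: Optional[datetime]
    payload_blocked: Optional[bool]
    edr_detected: Optional[bool]
    execution_alerted: Optional[bool]
    lateral_movement_detected: Optional[bool]
    helpdesk_verified_identity: Optional[bool]
    alerts_triggered: int
    alerts_escalated: int


def minutes_to_first_report(ex: PhishExercise) -> Optional[float]:
    """Time from send to the first user report; None if nobody reported."""
    if ex.first_report_at is None:
        return None
    return (ex.first_report_at - ex.sent_at).total_seconds() / 60.0


def stage_status(value: Optional[bool]) -> str:
    if value is None:
        return "n/a"
    return "pass" if value else "fail"


def kri_scorecard(ex: PhishExercise) -> dict:
    """Turn one exercise into the post's KRIs instead of a bare click rate."""
    card = {
        "click_rate": round(ex.clicks / ex.recipients, 3),
        "report_rate": round(ex.reports / ex.recipients, 3),
        "minutes_to_first_report": minutes_to_first_report(ex),
        "alert_escalation_rate": (
            round(ex.alerts_escalated / ex.alerts_triggered, 3)
            if ex.alerts_triggered else None
        ),
    }
    for stage in STAGES:
        card[stage] = stage_status(getattr(ex, stage))
    # How far the simulated compromise got before any control stopped it.
    reached = [s for s in STAGES if getattr(ex, s) is not None]
    card["deepest_stage_reached"] = reached[-1] if reached else None
    # The gaps are what should drive remediation, not the click percentage.
    gaps = [s for s in STAGES if card[s] == "fail"]
    if ex.alerts_triggered and ex.alerts_escalated < ex.alerts_triggered:
        gaps.append("alert_escalation")
    card["gaps"] = gaps
    return card


# Constructed sample exercise (hypothetical numbers, not from the post).
SAMPLE_EXERCISE = PhishExercise(
    sent_at=datetime(2024, 3, 4, 9, 0),
    recipients=200, clicks=14, reports=31,
    first_report_at=datetime(2024, 3, 4, 9, 7),
    payload_blocked=False,             # attachment reached the inbox
    edr_detected=False,                # EDR stayed quiet on the dropper
    execution_alerted=True,            # persistence attempt raised an alert
    lateral_movement_detected=None,    # exercise stopped before movement
    helpdesk_verified_identity=False,  # reset granted without verification
    alerts_triggered=2, alerts_escalated=1,
)


def sample_scorecard() -> dict:
    return kri_scorecard(SAMPLE_EXERCISE)


if __name__ == "__main__":
    for key, value in sample_scorecard().items():
        print(f"{key:28} {value}")
```

The `gaps` list is the output worth reading in a review meeting: on the constructed sample a 7% click rate looks fine, while the scorecard shows the filter, the EDR and the helpdesk all failed and only half the alerts were escalated. The `None`-means-not-reached convention matters too, so a stage the exercise never exercised is reported as `n/a` rather than silently counted as a pass.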

Phishing Simulations Still Have Value

To be clear: I’m not saying stop running phishing simulations.
They absolutely have a place—just not as your primary risk metric.

They’re excellent for:

  • Measuring training efficacy over time

  • Reinforcing awareness

  • Identifying high-risk users for targeted coaching

But they are a training tool, not a risk diagnostic.

Final Thoughts

If you’re looking at phishing simulation click rates as your leading indicator of social engineering risk, you’re asking the wrong question. And you may be missing where the real gaps are—in detection, in response, in identity verification, and in resilience after compromise.

Your organization will always have users who fall for a phish. The real risk is what happens next.
