I’ve seen raw data from phishing tests shared without being secured.

In organizations that have policies such as “three strikes and you’re out”, meaning termination, this information is VERY SENSITIVE.

Data about phishing simulations seems to be much more tempting for people to share than any other kind of learning or assessment data.

It’s likely because there is a specific story attached to a live phishing test that relates the situation to an individual’s performance.

It is best to create a set of aggregated phishing test data for groups of people (at least 20 per group), rather than to report raw data or even summary data on small groups. Then delete the raw phishing test data after it is no longer needed.

This may seem obvious, but most organizations are too vague in their guidance to employees, and rarely try to reinforce it.

Unless employees are in externally facing roles, where they receive many external inquiries, they are not often thinking about this.

You need to be constantly reminding employees about what they should look for in sender addresses, link URLs or body content.

Without this guidance, you should expect random fluctuations in their ability to avoid suspicious messages in phishing tests.

Testing people on knowledge they have rarely seen is unfair and unproductive.

You should be using an awareness program that provides ongoing, practical tips and allows them to practice using them to spot threats in a safe environment.