Mini Course

Advanced Insights and Tips for Measuring and Managing Employee Phishing Vulnerabilities

(…Are they worth doing? or is there a better way?)

A phishing simulation done wrong can be more trouble than it’s worth

Most IT professionals know that the most common method of trying to measure the vulnerability of employees is by using live phishing simulations. With so many vendors providing platforms for launching test emails and reporting on “click rates”, it seems like it should be easy to get good value from these initiatives. But that’s not often the case.

Don’t waste any more time trying to squeeze one more campaign in before the end of the month

Perhaps you’ve already tried using them, and have discovered some of the inherent pitfalls of live phishing simulations. Or maybe you are just trying to plan your first campaign, or are just exploring whether you should try them with your organization.

Before you do another campaign, why not spend a few minutes learning from the mistakes I’ve made, as well as ones I’ve seen others make? This series of short videos provides an advanced look at the things you should be doing to get the most value from live phishing simulation campaigns.

It’s time to look into the future of phishing assessments, and avoid these pitfalls… It’s easier than you think!

And if you feel like there are just too many hassles, and would like to try a more positive and immersive approach, you can go straight to Lesson 9, where I show you the future of phishing assessments and awareness tools.

If you have feedback on this series, please contact us at:

Let’s build you a self-defending team…

– Scott Wright, CEO at Click Armor

Lesson 1: Introduction

What you will learn from this series about advanced phishing assessment concepts.

Lesson 2: Objectives of phishing assessments

Why do organizations run them, and how they can help in managing cyber security risks.

Lesson 3: Identifiable Outcomes

What can you measure, and what can you teach with phishing simulations?


Lesson 4: Indirect (and unexpected) outcomes

What you might not realize can happen during a live phishing simulation campaign.

Lesson 5: The mistakes you don’t want to make

It takes planning to ensure that each campaign has the least likelihood of having undesirable results. You should know them all.

Lesson 6.1: Unexpected employee reactions

Employee penatration tests aren’t like system penetration tests.

Lesson 6.2: Impossibly difficult test messages

It’s not about proving how smart you are to your team.

Lesson 6.3: Embarrassing your employees

The boss clicked on WHAT?

Lesson 6.4: Confidentiality of raw test data

It’s sort of like a performance review.

Lesson 6.5: Legal and HR backlash

Ask GoDaddy, Chicago Tribune and others about unexpected backlash.

Lesson 6.6: Unpredictable security and spam filters

Are you getting “false positives” or “false negatives” due to dynamic technologies that handle messages?

Lesson 6.7: Inconsistent message difficulty

If you intend to be able to get trend data over time, this is the most critical thing to manage.

Lesson 6.8: Hot Button Impersonations

Should you impersonate operationally sensitive groups, or should you leave a gap in the scope of your tests?

Lesson 6.9: Curious and Rebellious Employees

How much should you worry about the impact of people clicking deliberately; or informing others of the test?

Lesson 6.10: Lack of Handling Guidelines

Is it a fair test if employees aren’t given useful direction on how to spot suspicious messages, and what to do about them when they find them?

Lesson 6.11: Easily spotted test messages can falsely indicate progress

When you do phishing simulations so often that people can spot them by the subject line, or other clues, you aren’t really testing their analytical skills.

Lessson 7: What have the empoyees who didn’t respond to a message’s content learned?

With the objective being to lower click rates, as programs progress, what are people learning and practicing?

Lesson 8: Time commitments and distractions for IT managers running phishing simulations

Managers severely underestimate the planning and contingencies needed to account for time spend ensuring phishing simulations are providing value.

Lesson 9: [Spoiler Alert] Improving on live phishing simulations with immersive phishing awareness

Once you understand the intricacies of live phishing simulations, you’ll see why gamification brings much greater value to meet your objectives. It’s the only way to move from having an “adversarial and confused” relationship with employees to having a “self-defending team”.

Lesson 10: How does gamified phishing awareness address the pitfalls of live simulations?

There are advantages over live phishing simulations for virtually every pitfall discussed in this series.

Lesson 12: Questions and Answers

Some common questions were asked during the recording of this series about phishing simulations and inclusive phishing awareness.

…To Be Continued

To ne notified when future lessons and courses are published, click the button below to receive our tips and news.