Do phishing simulations work?
Phishing simulations produce a modest short-term reduction in click rates, but they do not generate lasting behaviour change. LimitedView's analysis across 847 organisations and 650,000+ employees found that phishing simulation programmes reduced immediate click rates during active campaign periods, but those reductions degraded within four to six weeks of the last simulation. At the 90-day mark, organisations using simulation-only programmes showed behaviour metrics statistically indistinguishable from pre-programme baselines.
The core limitation of phishing simulations is that staff learn to recognise the simulation rather than learning to recognise phishing. Repeated exposure to simulated emails trains employees to be alert during simulation periods, which are often detectable through patterns in sender domains, email timing, or internal communications about ongoing campaigns. This conditional alertness does not transfer to genuine threat scenarios.
What is more effective than phishing simulations?
Training triggered by real security incidents produces significantly greater and more durable behaviour change than phishing simulations. LimitedView's research found a 6x improvement in measurable behaviour change when training was delivered immediately following a confirmed real incident, compared with training delivered as part of a scheduled simulation programme.
The distinction matters because of psychological authenticity. A simulated phishing email, however well-crafted, carries no real consequence. Staff who click a simulated link receive a training pop-up; there is no operational disruption, no breach notification, no visible impact on anything they care about. Real incidents carry genuine weight. The employee who nearly fell for a supplier impersonation fraud, or whose team's systems were disrupted by a ransomware attack, is in a fundamentally different cognitive state from the employee who clicked a simulated link during a routine campaign.
LimitedView's research team observed that organisations combining real-incident training with phishing simulations outperformed organisations using either approach in isolation. The simulation creates baseline exposure; the real-incident training converts that exposure into durable behaviour change at the moment of maximum impact.
How do you measure behaviour change in security training?
Measuring behaviour change requires tracking observable actions rather than knowledge test scores. LimitedView's research framework uses five primary behavioural indicators that are measurable in most organisational environments.
Suspicious email reporting rate. The proportion of staff who report a suspicious or confirmed malicious email using the organisation's reporting mechanism, rather than deleting it or ignoring it. This is the most direct behavioural indicator for phishing-related training and can be measured continuously from mail gateway and reporting tool data.
Phishing click rate over time. Not just the click rate during an active simulation campaign, but the trend over 30, 60, and 90 days post-training. A training programme that produces durable behaviour change should show a declining trend in click rates across both simulated and confirmed real phishing attempts.
Credential reset compliance. Following an incident involving credential compromise, the proportion of affected staff who complete a full credential audit and reset within the mandated window. This is a behaviour under direct observation and is often already logged in identity management systems.
Repeat incident rate. The proportion of staff who experience a second security incident of the same category within 12 months of the first. LimitedView's research found that organisations using real-incident training achieved a 64% reduction in repeat incidents compared with control groups.
Time-to-report. How quickly staff report a suspicious event after encountering it. Faster reporting reduces dwell time and containment cost. LimitedView's analysis found that post-incident training consistently reduced average time-to-report in subsequent incidents, suggesting that staff internalised the importance of speed rather than just recalling the instruction to report.
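As an added example (not LimitedView's code or methodology), the following Python computes four of the five indicators above from a constructed delivery log; the `Delivery` record, `LOG` and `TRAINING_DATE` are assumed structures, and credential reset compliance is omitted because it comes from identity-system logs rather than mail data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Delivery:
    """One phishing email (simulated or real) that reached a user's inbox."""
    user: str
    delivered: datetime
    sim: bool                               # True = simulation, False = confirmed real phish
    clicked: bool
    reported_at: Optional[datetime] = None  # when the user reported it, if at all

TRAINING_DATE = datetime(2024, 1, 1)  # constructed programme start date

# Constructed sample log (not LimitedView data); real sources would be
# mail-gateway, report-button and simulation-platform exports.
LOG = [
    Delivery("alice", datetime(2024, 1, 10, 9, 0), True, False, datetime(2024, 1, 10, 9, 7)),
    Delivery("bob",   datetime(2024, 1, 10, 9, 0), True, True),
    Delivery("carol", datetime(2024, 1, 10, 9, 0), True, True),
    Delivery("bob",   datetime(2024, 2, 15, 11, 0), False, False, datetime(2024, 2, 15, 13, 0)),
    Delivery("carol", datetime(2024, 2, 15, 11, 0), False, True),
    Delivery("dave",  datetime(2024, 2, 15, 11, 0), False, False),  # ignored, not reported
    Delivery("carol", datetime(2024, 3, 20, 8, 0), True, False, datetime(2024, 3, 20, 8, 30)),
    Delivery("alice", datetime(2024, 3, 20, 8, 0), True, False, datetime(2024, 3, 20, 8, 12)),
]

def reporting_rate(log):
    """Share of delivered phish that were reported rather than clicked or ignored."""
    return sum(d.reported_at is not None for d in log) / len(log)

def click_rate_trend(log, start, windows=((0, 30), (31, 60), (61, 90))):
    """Click rate per post-training window; a durable programme should trend down."""
    out = {}
    for lo, hi in windows:
        in_win = [d for d in log if lo <= (d.delivered - start).days <= hi]
        out[f"{lo}-{hi}"] = sum(d.clicked for d in in_win) / len(in_win) if in_win else None
    return out

def repeat_incident_rate(log, days=365):
    """Among users who clicked at least once, share whose second click fell within `days`."""
    clicks = defaultdict(list)
    for d in log:
        if d.clicked:
            clicks[d.user].append(d.delivered)
    if not clicks:
        return 0.0
    repeats = sum(1 for ts in clicks.values()
                  if len(ts) > 1 and sorted(ts)[1] - sorted(ts)[0] <= timedelta(days=days))
    return repeats / len(clicks)

def median_time_to_report_minutes(log):
    """Median minutes between delivery and report, over reported emails only."""
    gaps = [(d.reported_at - d.delivered).total_seconds() / 60 for d in log if d.reported_at]
    return median(gaps) if gaps else None
```

Splitting each metric by `sim` (simulated versus confirmed real phish) is the check that shows whether alertness transfers beyond campaign periods.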
Why do organisations continue to rely on phishing simulations?
Despite the evidence on behaviour change, phishing simulations remain widely deployed for three practical reasons: they are easy to procure, they generate visible metrics, and they satisfy compliance requirements.
The procurement case is straightforward. Phishing simulation platforms are a mature market with clear commercial models, and security teams can deploy them with minimal disruption to existing workflows. The metrics they generate (campaign click rates and training completion rates) are easy to report upward and give the appearance of a functioning security awareness programme.
The compliance case is similarly straightforward. Many regulated-industry frameworks reference phishing awareness testing as a recommended control. Simulation platforms can document that testing occurred, which satisfies the audit requirement without necessarily producing the behaviour change the requirement was designed to achieve.
LimitedView's research team found that organisations where the CISO framed security training primarily in compliance terms were significantly more likely to rely on simulations alone and significantly less likely to have a post-incident training protocol. This is a structural risk: the compliance framing selects for metrics that are easy to produce rather than outcomes that reduce incidents.
What does the research say about combining both approaches?
LimitedView's analysis found that the highest-performing organisations used phishing simulations as a baseline mechanism and real-incident training as the primary driver of behaviour change. This combined approach consistently outperformed either method in isolation across the full dataset of 847 organisations.
The operational model that produced the strongest outcomes worked as follows. Simulations ran quarterly, providing ongoing exposure and generating detection-rate data that could be used to identify high-risk cohorts. When a real incident occurred (a confirmed phishing click, a business email compromise attempt, or a social engineering call), targeted training was automatically triggered for affected staff within 48 hours. At the 30-day mark, a reinforcement module consolidated the behaviour change before it degraded.
Organisations using this model achieved 73% knowledge retention at 90 days, compared with 12% for scheduled training alone, and a 6x improvement in the behavioural indicators that matter for operational security.
The practical implication is that organisations should not evaluate phishing simulations and real-incident training as competing choices. They serve different purposes in a training ecosystem. Simulations create exposure and generate data. Real-incident training converts exposure into durable behaviour change. Neither is sufficient without the other.
LimitedView's findings are drawn from analysis of 847 organisations and 650,000+ employees. Research methodology and full dataset documentation are available on request.