Phishing simulations

Here are some references I use to support my negative view of Phishing Simulation [1]:
Commentary:

* Good phishing simulations are dependent on a good lure. Meaningful lures involve major threats or enticements, both of which can hurt the end user when followed by the "gotcha" page.
* Phishing simulations may be needed to check a box for legal, contractual, or compliance requirements. It's up to you to fight the first two getting put in place.
* Measuring clicks is bad simulation - we mostly care about credential submission or execution of a binary. Simulation vendors often over-emphasize clicks as "bad."
* Consider gamifying phish detection as one alternative.

[1] Instead, roll out webauthn/Yubikeys