Phishing simulations

Here are some references I use to support my negative view of Phishing Simulation [1]:

Perspectives:

• Sean Cassidy: Phishing simulations considered harmful
• Jamie Finnigan: Simulated phishing is not so great
• Yahoo Paranoids: Stop Giving Impossible Advice: Telling People to Watch Out for SUSPICIOUS EMAILS is Nonsense.
• Jacob Kaplan-Moss: Don’t include social engineering in penetration tests

Research:

• Phishing in Organizations: Findings from a Large-Scale and Long-Term Study

[1] Instead, roll out webauthn/Yubikeys