Phishing Simulations: A Teachable Moment—or a Warning Sign?
- Jessica Zeff

- Apr 3
- 3 min read

Most compliance and security professionals agree: phishing simulations are one of our most valuable awareness tools. They give us a safe way to test vigilance, reinforce habits, and open up critical dialogue across the workforce.
But let’s be honest—there’s a persistent tension.
If we’re using phishing simulations to spot human risk, what happens when the same person keeps failing?
That’s the uncomfortable question many of us wrestle with: At what point does repeated failure stop being educational and start being a true indicator of risk? And what, exactly, should we do about it?
Phishing Failures as a Risk Indicator: Yes or No?
For many organizations, the answer is increasingly yes. Repeat simulation failures do serve as a formal human risk indicator.
Here’s why:
- Clicking links in real-world phishing emails is still the leading cause of healthcare data breaches and ransomware attacks.
- Regulatory bodies (like OCR and state AGs) don’t care if it was an accident. They care if we had reasonable safeguards in place.
- If a staff member fails five simulations in a row—should they still have the same data access as someone who’s never failed one?
It’s not about shame or blame—it’s about risk stratification and proactive control.
What Threshold Triggers Escalation?
This is where policies vary.
Some organizations take a strict statistical approach—track simulation failures per person, per department, per time frame. Set thresholds like:
- 2 failures = remedial training
- 3 failures = manager coaching
- 4+ failures = HR involvement or access review
Others take a departmental approach—every time someone fails a simulation, the whole team gets assigned a refresher course. That method banks on peer pressure and shared accountability.
Still others adopt the “training fatigue model”: if you fail the same simulation multiple times, you get the same course multiple times. Eventually, the theory goes, you’ll either learn—or get tired of being assigned it.
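To make the statistical and departmental approaches above concrete, here is an added Python example (not code from the post or its author) that scores constructed simulation results against the tiers listed above. It counts failures per person inside a rolling window, maps the count to an escalation tier, and computes a per-department failure rate so a team-wide refresher can be triggered. The 365-day window, the set of outcomes treated as a failure, and the sample records are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample simulation results (not real data): one record per
# simulated phish delivered to a user: (user, department, campaign date, outcome).
SAMPLE_RESULTS = [
    ("alice", "billing", date(2024, 1, 15), "reported"),
    ("alice", "billing", date(2024, 3, 10), "clicked"),
    ("alice", "billing", date(2024, 5, 20), "clicked"),
    ("bob", "billing", date(2024, 1, 15), "clicked"),
    ("bob", "billing", date(2024, 3, 10), "clicked"),
    ("bob", "billing", date(2024, 5, 20), "clicked"),
    ("bob", "billing", date(2024, 7, 1), "credentials_entered"),
    ("carol", "radiology", date(2024, 1, 15), "ignored"),
    ("carol", "radiology", date(2024, 3, 10), "reported"),
    ("dave", "radiology", date(2023, 2, 1), "clicked"),  # old: falls outside the window
    ("dave", "radiology", date(2024, 5, 20), "ignored"),
]

# Assumption: which outcomes count as a failure. "ignored" (no click, no report)
# is deliberately not a failure here; that is a policy choice, not a given.
FAILURE_OUTCOMES = {"clicked", "credentials_entered", "attachment_opened"}

# The post's example thresholds, checked from the strictest tier downward.
TIERS = [
    (4, "HR involvement or access review"),
    (3, "manager coaching"),
    (2, "remedial training"),
]

# Assumption: failures are counted over a rolling 12-month window.
WINDOW = timedelta(days=365)
AS_OF = date(2024, 8, 1)  # constructed "today" for the sample data


def in_window(when, as_of, window):
    """True if a campaign date falls inside the rolling window ending at as_of."""
    return as_of - window < when <= as_of


def count_failures(results, as_of=AS_OF, window=WINDOW):
    """Failures per user within the rolling window; users with none are omitted."""
    counts = defaultdict(int)
    for user, _dept, when, outcome in results:
        if outcome in FAILURE_OUTCOMES and in_window(when, as_of, window):
            counts[user] += 1
    return dict(counts)


def escalation_tier(failures):
    """Map a failure count to the escalation action, or None below the first tier."""
    for threshold, action in TIERS:
        if failures >= threshold:
            return action
    return None


def escalate(results, as_of=AS_OF, window=WINDOW):
    """Users who have crossed a threshold, with the action the policy assigns."""
    tiers = {}
    for user, n in count_failures(results, as_of, window).items():
        action = escalation_tier(n)
        if action:
            tiers[user] = action
    return tiers


def department_failure_rate(results, as_of=AS_OF, window=WINDOW):
    """Share of delivered simulations that were failed, per department.

    A department-level view supports the 'whole team gets a refresher' model
    without singling out one person.
    """
    delivered = defaultdict(int)
    failed = defaultdict(int)
    for _user, dept, when, outcome in results:
        if in_window(when, as_of, window):
            delivered[dept] += 1
            if outcome in FAILURE_OUTCOMES:
                failed[dept] += 1
    return {d: failed[d] / delivered[d] for d in delivered}


if __name__ == "__main__":
    for user, action in sorted(escalate(SAMPLE_RESULTS).items()):
        print(f"{user}: {action}")
    for dept, rate in sorted(department_failure_rate(SAMPLE_RESULTS).items()):
        print(f"{dept}: {rate:.0%} of simulations failed in the last 12 months")
```

The rolling window matters: a single old click should age out rather than follow someone indefinitely, which is why dave's 2023 failure is not counted. Whatever thresholds and window you choose, keep them in one place (as `TIERS` and `WINDOW` are here) so compliance, security and HR are all reviewing the same numbers.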
The truth? There’s no magic number. But doing nothing sends a dangerous message.
Who Decides What to Do?
In well-aligned organizations, compliance and security (and even HR and Legal) work together to define escalation thresholds. This ensures:
- Security teams understand the legal and regulatory expectations
- Compliance officers understand the technical impact of real-world failures
- Risk decisions are made collaboratively—not in silos
If only one team is making the call, you risk either over-correcting with punitive actions or under-reacting to serious risk behavior.
The sweet spot? A joint policy that includes:
- Risk thresholds for individuals and departments
- Defined roles for IT, compliance, HR, and supervisors
- Remediation options (training, coaching, access limitations, etc.)
- Documentation standards for each step
Coaching vs. Discipline: Where’s the Line?
Most of us prefer a coaching-first culture. We want staff to feel safe reporting phishing attempts. We want them to learn from mistakes—not hide them.
But at the same time, HIPAA doesn’t care about good intentions. If a repeat offender causes a breach, the response from regulators won’t be warm and fuzzy.
That’s why a tiered model is ideal:
- Training and refreshers for the first few failures
- Manager coaching to uncover barriers (e.g., distractions, knowledge gaps)
- Access reviews or restrictions for persistent noncompliance
- HR involvement only after other steps fail
Culture Eats Technology for Breakfast
I love that phrase. Because it’s true.
You can implement the best email filters, the most advanced firewalls, and AI-driven threat detection—but if your staff culture isn’t security-minded, it only takes one click to bring everything down.
The most technical risk in the organization is often still the most human.
So what do we do?
- Invest in awareness tools that go beyond check-the-box modules
- Celebrate successful phishing detection (make it positive!)
- Make it easy and fast to report suspected phish
- Use repeat failures not to punish—but to learn why someone isn’t “getting it”
- Build a culture where caution is celebrated, not ridiculed
Because ultimately, you’re not just testing clicks—you’re testing culture.
Do you have questions about this blog? Please contact jessicazeff@simplycomplianceconsulting.com.