Question: Are phishing or social-engineering simulations conducted to test staff vigilance?
Why This Matters
Practical simulations turn abstract awareness into measurable behavior change and reveal weak spots in everyday practices.
Maturity
- 0 — Unaware: No testing of user awareness.
- 1 — Ad Hoc: Occasional manual phishing emails by IT.
- 2 — Defined: Simulations scheduled quarterly with defined metrics.
- 3 — Managed: Results fed back into targeted training modules.
- 4 — Integrated: Scenarios include vishing, smishing, and USB baiting.
- 5 — Optimized: Automated adaptive simulations based on user behavior.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Run a basic manual phishing test. |
| 1 → 2 | Schedule quarterly campaigns with metrics. |
| 2 → 3 | Use results to trigger micro-training. |
| 3 → 4 | Add multi-vector social engineering scenarios. |
| 4 → 5 | Automate adaptive testing per user risk score. |
Enablers
- People: IT Security Team, Awareness Lead
- Process: Plan → Simulate → Measure → Educate
- Technology: Phishing-simulation platform, reporting dashboard
Evidence
- Simulation records
- Click-rate metrics
- Remediation training proof
KPIs
- Number of campaigns per year
- Click rate trend (month-on-month)
- Number of users who reported phish
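An added example (not part of the original checklist) that computes the click-rate and report-rate KPIs above from constructed GoPhish-style campaign results, their month-on-month trend, and a simple per-user risk score of the kind the 4 → 5 step ("adaptive testing per user risk score") relies on. The status names follow GoPhish's result statuses; the records, addresses, scoring weights and threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in the shape of a GoPhish results export: one row per
# (campaign month, recipient, furthest status reached). All values are invented.
SAMPLE_RESULTS = [
    ("2024-01", "alice@example.test", "Clicked Link"),
    ("2024-01", "bob@example.test",   "Email Reported"),
    ("2024-01", "carol@example.test", "Submitted Data"),
    ("2024-01", "dave@example.test",  "Email Sent"),
    ("2024-02", "alice@example.test", "Email Reported"),
    ("2024-02", "bob@example.test",   "Email Reported"),
    ("2024-02", "carol@example.test", "Clicked Link"),
    ("2024-02", "dave@example.test",  "Email Opened"),
]

FAILED = {"Clicked Link", "Submitted Data"}   # interacted with the lure
REPORTED = {"Email Reported"}                  # used the report-phish channel

def campaign_kpis(results):
    """Per-campaign click rate and report rate, the two KPIs the checklist tracks."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for month, _user, status in results:
        sent[month] += 1
        if status in FAILED: clicked[month] += 1
        if status in REPORTED: reported[month] += 1
    return {m: {"sent": sent[m], "click_rate": clicked[m] / sent[m],
                "report_rate": reported[m] / sent[m]} for m in sorted(sent)}

def month_on_month(kpis, key="click_rate"):
    """Change in a KPI between consecutive campaigns (negative = fewer clicks)."""
    months = sorted(kpis)
    return {b: kpis[b][key] - kpis[a][key] for a, b in zip(months, months[1:])}

def user_risk_scores(results, decay=0.5):
    """Per-user score for choosing who gets extra simulations and micro-training.
    A failure adds 1.0, a report subtracts 0.5; each older campaign is discounted
    by `decay` so recent behaviour dominates. The weights are an assumption."""
    months = sorted({m for m, _, _ in results})
    scores = defaultdict(float)
    for month, user, status in results:
        weight = decay ** (len(months) - 1 - months.index(month))
        if status in FAILED: scores[user] += 1.0 * weight
        elif status in REPORTED: scores[user] -= 0.5 * weight
    return dict(scores)

def adaptive_targets(results, threshold=0.5):
    """Users above the risk threshold: candidates for more frequent, varied tests."""
    return sorted(u for u, s in user_risk_scores(results).items() if s > threshold)
```

Users who only opened or ignored the mail never enter the score table, so they fall back to the regular campaign cadence rather than the adaptive one.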
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Simulation | GoPhish | Free open-source framework |
| Tracking | Airtable | Campaign logs |
| Training | Google Forms | Follow-up quiz |
Common Pitfalls
- Public shaming of employees
- No remedial training after failures
- Tests that are too predictable
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | A.6.3 (User Responsibilities) |
| DPDP Act 2023 | Sec 10 (Accountability and Awareness) |
| NIST CSF 2.0 | PR.AT / DE.AE |
| NIRMATA Mapping | AC-Q06 builds behavioral resilience through testing. |