SY0-701 | Chapter 201 of 212 | Objective 5.6

Phishing Simulations and Awareness

This chapter covers phishing simulations and security awareness training, a critical component of the Security Program Management domain for SY0-701 (Objective 5.6). Phishing remains the most common initial attack vector, and organizations must measure and improve their human firewall through realistic testing. You will learn how simulations work, how to implement them safely, and how to interpret results to drive security culture change. This chapter maps directly to exam objective 5.6: Explain the importance of security awareness and training, with a heavy focus on phishing simulations as a key metric.

25 min read
Intermediate
Updated May 31, 2026

Fire Drills for the Inbox

Phishing simulations are like fire drills in a large office building. In a real fire, panic, smoke, and confusion can lead to people taking unsafe actions — like using the elevator instead of the stairs. To prevent this, building management conducts unannounced fire drills. They pull the alarm, observe how employees evacuate, and later review who went to the correct assembly point versus who hesitated or used the elevator. The goal is not to punish but to condition the correct response so that in a real fire, muscle memory takes over. Similarly, phishing simulations send fake malicious emails to employees. The security team tracks who clicks, who reports, and who ignores. Just as a fire drill reveals blocked exits or faulty alarms, a phishing simulation reveals which employees need more training and which security controls (like email filters) are failing. The mechanism is identical: controlled, safe exposure to a realistic threat, followed by measurement, feedback, and repetition to build automatic, correct behavior. Without simulations, employees face real attacks with no practice; with simulations, they develop a conditioned response: pause, inspect, report, delete. The key mechanistic parallel is that both drills are designed to be indistinguishable from the real event (except for safety controls) to maximize learning transfer.

How It Actually Works

What Are Phishing Simulations?

Phishing simulations are controlled, authorized attempts by an organization's security team to deceive employees into interacting with fake phishing emails. The goal is to assess the current level of phishing susceptibility, identify high-risk individuals or departments, and reinforce training through immediate feedback. For SY0-701, you must understand that simulations are a form of *security awareness training* — not a technical control like SPF or DMARC. They measure the human element.

How Phishing Simulations Work Mechanically

The process follows a structured cycle:

1. Planning: Define scope (all employees, specific departments, or high-risk roles like finance). Choose simulation types: credential harvesting (fake login page), malware attachment (dummy payload), or data entry (fake form). Set frequency (quarterly, monthly). Obtain explicit approval from management and legal — unauthorized testing is illegal.

2. Campaign Creation: Use a simulation platform (e.g., KnowBe4, PhishMe, GoPhish) to craft emails. Templates mimic real threats: fake shipping notifications, password reset requests, HR policy updates. The email includes a link or attachment. The link points to a landing page that records clicks; the attachment is a benign file (e.g., a text file or PDF) that triggers a tracking mechanism when opened.

3. Launch: Emails are sent in waves to avoid overwhelming the SOC. Timing may mimic real attack patterns (e.g., Monday morning, end of month).

4. Tracking: The platform logs each recipient's action: ignored, clicked link, entered credentials, opened attachment, or reported as phishing. Reporting is key — employees who use the built-in reporting button (e.g., Outlook "Report Phishing") demonstrate positive behavior.

5. Reporting: Dashboards show click rates, credential submission rates, and reporting rates. Results are broken down by department, geography, and job role.

6. Remediation: Employees who fail receive just-in-time training — a short module explaining what they did wrong and how to spot the red flags. Repeat offenders may get one-on-one coaching or disciplinary action (if policy dictates).

7. Reassessment: Run another simulation after training to measure improvement.

Key Components and Variants

- Simulation Types:
  - *Credential Harvesting*: Email with a link to a fake login page (e.g., Microsoft 365 lookalike). The page captures entered credentials but does not store them — the platform simply records that credentials were submitted.
  - *Malware Attachment*: Email with an attachment (e.g., a Word document with macros disabled, or a ZIP file containing a harmless executable). Opening the attachment triggers a tracking pixel or a call back to the simulation server.
  - *Spear Phishing*: Targeted simulation using the recipient's name, job title, or recent events (e.g., "Your expense report from your trip to Chicago is overdue").
  - *Smishing/Vishing*: SMS or voice call simulations (less common but tested).
- Metrics:
  - *Click Rate*: Percentage of users who clicked the link.
  - *Credential Submission Rate*: Percentage who entered credentials.
  - *Reporting Rate*: Percentage who reported the email via the official channel.
  - *Time to Report*: Average time between receiving the email and reporting it.
- Safe Design: Simulations must not cause harm. Dummy payloads must be inert (e.g., a .txt file with the word "simulation"). Landing pages must not actually capture real credentials — they should simply log the action. The simulation platform must have a kill switch to immediately stop a campaign if it escalates unexpectedly.

How Attackers Exploit and Defenders Deploy

Attackers use phishing because it's cheap and effective. They exploit human trust, urgency, and authority. Defenders deploy simulations to:

Identify vulnerable users before attackers do.

Test security controls: Are email filters blocking obvious phishing? Do users see the warning banners? Are external email tags displayed?

Build a security culture where reporting is rewarded.

Real Tool Examples

GoPhish: Open-source phishing framework. GoPhish's REST API creates the reusable pieces first (email template, landing page, sending profile, recipient group) and then a campaign that references each of them by name, so a typical campaign setup looks like this:

POST /api/templates/
{
  "name": "Password Reset",
  "subject": "Action Required: Your password expires in 24 hours",
  "html": "<html>...</html>",
  "text": "Please click here to reset your password: {{.URL}}"
}

POST /api/pages/
{
  "name": "Microsoft Login Clone",
  "html": "<html>...</html>",
  "capture_credentials": true,
  "capture_passwords": false
}

POST /api/smtp/
{
  "name": "Simulation Sending Profile",
  "interface_type": "SMTP",
  "host": "smtp.yourdomain.com",
  "from_address": "noreply@yourdomain.com"
}

POST /api/campaigns/
{
  "name": "Q1 2025 Phishing Test",
  "template": {"name": "Password Reset"},
  "page": {"name": "Microsoft Login Clone"},
  "smtp": {"name": "Simulation Sending Profile"},
  "url": "https://simulation.yourdomain.com",
  "groups": [{"name": "Finance Department"}],
  "launch_date": "2025-01-15T09:00:00Z"
}

The {{.URL}} placeholder in the template is replaced with a per-recipient tracking link under the campaign's "url", which is the address of the listener that serves the landing page. "capture_credentials": true records that a recipient submitted the form, while "capture_passwords": false keeps the submitted password out of the results database, matching the safe-design rule above. The recipient group ("Finance Department" is a placeholder name) is created beforehand via /api/groups/.

KnowBe4: Commercial platform. Administrators create campaigns via a web UI. The platform provides pre-built templates based on real-world phishing kits.

PhishAlert Button: Many platforms integrate with Outlook or Gmail to add a "Report Phishing" button. When a user clicks it, the email is forwarded to the SOC and the simulation platform records a positive action.

Standards and Best Practices

NIST SP 800-53 Rev. 5: Control AT-2 (Awareness Training) and AT-3 (Role-Based Training) recommend phishing simulations as part of continuous improvement.

CIS Control 17: Implement a Security Awareness and Training Program. Specifically, CIS recommends conducting simulated phishing attacks to measure effectiveness.

PCI DSS v4.0: Requirement 12.6.1 mandates security awareness training that includes phishing simulations for all personnel.

ISO 27001: Annex A.7.2.2 requires information security awareness, education, and training. Simulations are a common method to demonstrate competence.

Common Pitfalls

Testing Without Training: Running simulations without follow-up training is punitive and ineffective. SY0-701 emphasizes that simulations are a training tool, not a gotcha.

Overly Obvious Simulations: If emails are too easy to spot (e.g., terrible grammar, obvious fake URLs), employees learn to ignore them but miss sophisticated attacks.

Excluding High-Risk Roles: Executives and IT staff should be included — attackers target them specifically. However, some organizations exempt them, creating blind spots.

No Legal Approval: Unauthorized simulations can violate anti-hacking laws (e.g., CFAA) or employee privacy rights. Always get written approval from legal and HR.

How to Interpret Results

A click rate of 5-10% is typical for a first simulation. A rate above 20% indicates urgent need for training.

Reporting rate should be above 50% after training. If users click but don't report, they lack awareness of reporting channels.

Repeat clickers (users who fail multiple simulations) need targeted intervention. They may be a risk for credential theft or malware infection.

Exam Relevance

For SY0-701, understand that phishing simulations fall under *Security Awareness and Training* (Objective 5.6). The exam may present a scenario where an organization wants to measure the effectiveness of security awareness training — the correct answer is to conduct a phishing simulation. Wrong answers might include "implement an email filter" (technical control) or "conduct a vulnerability scan" (different purpose). Also know that simulations must be *authorized* and *safe* — any answer suggesting unauthorized testing or using real malware is incorrect.

Walk-Through

1. Obtain Authorization and Define Scope

Before any simulation, get written approval from management, legal, and HR. Define the scope: which employees, departments, and locations will be tested. Determine the frequency (e.g., quarterly) and the types of simulations (credential harvesting, attachment, spear phishing). Also define success metrics: target click rate, reporting rate, and time to report. Document the policy that governs simulations, including consequences for repeat failures. Without authorization, the simulation could be considered illegal hacking or harassment. For SY0-701, remember that unauthorized testing is a violation of policy and potentially law.

2. Select or Create Simulation Templates

Choose templates that mimic real-world threats. Use the simulation platform's library or create custom emails. Ensure the email has realistic content, sender address, and formatting. For credential harvesting, set up a landing page that looks like a legitimate login page (e.g., Microsoft 365). The page should capture the fact that credentials were entered but not store them. For attachments, use a benign file (e.g., a .txt file with a tracking pixel). Configure the tracking mechanism: a unique URL for each recipient to track clicks, and a callback for attachment opens. Test the simulation internally first to ensure it works as expected and does not trigger real security alerts.

3. Launch the Simulation Campaign

Schedule the launch time. Avoid obvious times like April Fools' Day. Send the emails in waves to avoid overwhelming the SOC. Monitor the campaign in real time using the platform's dashboard. Look for unexpected spikes in clicks or reports. Have a kill switch ready: if the simulation triggers a real incident response (e.g., the SOC starts blocking IPs), immediately stop the campaign and communicate with the SOC. Document the launch time, number of recipients, and any anomalies. For SY0-701, know that simulations should be realistic but controlled — the kill switch is a critical safety mechanism.

4. Track and Analyze Results

After the campaign ends, review the metrics: total clicks, credential submissions, attachment opens, and reports. Break down by department, role, and location. Identify high-risk groups (e.g., finance, HR) and repeat clickers. Compare results to previous campaigns to measure improvement. Generate a report for management. Include graphs showing click rates over time. Highlight positive behaviors, such as high reporting rates. For the exam, understand that the primary metric is the *reporting rate* — a high reporting rate indicates effective training, even if some users click initially.
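The metrics listed under Key Components, the interpretation thresholds from "How to Interpret Results" (click rate above 20% is urgent, reporting rate should exceed 50%) and the per-department breakdown, repeat-clicker list and campaign-over-campaign comparison described in this step, worked through in code. This is an added example, not code from the chapter or from any simulation platform; the rows are constructed sample data and the column names (campaign, user, dept, clicked, submitted, reported, report_minutes) are assumptions about what a platform export contains.

```python
"""Phishing-simulation metrics from a per-recipient event export (added example)."""
from collections import defaultdict
from statistics import mean


def _row(campaign, user, dept, clicked=False, submitted=False,
         reported=False, report_minutes=None):
    """One recipient in one campaign. Submitting credentials implies a click."""
    return {"campaign": campaign, "user": user, "dept": dept,
            "clicked": clicked or submitted, "submitted": submitted,
            "reported": reported, "report_minutes": report_minutes}


# Constructed export: two campaigns, two departments, four recipients each.
SAMPLE_ROWS = [
    _row("Q1", "alice", "finance", submitted=True),
    _row("Q1", "bob", "finance", clicked=True),
    _row("Q1", "carol", "finance", reported=True, report_minutes=3),
    _row("Q1", "dave", "finance"),
    _row("Q1", "erin", "engineering", reported=True, report_minutes=5),
    _row("Q1", "frank", "engineering", reported=True, report_minutes=12),
    _row("Q1", "grace", "engineering", reported=True, report_minutes=40),
    _row("Q1", "heidi", "engineering"),
    # Q2, after just-in-time training for the Q1 clickers
    _row("Q2", "alice", "finance", reported=True, report_minutes=2),
    _row("Q2", "bob", "finance", clicked=True, reported=True, report_minutes=9),
    _row("Q2", "carol", "finance", reported=True, report_minutes=4),
    _row("Q2", "dave", "finance"),
]


def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def campaign_metrics(rows, campaign):
    """Per-department click, credential-submission and reporting rates (in %)
    plus average minutes to report, for one campaign."""
    by_dept = defaultdict(list)
    for r in rows:
        if r["campaign"] == campaign:
            by_dept[r["dept"]].append(r)
    result = {}
    for dept, recs in by_dept.items():
        sent = len(recs)
        times = [r["report_minutes"] for r in recs
                 if r["reported"] and r["report_minutes"] is not None]
        result[dept] = {
            "sent": sent,
            "click_rate": _pct(sum(r["clicked"] for r in recs), sent),
            "submit_rate": _pct(sum(r["submitted"] for r in recs), sent),
            "report_rate": _pct(sum(r["reported"] for r in recs), sent),
            "avg_minutes_to_report": round(mean(times), 1) if times else None,
        }
    return result


def assess(dept_metrics):
    """Apply the chapter's thresholds: a click rate above 20% needs urgent
    training; a reporting rate below 50% means users do not know the channel."""
    flags = []
    if dept_metrics["click_rate"] > 20:
        flags.append("urgent: click rate above 20%")
    if dept_metrics["report_rate"] < 50:
        flags.append("reporting channel: reporting rate below 50%")
    return flags


def repeat_clickers(rows, min_failures=2):
    """Users who clicked (or submitted) in at least min_failures distinct campaigns."""
    failed = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            failed[r["user"]].add(r["campaign"])
    return sorted(u for u, camps in failed.items() if len(camps) >= min_failures)


def trend(rows, dept, metric="click_rate"):
    """One metric for a department across campaigns, in first-seen order."""
    campaigns = []
    for r in rows:
        if r["campaign"] not in campaigns:
            campaigns.append(r["campaign"])
    out = {}
    for c in campaigns:
        m = campaign_metrics(rows, c)
        if dept in m:
            out[c] = m[dept][metric]
    return out


if __name__ == "__main__":
    for camp in ("Q1", "Q2"):
        for dept, m in campaign_metrics(SAMPLE_ROWS, camp).items():
            print(camp, dept, m, assess(m))
    print("repeat clickers:", repeat_clickers(SAMPLE_ROWS))
    print("finance click-rate trend:", trend(SAMPLE_ROWS, "finance"))
```

On the constructed data, finance goes from a 50% click rate and 25% reporting rate in Q1 to 25% and 75% in Q2, so the reporting-rate flag clears while the click-rate flag remains, and "bob" is the only repeat clicker; that is the kind of department-level trend the management report should show.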

5. Deliver Just-in-Time Training

Immediately after the campaign, send training to users who clicked or submitted credentials. The training should be short (2-5 minutes) and explain what they did wrong, the red flags they missed, and how to spot future attacks. Use the simulation platform's built-in training modules or create custom content. For users who reported the email, send positive reinforcement (e.g., a thank-you note). Track training completion. For repeat offenders, escalate to one-on-one coaching or disciplinary action per policy. For SY0-701, know that just-in-time training is more effective than annual training because it is delivered in context.

6. Reassess and Iterate

Schedule the next simulation after a reasonable interval (e.g., 3 months). Use different templates to avoid pattern recognition. Compare results to previous campaigns to measure improvement. Adjust training content based on common mistakes. If click rates are declining, consider more sophisticated simulations (e.g., spear phishing with context). If reporting rates are low, emphasize the reporting mechanism in training. Document lessons learned and update the security awareness program. For the exam, remember that phishing simulations are a continuous process, not a one-time event.

What This Looks Like on the Job

Scenario 1: Finance Team Falls for Spear Phishing

A SOC analyst at a mid-sized company reviews the quarterly phishing simulation report. The overall click rate is 8%, but the finance department has a 35% click rate on a spear-phishing email that references an invoice from a known vendor. The analyst uses the simulation platform (KnowBe4) to drill down: 12 out of 34 finance employees clicked the link, and 5 entered credentials on the fake login page. The analyst immediately schedules just-in-time training for those 12 users. The training module explains how the email used social engineering (urgency, authority of a vendor relationship) and shows the red flags: the sender domain was slightly misspelled (vend0r.com vs vendor.com). The analyst also escalates to the CFO, who mandates a 30-minute live training for the entire finance team. Next quarter, the finance department's click rate drops to 10%. Common mistake: The analyst might blame the email filter, but the simulation was designed to bypass filters. The correct response is to focus on training, not technical controls.

Scenario 2: High Reporting Rate Reveals Strong Security Culture

A large enterprise runs a simulation where the email claims to be from the CEO asking for urgent gift card purchases. The simulation platform (PhishMe) shows a click rate of 2% — but a reporting rate of 85%. The SOC team notices that several reports came in within 5 minutes of the email being sent. The analyst uses the SIEM to correlate: the reporting button forwards the email to a dedicated mailbox, and the SIEM logs each report. The analyst creates a positive report for management, highlighting the rapid reporting. The security team uses this data to identify which departments have the fastest response times and shares best practices. Common mistake: Some managers might focus only on the 2% click rate and ignore the high reporting rate. The correct interpretation is that the culture is strong — users are suspicious and know how to report.

Scenario 3: Simulation Triggers Real Incident Response

During a simulation, the SOC receives an alert from the email security gateway about a suspicious link in an internal email. The SOC analyst investigates and finds that the link points to a known simulation platform's domain. The analyst checks the simulation schedule and confirms a campaign is active. The analyst documents the event and closes the ticket as a false positive. However, the analyst notices that the simulation email was sent from an external domain that is not whitelisted, causing the gateway to block it for some users. The analyst reports this to the security engineer, who adds the simulation domain to the whitelist to ensure future campaigns are not blocked. Common mistake: The analyst might escalate the alert as a real phishing incident, causing unnecessary panic. The correct response is to verify the simulation schedule first and then address the whitelisting issue.
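The deconfliction check the analyst performs in this scenario (and the SOC communication the kill-switch step in the walk-through calls for), written as a small triage routine. This is an added example, not code from the chapter or from any simulation platform or email gateway; the campaign register, the alerts and the domain sim.example.net are constructed, and the field names are assumptions about what the simulation schedule and the gateway's alert feed export. The check compares the exact hostname of the link and the sender domain against approved campaigns that were active when the email was observed, so a lookalike host containing the simulation domain as a prefix, or a message arriving weeks after the campaign window, is still treated as a potential real phish.

```python
"""SOC deconfliction for phishing-simulation alerts (added example)."""
from datetime import datetime
from urllib.parse import urlparse

# Constructed campaign register: what the SOC consults before escalating.
CAMPAIGNS = [
    {
        "name": "Q1 Password Reset",
        "approved": True,                    # written approval on file
        "sender_domain": "sim.example.net",  # constructed simulation domain
        "landing_domain": "sim.example.net",
        "start": "2025-01-15T09:00:00+00:00",
        "end": "2025-01-17T09:00:00+00:00",
    },
    {
        "name": "Draft Q2 Invoice",          # scheduled, approval not yet signed
        "approved": False,
        "sender_domain": "sim.example.net",
        "landing_domain": "sim.example.net",
        "start": "2025-04-01T09:00:00+00:00",
        "end": "2025-04-03T09:00:00+00:00",
    },
]

# Constructed gateway alerts: link in the email, envelope sender, time observed.
ALERTS = [
    {"url": "https://sim.example.net/track?rid=c0ffee",
     "sender": "it-helpdesk@sim.example.net",
     "observed": "2025-01-15T10:12:00+00:00"},
    # Contains the simulation domain as a prefix, but is a different host.
    {"url": "https://sim.example.net.evil.test/track?rid=c0ffee",
     "sender": "it-helpdesk@sim.example.net.evil.test",
     "observed": "2025-01-15T10:13:00+00:00"},
    # Right domain, but two weeks after the campaign ended.
    {"url": "https://sim.example.net/track?rid=deadbeef",
     "sender": "it-helpdesk@sim.example.net",
     "observed": "2025-02-01T08:00:00+00:00"},
]


def _link_host(url):
    """Exact hostname of the link; an exact comparison (not a substring test)
    keeps 'sim.example.net.evil.test' from matching 'sim.example.net'."""
    return (urlparse(url).hostname or "").lower()


def classify_alert(alert, campaigns):
    """Return ('simulation', campaign name) only when both the link host and the
    sender domain belong to an approved campaign that was active when the email
    was observed; otherwise ('investigate', reason) so the SOC works it as a
    possible real phish."""
    host = _link_host(alert["url"])
    sender_domain = alert["sender"].rsplit("@", 1)[-1].lower()
    observed = datetime.fromisoformat(alert["observed"])
    matches = [c for c in campaigns
               if host == c["landing_domain"] and sender_domain == c["sender_domain"]]
    if not matches:
        return ("investigate", "link or sender domain not registered to any simulation")
    for c in matches:
        start = datetime.fromisoformat(c["start"])
        end = datetime.fromisoformat(c["end"])
        if c["approved"] and start <= observed <= end:
            return ("simulation", c["name"])
    return ("investigate",
            "simulation domain, but no approved campaign was active at that time")


def missing_allowlist(campaigns, gateway_allowlist):
    """Sender domains of approved campaigns that the gateway would still block;
    this is the gap the analyst reports to the security engineer."""
    needed = {c["sender_domain"] for c in campaigns if c["approved"]}
    return sorted(needed - {d.lower() for d in gateway_allowlist})


if __name__ == "__main__":
    for alert in ALERTS:
        print(alert["url"], "->", classify_alert(alert, CAMPAIGNS))
    print("add to gateway allowlist:", missing_allowlist(CAMPAIGNS, []))
```

Only the first alert is closed as a simulation; the lookalike host and the late message both stay open for investigation, and the allowlist check names the sender domain the gateway still needs before the next campaign.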

How SY0-701 Actually Tests This

What SY0-701 Tests on This Objective

Objective 5.6: Explain the importance of security awareness and training. Sub-objectives include:

Phishing simulations (types, metrics, safe implementation)

Role-based training (e.g., developers, executives)

Reporting mechanisms (e.g., report phishing button)

Frequency and continuous improvement

Common Wrong Answers and Why Candidates Choose Them

1. "Implement advanced email filtering" — Candidates see "phishing" and think of technical controls. But the question asks about *measuring* awareness, not preventing attacks. Filtering is a technical control (Objective 3.2), not a training tool.

2. "Conduct a vulnerability scan" — Vulnerability scans find technical weaknesses (missing patches, open ports). They do not measure human behavior. Candidates confuse "vulnerability" with "human vulnerability."

3. "Run a password cracking tool" — This tests password strength, not phishing awareness. Candidates might think testing passwords is similar to testing employee security habits.

4. "Terminate employees who click" — This is punitive and not part of a training program. The exam emphasizes positive reinforcement and training, not punishment.

Specific Terms and Acronyms

Phishing simulation: The exact term used on the exam.

Click rate: Percentage of users who click a link.

Reporting rate: Percentage who report the email.

Just-in-time training: Training delivered immediately after a failed simulation.

Smishing: SMS phishing (may appear in a scenario).

Vishing: Voice phishing.

Spear phishing: Targeted phishing using personal information.

Whaling: Phishing targeting executives.

Common Trick Questions

*Scenario*: An organization wants to test if employees can identify phishing emails. *Answer*: Conduct a phishing simulation. *Trap*: "Send a real phishing email" — wrong because it's unauthorized and dangerous.

*Scenario*: An organization wants to reduce the number of employees who click on phishing links. *Answer*: Combine simulations with training. *Trap*: "Block all phishing emails" — impossible; some will always get through.

*Scenario*: An employee reports a suspicious email. *Best response*: Thank the employee and investigate. *Trap*: Ignore the report because it's probably a simulation.

Decision Rule for Eliminating Wrong Answers

If the question asks about *measuring* or *improving* human security behavior, eliminate any answer that is purely technical (firewall, IDS, email filter, antivirus). Look for answers involving training, simulations, or policy. If the question asks about *safe* simulation, eliminate any answer that involves real malware, real credential harvesting, or unauthorized testing.

Key Takeaways

Phishing simulations are a key component of security awareness training, not a technical control.

The primary metrics are click rate, credential submission rate, and reporting rate.

Simulations must be authorized, safe, and followed by just-in-time training.

Reporting rate is a positive metric; high reporting indicates effective training.

Common simulation types: credential harvesting, malware attachment, spear phishing.

NIST SP 800-53 and CIS Control 17 recommend phishing simulations.

Never use real malware or unauthorized testing in simulations.

Repeat clickers need targeted intervention, not immediate termination.

Phishing simulations measure the effectiveness of security awareness programs.

SY0-701 tests the difference between technical controls and training controls.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Phishing Simulation

Measures human susceptibility to social engineering

Uses fake emails and landing pages

Results in training and awareness metrics

Requires authorization from management and legal

Focuses on people, not technology

Vulnerability Scan

Measures technical weaknesses in systems and software

Uses automated tools to probe ports and services

Results in patching and configuration changes

Requires authorization from system owners

Focuses on technology, not people

Watch Out for These

Mistake

Phishing simulations are the same as penetration tests.

Correct

Penetration tests focus on technical vulnerabilities (network, application), while phishing simulations focus on human behavior. Pen tests may include social engineering, but the primary goal of a simulation is to measure and improve awareness, not to find technical flaws.

Mistake

If users click on a simulation link, they will be fired.

Correct

The purpose of simulations is to train, not punish. Firing employees for clicking undermines the program because users will hide mistakes. Best practice is to provide just-in-time training and escalate only for repeat offenders after multiple interventions.

Mistake

A low click rate means the organization is secure against phishing.

Correct

A low click rate is good, but it does not guarantee security. Attackers use increasingly sophisticated techniques (e.g., spear phishing, vishing) that may not be tested. Also, a single simulation may not represent all attack vectors. Continuous assessment is needed.

Mistake

Simulations should use real malware to be realistic.

Correct

Using real malware is dangerous and illegal. Simulations must use benign payloads (e.g., text files) that cannot cause harm. Realism comes from email content and social engineering, not from malicious code.

Mistake

Only non-technical employees need phishing simulations.

Correct

Technical employees (IT, developers) are often targeted because they have elevated access. They should be included in simulations. In fact, spear phishing often targets IT staff to gain credentials for privileged accounts.

Frequently Asked Questions

What is a phishing simulation?

A phishing simulation is a controlled, authorized attempt by an organization to send fake phishing emails to employees to measure their ability to recognize and avoid phishing attacks. The goal is to identify vulnerable users, provide just-in-time training, and improve overall security awareness. Simulations are a key part of a security awareness program and are recommended by frameworks like NIST SP 800-53 and CIS Controls. For the exam, remember that simulations are a training tool, not a technical control.

What metrics are tracked in a phishing simulation?

Common metrics include click rate (percentage of users who clicked a link), credential submission rate (percentage who entered credentials on a fake page), attachment open rate (percentage who opened an attachment), and reporting rate (percentage who reported the email via the official reporting channel). Time to report is also tracked. For SY0-701, focus on click rate and reporting rate as the most important indicators of awareness program effectiveness.

How often should phishing simulations be conducted?

Best practice is to conduct simulations quarterly, but frequency depends on organizational risk. High-risk industries (finance, healthcare) may run monthly simulations. The key is to vary the templates and use realistic scenarios to avoid pattern recognition. For the exam, know that continuous assessment is more effective than a one-time test. NIST recommends ongoing awareness activities, including periodic simulations.

What should you do if an employee fails a phishing simulation?

Provide just-in-time training immediately after the simulation. Explain what the employee did wrong, the red flags they missed, and how to spot future attacks. For first-time failures, training is sufficient. For repeat failures, escalate to one-on-one coaching or disciplinary action per policy. Never terminate an employee for a single failure. The exam emphasizes training over punishment.

Can phishing simulations be outsourced?

Yes, many organizations use third-party vendors like KnowBe4, PhishMe, or Proofpoint to run simulations. Outsourcing provides expertise, pre-built templates, and reporting. However, the organization must still ensure proper authorization and data privacy. For the exam, know that the responsibility for the program remains with the organization, even if the simulation is outsourced.

What is the difference between phishing simulation and penetration testing?

Phishing simulation focuses specifically on human behavior and awareness. Penetration testing is a broader assessment that may include social engineering (like phishing) but also technical attacks (network, application, physical). The primary goal of a pen test is to find vulnerabilities, while the goal of a simulation is to train users. For SY0-701, they are separate objectives: simulations under 5.6, pen testing under 4.2.

What are the legal considerations for phishing simulations?

Simulations must be authorized in writing by management and legal. Unauthorized simulations could violate computer fraud laws (e.g., CFAA in the US) or employee privacy rights. Also ensure that the simulation does not cause harm (e.g., no real malware). For the exam, any answer suggesting unauthorized testing is incorrect. Safe design and legal approval are mandatory.
