The Problem: False Sense of Security
Many organizations pride themselves on conducting regular phishing awareness campaigns and red teaming exercises. However, there’s a common flaw in how these exercises are executed: they’re not truly realistic.
In phishing campaigns, for example, word often spreads internally before the campaign even begins. Managers, either knowingly or unknowingly, leak information to their teams—warning them to be extra cautious about specific emails. The result? Employees become hyper-aware only during that period, leading to artificially high success rates in avoiding phishing attempts.
Similarly, in red teaming exercises, the Security Operations Center (SOC) is often tipped off beforehand. This allows analysts to be on high alert, making them more diligent in identifying potential threats. While this might seem like a good thing, it creates a false sense of security by overstating the SOC’s actual readiness.
In both cases, the outcomes fail to reflect reality. Instead of accurately assessing an organization’s cybersecurity posture, these exercises turn into performative drills that give senior management a misleading impression of security effectiveness.
Why This is Dangerous
- Employees Learn the Wrong Lesson
  - When staff are warned about phishing campaigns, they only stay alert for that specific period. But real cyberattacks don’t come with a warning. A false sense of preparedness can be dangerous when an actual phishing attempt occurs.
- SOC Readiness is Artificially Inflated
  - If the SOC expects a red team exercise, they behave differently. But real attackers don’t schedule their attacks. If the SOC can’t detect an attack under normal conditions, that highlights a gap in their monitoring and response capabilities.
- Real Attacks are Targeted
  - A real phishing attack won’t hit everyone at once—it might target a specific group or even just one individual (spearphishing). If phishing exercises are broad and predictable, they don’t prepare employees for realistic threats. Attackers often go after high-value targets such as executives, finance teams, or IT administrators, making it crucial to train and test targeted individuals separately.
- False Metrics Lead to Poor Decision-Making
  - Senior management relies on these exercise results to evaluate security maturity. If the numbers are skewed, they may assume everything is secure—leading to underinvestment in critical security areas.
How to Fix This
- Make Phishing Campaigns Truly Unannounced
  - Only a select few should know about an upcoming phishing exercise, and leaks must be discouraged. The goal is to assess employees under normal circumstances, not under artificial alertness.
- Multiple Targeted Phishing Runs
  - Instead of a one-time phishing test affecting everyone at once, organizations should conduct multiple smaller phishing campaigns across different groups.
  - For example, test one person per department per round. This prevents widespread alerts and mimics real-world attacks, which often target a handful of employees instead of an entire company at once.
- Randomize Red Teaming Exercises
  - Red team exercises should be unpredictable. The SOC should not know when an attack simulation will occur. This allows the organization to genuinely measure how well it detects and responds to threats in real time.
- Create a Culture of Realism, Not Performance
  - Security awareness should be ongoing, not something employees “perform” during testing periods. Cyber threats don’t wait for assessments, so neither should security training.
Conclusion
Phishing and red teaming exercises are meant to expose weaknesses—not reinforce a false sense of security. Organizations must shift from performance-based exercises to realistic threat simulations. Only then can they truly understand their cybersecurity posture and make improvements where needed.
Want a stronger security culture? Stop giving people a heads-up.