Phishing Simulations Aren't Enough: The Case for Continuous Behavior Monitoring
Phishing simulations have become the default measure of human risk. Send fake emails, track who clicks, report the number.
Clean. Simple. Dangerously incomplete.
They test one vector, one scenario, at one point in time. Meanwhile, employees make dozens of risky decisions every day that no simulation will ever catch.
The Blind Spot
Simulations measure: can this person spot a fake email?
They don’t measure:
- Public file sharing (“Anyone with the link”)
- Unapproved OAuth apps connected to company data
- Calendars exposing meeting titles, attendees, strategy
- Credentials stored in shared documents
- Personal email used for work files
These happen every day, in every organization, and breach data (Verizon DBIR 2024) puts errors such as misdelivery and misconfiguration alongside phishing among the leading human-driven causes of breaches.
Four Behaviors Nobody Is Testing
1. Public File Sharing
Employee creates a Google Doc. Clicks “Anyone with the link.” Fastest option. Done.
Anyone who obtains that URL can now open the document without signing in, and links leak: forwarded emails, chat exports, browser history, referrer logs. If the sharer picked “Public on the web” instead, search engines can index it as well. No simulation detects either setting.
2. Shadow IT
The average org has hundreds of SaaS apps, many connected by employees without IT approval. Each OAuth grant is a supply chain exposure: a third-party app holding a refresh token for Drive or Gmail keeps that access until someone revokes it, so compromising the vendor is a route to company data that never involves a phishing email.
3. Calendar Exposure
A public calendar reveals your CFO’s “Board Presentation - Q2 Financials” meeting. That’s a social engineering goldmine.
4. Misconfigured Defaults
New employee joins. The admin-set default link-sharing option for Drive is “Anyone in the organization.” Every document they create inherits it and is overshared. Nobody notices.
These aren’t mistakes of knowledge. They’re mistakes of configuration that persist because nobody is watching.
Simulations vs. Continuous Monitoring
| Phishing Simulations | Continuous Monitoring |
|---|---|
| One vector (email) | All SaaS behaviors |
| Quarterly | 24/7 |
| Click rates | Real behavior patterns |
| Can be gamed | Observes actual actions |
| Snapshot | Trend lines |
| Reactive | Proactive |
Employees learn to spot the test, not the threat. Click rates improve because they recognize simulations, not because they’re more vigilant.
Goodhart’s Law: when a measure becomes a target, it ceases to be a good measure.
How Continuous Monitoring Works
1. Observe - Connect to Google Workspace, Microsoft 365, Slack. Monitor file sharing, OAuth apps, calendar exposure, authentication posture.
2. Correct - When a risky behavior is detected, deliver an instant nudge via Slack:
“You shared ‘Q2 Revenue Forecast’ publicly. Your policy requires specific recipients only. Fix it here - 10 seconds.”
3. Reinforce - Follow-up quizzes at spaced intervals, tailored to the specific behavior. Over weeks, the secure path becomes the default path.
Better Metrics
Stop reporting click rates. Start measuring:
- % of files with appropriate access controls
- MFA adoption across all platforms
- Unapproved OAuth apps with company data access
- Time to remediate a flagged behavior
- Trend lines showing improvement over months
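The “Observe” and “Correct” steps above, and the first of the metrics listed here, come down to one piece of logic: read each file’s permission list, rank its exposure, compare it to policy, and turn every violation into a nudge. The following is an added example written for this page, not code from the original post or from any product it describes. The input records mirror the shape of the Google Drive API v3 permissions resource (`type` of user, group, domain or anyone; `role`; and `allowFileDiscovery` on domain and anyone entries), but every file below is constructed sample data; `APPROVED_DOMAIN`, the `sensitivity` label and the `MAX_ALLOWED` policy table are assumptions for the demo.

```python
"""Detect overshared Google Drive files from their permission lists.

Added example (not from the original post). Records mirror the shape of
Drive API v3 permission entries; all data below is constructed. The
APPROVED_DOMAIN, `sensitivity` label and MAX_ALLOWED policy are assumptions.
"""
from dataclasses import dataclass

APPROVED_DOMAIN = "example.com"  # assumption: the organization's primary domain

# Exposure levels, least to most exposed. A file's exposure is the highest
# level among its permission entries.
PRIVATE, EXTERNAL_NAMED, ORG_WIDE, ORG_DISCOVERABLE, LINK, PUBLIC = range(6)
LEVEL_NAME = [
    "owner and named internal recipients",
    "named external recipients",
    "anyone in the organization",
    "anyone in the organization (searchable in Drive)",
    "anyone with the link",
    "public on the web (search-engine indexable)",
]

# Assumed policy: maximum exposure permitted per sensitivity label.
MAX_ALLOWED = {"default": ORG_WIDE, "confidential": EXTERNAL_NAMED}


def classify_permission(perm: dict) -> int:
    """Map one Drive permission entry to an exposure level."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # "Anyone with the link" is type=anyone, allowFileDiscovery=False.
        # Only allowFileDiscovery=True ("public on the web") is indexable.
        return PUBLIC if perm.get("allowFileDiscovery") else LINK
    if ptype == "domain":
        if perm.get("domain", "").lower() != APPROVED_DOMAIN:
            return LINK  # an entire foreign domain: treat as link-equivalent
        return ORG_DISCOVERABLE if perm.get("allowFileDiscovery") else ORG_WIDE
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return PRIVATE if email.endswith("@" + APPROVED_DOMAIN) else EXTERNAL_NAMED
    raise ValueError(f"unknown permission type: {ptype!r}")


def file_exposure(file: dict) -> int:
    """Highest exposure level among a file's permissions."""
    return max((classify_permission(p) for p in file["permissions"]), default=PRIVATE)


@dataclass
class Finding:
    file_id: str
    name: str
    owner: str
    exposure: str
    allowed: str
    nudge: str  # the message the "Correct" step would deliver to the owner


def audit(files: list[dict]) -> tuple[list[Finding], float]:
    """Return files that exceed policy plus the % of files within policy."""
    findings = []
    for f in files:
        level = file_exposure(f)
        limit = MAX_ALLOWED.get(f.get("sensitivity", "default"), MAX_ALLOWED["default"])
        if level > limit:
            findings.append(Finding(
                file_id=f["id"], name=f["name"], owner=f["owner"],
                exposure=LEVEL_NAME[level], allowed=LEVEL_NAME[limit],
                nudge=(f"You shared '{f['name']}' with {LEVEL_NAME[level]}. "
                       f"Policy for this file allows at most {LEVEL_NAME[limit]}. "
                       f"Fix it here: https://drive.google.com/open?id={f['id']}"),
            ))
    compliant_pct = 100.0 * (len(files) - len(findings)) / len(files) if files else 100.0
    return findings, compliant_pct


# Constructed sample data shaped like Drive API responses (not real files).
SAMPLE_FILES = [
    {"id": "f-001", "name": "Q2 Revenue Forecast", "owner": "alice@example.com",
     "sensitivity": "confidential", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f-002", "name": "Onboarding Checklist", "owner": "hr@example.com",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f-003", "name": "Team Lunch Menu", "owner": "bob@example.com",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
         {"type": "domain", "role": "reader", "domain": "example.com",
          "allowFileDiscovery": False}]},
    {"id": "f-004", "name": "Acme Contract Draft", "owner": "legal@example.com",
     "sensitivity": "confidential", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "legal@example.com"},
         {"type": "user", "role": "commenter", "emailAddress": "counsel@acme.example"}]},
    {"id": "f-005", "name": "Board Deck - Q2 Financials", "owner": "cfo@example.com",
     "sensitivity": "confidential", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
         {"type": "domain", "role": "reader", "domain": "example.com",
          "allowFileDiscovery": False}]},
]

if __name__ == "__main__":
    found, pct = audit(SAMPLE_FILES)
    for fnd in found:
        print(f"[{fnd.file_id}] to {fnd.owner}: {fnd.nudge}")
    print(f"files within policy: {pct:.0f}%")
```

Three of the five sample files are flagged: the link-shared forecast and the publicly discoverable checklist are the obvious cases, but the board deck is the one the post’s “Misconfigured Defaults” section is about: it was never shared deliberately, it simply inherited the org-wide default, and only a per-label policy catches it. Run against a real tenant, the same `audit` output feeds the nudge channel and, tracked over time, becomes the “% of files with appropriate access controls” and “time to remediate” metrics.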
Bottom Line
Phishing simulations ask: “would this person click a link?”
The real question: “what is this person doing right now that could cause a breach?”
The answer is in their sharing settings, their OAuth permissions, their calendar. Not in a fake email.
Simulations are a starting point. Continuous monitoring completes the picture.
Sources: Verizon DBIR 2024 · Gartner Human Risk Management · UChicago - Training Gaps