Why Phishing Simulations Are Failing Your Team in 2026


Most organizations run phishing simulations a few times a year and feel reassured when pass rates look good. But new research from ISACA and findings from Gartner’s March 2026 Security and Risk Management Summit in Sydney paint a more troubling picture: the simulations themselves may be the problem. Outdated templates, unrealistic scenarios, and a compliance-first mindset are leaving employees underprepared for the attacks actually being launched against them today.

A Wake-Up Call from the World’s Leading IT Governance Association

In a 2026 industry brief, ISACA issued a frank critique of how most organizations approach phishing tests. The core problem is template staleness. Many security teams are still deploying simulations built around decade-old attack patterns, complete with obvious grammatical errors and generic sender names. When employees spot these easily, organizations celebrate. But real attackers stopped sending those emails years ago.

Contemporary phishing campaigns are AI-enhanced, industry-specific, and delivered across multiple channels. WhatsApp, SMS, LinkedIn messages, and fake CAPTCHA pages are now standard delivery vectors. ISACA notes that WhatsApp alone sees 150 billion messages exchanged daily, making it a rich and largely unmonitored channel for social engineering. Phishing tests that only arrive by email no longer reflect the actual attack surface your employees navigate every day.

Employees Are Already Working Around the Controls You Rely On

The problem runs deeper than simulation quality. Gartner researchers presenting at the March 2026 Sydney summit revealed that 41% of employees intentionally bypass cybersecurity controls, not because they are reckless, but because the controls get in the way of getting work done. Gartner described human conduct as “the greatest and most neglected opportunity to reduce cyber risk in any organization.”

This creates a difficult reality for security teams. You can train employees to recognize phishing emails while simultaneously having a workforce that circumvents the technical defenses designed to catch the attacks they miss. Without addressing the underlying behavioral gap, high simulation pass rates may be measuring something that does not translate to real-world resilience.

What Better Phishing Simulations Actually Look Like

ISACA’s guidance for 2026 offers a clear direction. Templates need to mirror current criminal tactics, tailored to your industry and local context. A logistics company should test employees with fake shipping notification lures. A financial firm should simulate credential-harvesting emails that look like routine requests from a familiar regulator. Scenarios that feel plausible and specific teach employees something useful. Scenarios that feel like obvious tests teach them nothing.

Timing and format should also shift. Real attackers do not send everyone in a company the same email on the same Tuesday morning. Replacing periodic batch campaigns with staggered, ongoing simulations more accurately mirrors actual adversarial behavior and keeps preparedness from fading between test cycles.

Perhaps most importantly, ISACA explicitly recommends eliminating punitive responses to failed tests. Employees who fear embarrassment or discipline are far less likely to report suspicious activity they are uncertain about. That reporting behavior is exactly what you need most when a real attack arrives.

Connecting Simulations to Lasting Behavior Change

Effective phishing testing should be embedded within a security awareness training program that builds skills continuously rather than once a year. Organizations using adaptive, ongoing training approaches see dramatically better outcomes. One industry study found that employees enrolled in behavior-focused training reduced malicious clicks by 87% over six months and improved suspicious-email reporting by a factor of six.

It is also worth asking what your simulation data is actually telling you. High pass rates on easy tests are not a meaningful signal. The more useful insight comes from connecting results to your human risk management framework, accounting for behavior patterns, role-based exposure, and access level rather than treating a single click as the only variable that matters.
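As an added illustration (not from the article, ISACA, or Gartner), the following Python scores simulation results by role exposure and access level instead of by raw pass rate, and shows two constructed cohorts with identical 80% pass rates but very different weighted risk. The role-exposure weights, the 1-to-3 access scale, and the discount for reporting a click are all assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class SimEvent:
    user: str
    role: str        # key into ROLE_EXPOSURE
    access: int      # 1 standard, 2 elevated, 3 privileged (assumed scale)
    clicked: bool
    reported: bool

# Assumed role-exposure weights; a real program derives these from its
# own human-risk framework rather than hard-coding them.
ROLE_EXPOSURE = {"finance": 3.0, "executive": 3.0, "it": 2.0, "sales": 1.5, "support": 1.0}

def pass_rate(events):
    """Headline metric most programs report: share of users who did not click."""
    return 1.0 - sum(e.clicked for e in events) / len(events)

def report_rate(events):
    """Share of users who reported the lure, clicked or not."""
    return sum(e.reported for e in events) / len(events)

def event_risk(e):
    """A click costs exposure * access; reporting afterwards cuts the residual risk."""
    if not e.clicked:
        return 0.0
    risk = ROLE_EXPOSURE.get(e.role, 1.0) * e.access
    return risk * 0.25 if e.reported else risk

def weighted_risk(events):
    """Mean per-user risk, so cohorts of different sizes are comparable."""
    return sum(event_risk(e) for e in events) / len(events)

def risk_by_role(events):
    """Breakdown that shows where the exploitable risk actually sits."""
    by_role = defaultdict(list)
    for e in events:
        by_role[e.role].append(e)
    return {role: weighted_risk(evs) for role, evs in by_role.items()}

# Constructed sample data: both cohorts show the same 80% pass rate.
COHORT_A = [SimEvent("a1", "support", 1, True, False), SimEvent("a2", "support", 1, False, True),
            SimEvent("a3", "sales", 1, False, True), SimEvent("a4", "it", 2, False, False),
            SimEvent("a5", "finance", 3, False, True)]
COHORT_B = [SimEvent("b1", "finance", 3, True, False), SimEvent("b2", "support", 1, False, False),
            SimEvent("b3", "sales", 1, False, False), SimEvent("b4", "it", 2, False, False),
            SimEvent("b5", "executive", 3, False, True)]
```

Cohort B's single click sits on a privileged finance user who did not report it, which the pass rate hides entirely and the weighted score surfaces immediately.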

Organizations that will build genuine cyber resilience in 2026 are those treating phishing simulations as a diagnostic tool for understanding where human behavior creates exploitable risk, not a box to check before the next audit.
