Cyber Security Simulation Training: How it Works + Best Practices

This guide will walk you through the most pervasive attack techniques currently being used so that you can incorporate them into your cyber security simulation training.

Post hero image

Table of contents

See Hoxhunt in action
Drastically improve your security awareness & phishing training metrics while automating the training lifecycle.
Get a Demo
Updated
October 18, 2024
Written by
Maxime Cartier
Fact checked by

Employees present one of the most significant risks to the cybersecurity of any business.

Human errors can (and very often do) lead to severe data breaches - losing organizations millions.

And phishing and social engineering remain the number one cause for malicious breaches in organizations.

New attack types are always emerging...

Whether its attackers sending fake emails and cloning official login web pages or combining modified files with regular zipped files to trick users.

But to stop attacks when they arrive in their inboxes, employees need knowledge and practice.

To train your employees on threats, you need to send them attack simulations.

Once they start recognizing simulated attacks, they will start recognizing real-life malicious threats too.

Creating a human firewall is one of the most impactful ways to lower your human risk.

But where do you start when you want to make simulations part of your cybersecurity training?

What type of attack simulations should you create?

And how can your security team build the best attack simulations for cybersecurity training?

This guide will walk you through the most pervasive attack techniques currently being used so that you can incorporate them into your training exercises and simulated attacks.

How does cyber security simulation training work?

Cyber security simulation training uses fake phishing emails to test and train employees on how to identify and respond to real phishing attempts.

Customized phishing simulation emails designed to mimic real-world scenarios are sent to employees (without prior notice).

You can then monitor employees' interaction with these emails - who opens them, clicks on links, downloads attachments, or reports them as suspicious.

Employees who miss simulated phishing emails can then receive feedback and education on how to spot phishing attempts...

And the results of your simulations can be used to report on your organization's cybersecurity posture and address vulnerabilities. 

Ideally, simulations would be used regularly to maintain vigilance and adapt to new phishing tactics.

Awareness-based training doesn't reduce risk

Want to measurably reduce cyber risk?

Then you'll need to move beyond traditional, compliance-driven security awareness training.

To reducing risk, you need to change your employees habits.

And to achieve this, you'll need to provide hands-on experience spotting and reporting threats.

Cybersecurity simulation training gives you the ability to test employees in a controlled environment and give them a real feel for what real threats look like.

Just drilling best practices into employees won't form habits...

But regular practice identifying a wide range of simulated attacks will have real, tangible impact on how employees behave.

11 types of attacks to use in your cyber security simulation training

Around one-third of all data breaches involve phishing.

And around 75% of the business worldwide experience a phishing attacks each year.

Employees within your organization access business-critical information, client data, financial information, and other confidential data every day...

And so when cybercriminals steal employees' information, such as login details and account passwords, things can turn ugly.

so whether your employees work remotely or in a hybrid office, you'll need to make sure your anti-phishing training covers the cybersecurity threats below to protect your organization against all eventualities 👇

1. Domain Spoofing

What is it?

Domain spoofing is a tactic used by cybercriminals to manipulate email recipients into believing that a message is from a legitimate sender or organization.

Domain spoofing is one of the most common types of phishing attacks.

More than 96% of companies suffer from various types of domain spoofing.

Bad actors will forge email addresses to mimic a trusted domain, often that of a well-known company, government agency, or financial institution.

Domain spoofing can be classified into:

  • Email spoofing: This is when cybercriminals send emails using false domain names appearing legitimate.
  • Website spoofing: They may also set up websites that look authentic by using attractive visual designs, branding, logos, and styling.

These emails and websites will usually ask users to enter their personal information, such as company login ID, passwords or credit card details.

Here what the domain spoofing process looks like 👇

  1. Trusted domain targeted: Attackers identify a target domain that is widely recognized and trusted by the intended recipients.
  2. Spoofed email created: Emails are then crafted to appears as if they are from the target domain. This involves spoofing the sender's email address to make it look authentic.
  3. Malicious attachments or link added: The spoofed email will likely prompt the recipient to take action, such as clicking on a malicious link, downloading an infected attachment, or providing sensitive information.
Domain spoofing example.webp
Source: Securelist

What should your training cover?

Besides implementing cybersecurity, such as sender policy framework (SPF), DomainKeys IdentifiedMail (DKIM) etc, you'll need must train employees to identify and prevent spoofing attacks.

Recognizing spoofed emails: Your training program should teach employees how to spot the signs of domain spoofing in emails (things like discrepancies in sender email addresses, spelling and grammar errors, requests for sensitive information, or urgent calls to action).

Verifying sender identities: Employees can be trained to verify the authenticity of sender identities and scrutinizing the content of emails for signs of phishing or impersonation. An effective training programs will provide guidance on how to perform these verification checks effectively and accurately.

2. Spear Phishing

What is it?

Spear phishing is a targeted form of attack in which malicious actors tailor their phishing attempts to specific individuals or organizations.

Around 50% of large organizations are targeted with spear phishing every year, receiving an average of five spear-phishing emails per day.

Unlike your traditional phishing threat that casts a wide net, spear phishing involves careful research and customization to maximize the likelihood of success.

At its core, these attacks rely on social engineering tactics to manipulate recipients into taking a desired action, such as clicking on a malicious link, downloading malware-infected attachments, or divulging sensitive information.

Spear phishing attacks use targeted open-source intelligence (OSINT) to gain unauthorized access to organization information via the website and social media.

Hackers will perform extensive social engineering to steal financial information and other sensitive data from the target employees.

Then, they'll target the employees using real names and job designations, so that the email looks like its from a legitimate sender.

The attackers access your social media accounts to get their real name, email ID, hometown, and other visited locations.

Once the attackers have all these personal details, they disguise themselves as acquaintances of the targets, such as co-workers and friends, to lure them into sharing sensitive information.

Note: This is why employees with an in-depth understanding of cyber security don’t tend share their login details within and outside the office.

Spear phishing.webp
Source: Norton

What should your training cover?

To protect you're organization from spear phishing, you'll need to implement robust email security protocols, such as multi-factor authentication (MFA) and email authentication mechanisms like Domain-based Message Authentication, Reporting and Conformance (DMARC).

And when it comes to your training content, it'll need to have include the following...

Knowing the red flags of spear phishing: Spear phishing attacks can sometimes be hard to detect. However, employees can still identify phishing attempts by things like unexpected requests for sensitive data or suspicious-looking links.

Scrutinizing sender email addresses: Employees should be taught to use additional verification methods when an email looks off, such as contacting the purported sender through a known, trusted channel.

3. CEO Fraud

What is it?

As the name suggests, CEO fraud is when hackers impersonate the CEO of an organization to send an email to the new and low-level employees to trick them into sharing their personal information and company login details.

CEO fraud typically begins with reconnaissance, where cybercriminals gather information about your organization and its key personnel.

This may involve researching company websites, social media profiles, and public records to identify potential targets and gather details about organizational structure, key decision-makers, and internal processes.

Armed with this information, attackers then create highly personalized emails designed to mimic legitimate communications from the CEO or other executives.

These emails often exploit a sense of urgency or authority, urging recipients to take immediate action, such as wiring funds to a specified account or providing sensitive financial information.

For instance, the 'CEO' might ask the employee to pay for the vendor or supplier invoice attached in the email using new account details.

According to the UK Finance report, CEO Fraud is among the top eight types of fraud that target the organizations - targeting at least 400 firms per day.

CEO fraud.webp
Source: IT Governance USA

What should your training cover?

Basic phishing email identification: CEO fraud emails will have the same tell-tale signs as any other kind of phishing attack. However, you'll want to make sure your training emphasises that employees should be vigilant no matter who an email is from - even if its their CEO.

Verifying requests: Training should emphasize the importance of verifying requests for financial transactions or sensitive information, particularly when they come from high-ranking executives.

4. Whaling

What is it?

Whaling is a form of spear phishing in which cybercriminals specifically target the organization's executives and high-level employees known was “whales”.

Whaling phishing attacks are generally characterized by their sophistication, customization, and attention to detail.

Since the targets are usually more aware and trained against social engineering attacks, cybercriminals use methods that are tailored to the victim, often referencing to accurate details about the business.

Successful whaling attacks are especially dangerous as top executives often have greater access to company data, intellectual property and financial systems.

Whaling attacks can take various forms, depending on the attacker's objectives and the level of sophistication employed. Some common examples include:

  • Fake invoice scams: Attackers impersonate a company executive or vendor and request urgent payment for fictitious invoices or business expenses.
  • CEO impersonation: CEO fraud (covered above) is actually a type of whaling.
  • Credential theft: Attackers trick executives into disclosing their login credentials or other sensitive information by sending phishing emails disguised as urgent requests for password resets, account verification, or security updates.
Whaling.webp
Source: ResearchGate

What should your training cover?

Any training you implement should provide training specifically for high-level employees and offer some sort of customization to tailor content to specific roles.

Executive awareness: You'll need to make sure executives and top-level employees are aware of these attacks in the first place - training programs should specifically target executives and high-level decision-makers to raise awareness about the prevalence and potential impact of whaling attacks.

Trust-but-verify culture: Effective training will instil a verification procedures for high-risk transactions or requests initiated via email. For example, teams might double-check with the CXOs if they have sent an email requiring an online transaction or funds transfer from the employees.

Role-based training sessions: Tailoring cybersecurity training programs to the specific roles and responsibilities of your employees is essential for mitigating targeted cyber threats like whaling attacks. Executives may receive training on the risks associated with whaling attacks while finance and accounting staff may receive training on identifying fraudulent payment requests and verifying the authenticity of financial transactions.

5. Vishing

What is it?

Vishing (short for “voice phishing”) is an attack in which hackers trick employees into sharing confidential information over the phone.

Similar to traditional phishing scams conducted via email, vishing relies on social engineering techniques to manipulate victims and exploit their trust.

Vishing attackers usually pose as bank personnel to verify the account information and conduct a transaction.

They might also impersonates an employee from the Internal Revenue Service (IRS) to validate the tax returns by requiring access to the Social Security number.

Below are a few of the tactics that attackers might use:

  • Caller ID spoofing: Vishing perpetrators often use caller ID spoofing techniques to mask their true identity and make their calls appear to originate from legitimate sources - often by displaying familiar or official phone numbers on the recipient's caller ID.
  • Urgency and threats: Vishing scams rely on creating a sense of urgency or fear to prompt victims into immediate action. Callers may claim that the victim's account has been compromised, that suspicious activity has been detected, or that legal consequences will ensue unless immediate action is taken.
  • Social engineering tactics: Social engineering is often used to build rapport with targets and establish credibility. Attackers may employ persuasive language, authoritative tones, or insider knowledge to gain the victim's trust and credibility.

What should your training cover?

If you train employees on vishing, they’ll be able to verify the sender by evaluating the caller number - these numbers are usually different from the regular ones with unusual country codes. Here are few extra factors to consider...

Critical thinking skills: Training should encourage employees to adopt a skeptical mindset when receiving unexpected or unsolicited calls. Employees can then be trained to question the validity of requests for sensitive information, especially when the caller exhibits coercive or manipulative behavior.

Security policies for phone calls: You may want to ensure your training reinforces any security policies and procedures related to handling sensitive information over the phone (e.g. never sharing passwords or account details over the phone and reporting suspicious calls).

Simulated vishing exercisesWhilst you'll need simulations for all of the attacks in this list, this can be particularly useful for protecting against vishing since employees will be able to get hands-on experience with these calls - which are harder to get a feel for without direct simulation.

‍6. Smishing

What is it?

Smishing is a technique that involves the use of text messages to deceive individuals into divulging sensitive information, clicking on malicious links, or downloading malicious software onto their devices.

In this kind of  phishing attack, perpetrators will typically send fraudulent text messages to large numbers of recipients, posing as legitimate entities such as banks, government agencies, or well-known companies.

These messages often contain urgent prompts, like warnings of account suspension or requests for verification of personal details.

The text message will usually contain a link to a website URL which seems accurate...

But clicking the link then installs malware automatically in the background on the user’s device.

Smishing.webp
Source: Secure World

What should your training cover?

Whilst there are steps you can ask employees to take such as enabling spam filters, training is absolutely vital, since there's not much an organization can do to police its employees' personal devices.

Recognizing warning signs: Employees well-trained in cybersecurity awareness will be able to distinguish between real and fake URLs by reviewing things like the prefixes, sender number, and text message content.

Skeptical mindset: Promoting skepticism and encouraging users to verify the authenticity of messages through independent means will help prevent successful smishing attacks.

Best practices for mobile use: Your training program should best practices for securely managing text messages and responding to suspicious or phishing attempts. This might include things like avoiding clicking on links or downloading attachments from unknown sources, refraining from disclosing sensitive information via text message, and reporting suspected smishing attempts to your security or IT team.

Simulated exercises: Some cybersecurity training programs (like Hoxhunt) incorporate smishing into their simulated attacks to give employees a feel for identifying and responding to potential threats.

‍7. Angler Phishing

What is it?

Angler phishing is a sophisticated form of attack that aims to trick individuals into divulging sensitive information or performing unauthorized actions by impersonating trusted entities or organizations.

In angler phishing attacks, perpetrators exploit social engineering techniques to manipulate victims into believing that they are interacting with legitimate sources.

Hackers will send direct messages or notifications on social media platforms to the users asking them to take action.

For instance, attackers usually impersonate customer service social media accounts to reach out to potential targets and consumers.

Hackers are getting smarter...

Once a consumer posts a complaint about a company, the attackers get the alerts.

So, they can then reach out to them as customer support.

Since they were expecting to hear from someone, often users won't verify the account details and willingly share their personal information.

Angler phishing.webp
Source: IT Governance

What should your training cover?

Ideally your training should also be accompanied by measures such as spam filters, email authentication protocols threat intelligence tools and MFA.

Critical analysis of URLs and links: Your training should teache users how to critically analyze URLs and hyperlinks contained within emails to determine their legitimacy - even when the sender address looks to be safe.

Personalized content for most targeted employees: Angler phishing attacks often target specific individuals within organizations, such as executives, finance personnel, or IT administrators. So, make sure any training you implement makes sure training resources get to those who need it most.

Email security measures: Training should empowers individuals to leverage email security features and tools effectively to mitigate the risk of angler phishing. This may include using email filtering technologies to block malicious messages, configuring spam and phishing detection settings, and implementing email authentication protocols like SPF, DKIM and DMARC.

8. Pharming

What is it?

Pharming is an advanced type of cyberattack that redirects internet traffic from legitimate websites to fraudulent ones without the user's knowledge or consent.

Unlike phishing campaigns, which rely on social engineering, pharming operates at the DNS level, manipulating the resolution process to reroute users to malicious websites.

In a pharming attack, the attackers clones an authentic website and redirects online website traffic from an authentic website to a fake website to steal important personal information.

For example, the hacker can spoof a website that the user regularly visits, such as e-commerce, where they enter their financial information.

This might be done via a fraudulent link sent through email, manipulating search engine results or though hacking the domain’s DNS.

One common technique used in pharming attacks is DNS cache poisoning, where attackers inject false DNS records into the cache of recursive DNS servers.

When users attempt to access a legitimate website, their requests are intercepted and redirected to the malicious site controlled by the attackers.

Another method involves compromising the user's local DNS settings, either through malware or unauthorized modifications, to achieve the same objective of redirecting traffic to fraudulent domains.

What should your training cover?

Pharming may be slightly more sophisticated than typical phishing tactics - but thoroughly trained employees should be able to successfully distinguish a fake website from a real one as long as your training offers the following...

Education on DNS security: Employees will need to be brought up-to-speed on the risks associated with pharming attacks. Users should understand how DNS works, the potential vulnerabilities in the DNS infrastructure, and the techniques used by attackers to manipulate DNS resolution.

Detecting of suspicious redirects: Training should teach employees how to recognize signs of a pharming attack, such as unexpected website redirects or warnings from web browsers about invalid security certificates.

Verifying website authenticity: Employees should also be trained to verify the authenticity of websites before entering sensitive information. This may include things like checking for secure HTTPS connections, examining SSL/TLS certificates for validity, and comparing domain names and URLs to ensure they match the expected destination.

‍9. Pop-up Phishing

What is it?

Pop-up phishing tricks users into divulging sensitive information or installing malicious software through pop-up windows that appear on their screens while browsing the internet.

Why would someone click on a phishing pop-up?

Well, these pop-up windows often masquerade as legitimate alerts, warnings, or notifications, aiming to create a sense of urgency or fear to prompt users to take action hastily.

In a pop-up phishing attack, the hackers implant a malicious code in the pop-up or prompt windows that appear on the websites on the browser.

As a result, when a person clicks on the pop-up window, it installs malware on the computer or laptop.

The malware or the virus further spreads via the network to disrupt the daily operations, corrupt the critical information, damage, or delete it.

Pop-ups can also be used to collect credentials by imitating a login screen.

Pop-up phishing.webp
Source: Office of Information Security Washington

What should your training cover?

Whilst there are steps you can take to protect employees devices, a strong human firewall is going to be your first line of defence against these kinds of attacks.

Use of ad blockers: Employees should be encouraged to install and enable ad-blocking software or browser extensions to prevent malicious pop-up advertisements from appearing while browsing the internet.

Secure browsing practices: Training should cover best practices for safe browsing habits, such as avoiding clicking on suspicious links or advertisements, verifying website URLs before entering sensitive information, and being cautious when interacting with pop-up windows, especially those that request personal or financial details.

10. Clone Phishing

What is it?

Clone phishing is when hackers take an existing email template and turn it into a malicious email by making small tweaks.

As the name suggests, clone phishing attacks use original email sent from a trusted source and then makes subtle changes to it such as replacing genuine links or attachments with malicious links or attachments.

Once the user clicks on these, a virus or the malware installs on the receiver’s computer or credentials or an attempt to harvest the receivers credentials is launched.

Clone phishing emails are usually sent from an address that impersonates the genuine email address which the user expects from the original source. As a result, the attackers exploit the victims,' trust to trick them into opening the malicious document.

Clone phishing.webp

What should your training cover?

Training plays a crucial role in protecting against clone phishing, since malicious emails can look just like the real thing.

Spotting cloned websites: Since cloning attacks can look very similar to legitimate emails, training should teach employees how to identify cloned websites by examining the URL, looking for inconsistencies or discrepancies, and verifying the legitimacy of the site.

Avoiding suspicious links: Similarly to most other types of phishing, employees need to be trained to avoid clicking on links or downloading attachments from suspicious emails.

11. Invoice Fraud

What is it?

Invoice fraud occurs when a scammer sends a fake invoice or alters legitimate invoices to deceive a company into making payments to the wrong account.

Invoice fraud is very common...

And can also be difficult to detect.

Invoice phishing attacks will usually (for businesses at least) claim to come from a service provider.

Attackers will even change their domain address to make the email seem legitimate.

Invoice fraud.webp

How to set up your simulation training program: best practices.

Ask yourself what the goal of your training is

To start with, think about what you want to achieve with building simulated phishing attacks.

  • What are your KPIs?
  • What types of threats is your organization exposed to?
  • How do you plan to test your employees?
  • What kind of simulation will you send out?
  • When will you send it out?
  • Perhaps it would be good to communicate to your employees that they might be tested every now and then?
  • Should you tell them how to deal with these attacks?

Use a wide variety of simulations

The types of cyber attack simulations you use can be tailored to your organization's specific needs.

Do employees often download malicious attachments?

Then you may want to send out simulated attacks with attachments.

Are employees clicking malicious links repeatedly?

Add a URL to the vector.

You can even combine the different types of attacks (such as the two examples above) to train your employees for every possible scenario.

It's also worth thinking about simulating more persistent cyber threats.

In real-life, malicious actors might send multiple follow-up vectors to add a greater sense of urgency and perceived credibility.

So you could also simulate these follow-ups to give employees a feel for these kinds of real-world attacks.

Keep phishing simulation campaign up-to-date

The threat landscape is constantly changing.

Attackers are always coming up with new types of phishing attacks to get around organizations' defenses.

The more sophisticated attacks become, the harder they are to spot.

You'll need to make sure that employees are up to date with the latest attack threats...

And that modern phishing emails can be fairly hard to identify.

Ensure phishing simulations are frequent

Practice makes perfect.

The more practice employees get, the better they'll be able to spot suspicious emails.

Generally speaking, your failure rate will improve with more frequent training...

One or two cyber attack simulations per year probably aren't going to cut it.

Our Hoxhunt Challenge study tested over 600,000 employees across 125 counties using simulated QR phishing codes (both via email and physical fliers)...

We found that a longer-term training approach improves performance over time.

Those who participated over a period of 18 months scored better than those who had only trained for a short amount of time.

And employees with more training experience reported the suspicious QR code 3x more than employees new to the training.

Hoxhunt simulation outcomes.webp

With time, continuous practice will lead to behavior change.

Which means employees will be able to spot and report actual attacks.  

Our data here at Hoxhunt shows that testing users at least a few times a month without interrupting their workflow is the most effective cadence to change behavior.

Give constructive feedback and use positive reinforcement

However your employees perform in simulated cyberattacks, it’s absolutely critical that they receive feedback.

First off, you need to let them know that this was a training scenario and not an actual phishing attack.

Then, include short pointers on what employees should pay attention to when they receive emails.

Criticizing employees doesn't work.

You should always use positive reinforcement and reward systems in your feedback if you want to boost motivation and engagement.

Implement adaptive phishing training to drive behavior change

Cybersecurity simulation training works best when it's tailored to employees' specific performance and current skill level.

Under this model, employees receive simulated cyberattacks tailored to their specific roles, past behaviors, and known vulnerabilities.

Employees in finance might receive phishing emails related to invoice fraud...

While executives might be targeted with spear-phishing attempts.

To effectively change behavior and lower potential risks, employees need to be engaged.

This is why a one-size-fits-all approach to security awareness training just doesn't work.

Here at Hoxhunt, our training also uses personalized learning paths.

If an employee fails simulations, they'll be sent easier phishing threats to identify.

Then, once their confidence and motivation increases, they can be sent more difficult simulations.

Hoxhunt learning paths

Elements to consider adding to your attack simulations.

To make the simulated attacks look realistic, consider including techniques that attackers also use.

Think like a real attacker

Your simulations must look like real-life attacks. Think of how an attacker would try to scam your employees and try to simulate that.

Use psychological triggers in your simulations

There are several emotions that scammers use to trigger employees to make the wrong decision.

Oftentimes they relate to greed, curiosity, urgency, fear, or helpfulness.

You can imagine receiving an email with any of these triggers could be quite challenging to ignore.

The goal is for your employees to stay rational with every email they receive, no matter what the psychological triggers are.

Take into consideration the difficulty level

This comes down to adapting the difficulty level to your employees’ progress, so that they will gradually advance and stay motivated to spot and report threats.

Very advanced attacks and constantly failing from the start can discourage your employees.

And you don’t want them to become inactive.

Use of call-to-actions (CTAs) in emails

Evidently, real attackers want your employees to click or do something harmful.

To achieve that they use CTAs like “click here”, “sign in”, and “activate account” that will redirect users to malicious downloads or landing pages.

The context of your simulation is very important

If the email is completely out of context (service email from a bank they do not even use), it will be much easier for employees to spot.

Make sure you use relevant content for each employee because that’s how most real tailored attacks work as well.

The design of the email

If you opt for an HTML template, you can make realistic looking copies of service emails including logos and other design features.

The more realistic it looks, the more difficult it will be to spot for your employees. A simple plain-text message can also be highly effective.

Personalization

When you personalize the email with simple things like your employee’s first name it already becomes much more challenging for them to identify it as a simulation.

More than ever can attackers personalize their emails with everyone’s life publicly available on social media.

So at Hoxhunt, we automatically personalize every simulation to each individual based on their role, department, location, language, colleagues, and technical solutions they use.

Impersonation

Impersonation is one technique that scammers use consistently.

If your colleague sends you an email, what harm can it do? Of course, in cybersecurity we know that this might be a business email compromise.

But imagine receiving an urgent email from your “CEO” with all of the above elements? That’s difficult to detect for anyone.

Timing

Timing can play an important role in why employees may fail a simulated attack.

If they are in a rush or in a stressful situation, employees may have their guards down.

You want your employees to recognize attacks at any time.

What metrics should you be measuring?

If your simulation training is focussed on behavior change (which ideally it should be) - the reporting rate is your most important metric.

This metric tells you how many people actually engaged with training.

A quality reporting process is 100% mandatory.

The more user-friendly and simple your reporting process is, the lower barrier is for reporting phishing emails.

When employees are reporting simulated threats, you know that they are engaged, learning, and acquiring the knowledge and skills needed to spot potential attacks.

If employees aren't reporting simulations, you won’t know whether they identified the threat, or even noticed it at all.

Average simulation reporting rate per employee

The aim here is going to be for high engagement. When employees (correctly) report simulated attacks, you'll be able to start collecting data on their progress. You'll need to engage all employees, not just those who previously failed a test.

The average simulation reporting rate will tell you how many people have engaged with training.

This will give you an idea of how likely employees are to make an error or fall for an attack.

At Hoxhunt, we advise our clients to aim for at least an average 70% reporting rate.

With people-first training, everyone will continue to be trained, regardless of whether or not they’ve failed a simulation.

This means that the reporting rate gives you a good indicator of the strength of your entire human firewall - not just the weakest links.

The real threat reporting rate

Tracking and improving your real threat reporting rate will ensure employees can catch attacks before an incident can cause harm.

The end goal of any training should be to teach people to recognize and report cyber threats.

Your real threat reporting rate is essentially a measure of how effective your training actually is...

Does it help employees identify real-world phishing attacks?

There is no greater proof that a training program is working than an improvement in real reported threats.

Boosting this metric is how you prevent real breaches and gather data on the attacks that get through your email filters.

Motivating employees to spot and report threats will

A) Reduce the chance of successful attacks

B) Lower recovery costs if an attack is successful (because even successful attacks should still be getting caught sooner)

C) Give you an insight into attacker behaviors, techniques, and tactics - which you can then feed back into your training

Dwell time

Reducing your dwell time will directly impact containment and mitigation of potential security breaches.

Dwell time is the period between a threat entering your network and it being reported by an employee.

Dwell time is not measured by most platforms - only in a few adaptive phishing training platforms (like Hoxhunt).

Why does dwell time matter? Well, it introduces a measurement of speed.

And when it comes to preventing damage from real phishing threats, speed is everything.

The quicker you can catch an attack, the less damage it can do.

Hoxhunt training outcomes

Here are some of the outcomes organizations using Hoxhunt tend to see 👆

What about failure rate?

Failure rate is what most training solutions are based around.

And many organizations heavily rely on it.

The failure rate is simply the percentage of employees who fail to recognize or report  cyber attack simulations.

However, a low failure rate doesn't necessarily mean your training is effective.

Your failure rate might be impacted by the difficulty level of simulations, the variety of the content, individual points of view, timing and frequency.

You don't need to ditch failure rate completely...

But we would urge you to remember that it doesn't give you the full picture.

Tracking failure rate can be useful. 

But only once your threat reporting and engagement rates are high enough to provide a sizeable data sample.

Failure rate is not the best metric for gauging your success if simulations are infrequent and follow a one-size-fits-all strategy.

It can also be a volatile metric.

It’s easy to artificially inflate failure rates.

Do you want to lower the failure rate? Send out easier cyber attack simulations that even less experienced employees can recognize.

The moment you start sending out more difficult simulations, the failure rate could jump up significantly.

Can you run cyber security simulation training manually?

The short answer is yes... you can absolutely set up a simulated attack program in-house.

But should you?

Running a phishing simulation program manually will require significant manual work from your Security Team.

Ideally, you'd want your phishing simulations to be personalized to employees.

And for organizations with more than 100 employees, this isn't a scalable approach.

Challenges of manual simulations:

  • Scalability: Manual simulations can be time-consuming and difficult to scale, especially for larger organizations.
  • Consistency: Ensuring consistency and realism in phishing emails can be challenging without automation and templates.
  • Latest threats: Keeping up with all of the latest attack types can be a daunting task.
  • Tracking: Manually tracking responses and analyzing data can be cumbersome and prone to errors.
  • Resource intensive: Requires significant time and effort from IT and security staff.

What features should you look for in attack simulation tools?

The following criteria should give you an idea of how to evaluate your options when comparing cybersecurity training simulators.

We'd recommend looking for a human-first phishing training that can tangibly reduce risk in a way you can track and measure.

User experience

As you'd expect employees generally appreciate having their regular workflow interrupted for long periods of time.

Instead of dragging them away from their work, opt for a phishing awareness training solution that will incorporate interactive content into an employee's regular workflow (ideally in 5-7 min chunks).

Personalization

Personalization is absolutely necessary to if you want your employees to feel like training is actually relevant to them.

When shopping around for vendors, be sure to compare how much personalization they offer (start with factors like employee cyber knowledge (IQ), role, department, and language of training content).

Personalized learning paths also make for an effective solution.

If an employee keeps failing simulation exercises, your training should adapt accordingly - sending easier attacks that will gradually increase in difficulty to meet their skill level.

Reporting

If you want to be able to showcase the impact of your training, you'll need a vendor with a robust analytics and reporting engine.

Most vendors will give you the reporting rates of phishing simulations but this usually doesn't give you the full picture.

Using overly simple or difficult simulated phishing attacks will skew your results to one side of the bell curve.

Passing a few tests per year doesn't mean you'll be prepared for more advanced real-world attacks.

Two of the main KPIs in anti-phishing training are:

  • Reporting rates
  • Failure rates

When employees are engaged in training, reporting rates of simulation exercises will increase...

And reporting rates of real-world threats will likely increase too.

Looking at failure rates by vector types will show you exactly where employees may need additional training - and your failure rate over time will tell you how effective your training is.

Behavior change

If you want your training to actually change employees' behavior, continuous reinforcement and repetition will transform your behavior into a habit are the two key drivers of this.

Scaring people into action just doesn't work.

Instead, training should highlight when employees do the right thing or reach their goal with a reward or positive feedback.

If employees are rewarded for reporting simulated phishing attacks, they'll be more likely to report real-world cybersecurity incidents.

This is the what makes regular phishing awareness training successful.

Its also worth thinking about the frequency of training.

Find out the quantity of attack campaigns vendors offer per employee on an annual basis. 

Continuous, on-going training is necessary for changing behavior in any measurable way.

Automation

The level of automation on offer will vary from vendor-to-vendor.

The two most important things you'll want to automate are:

  • Delivery of personalized frequent training
  • Potential threat identification, classification, and escalation

Here at Hoxhunt, many of the organizations we speak to were building their simulations and training content manually before working with us.

If you want your training to be up to date with the latest real-world scenarios, this can get very costly and time consuming.

Choosing a vendor that regularly updates their content and automates the delivery of  simulated attacks will save you a serious amount of manual legwork.

Personalize cyber attack simulations at scale with Hoxhunt

Want to drive tangible results with realistic simulations?

Hoxhunt uses a mix of gamification and AI to automatically assign personalized phishing simulations that dramatically increase engagement and reduce risky behaviors.

Why choose Hoxhunt's phishing simulations?

Personalize phishing simulations at scale with AI

Hoxhunt’s AI engine generates a unique profile for every user and automatically delivers the most relevant phishing simulations based on skill, language, department, and more.

Simulations are crafted by experts in 30+ languages and can be customized to fit your needs.

Maximize phishing engagement with gamification

Hoxhunt rewards users with stars and badges, and a company-wide leaderboard encourages fun competition that dramatically increases engagement.

Train users with instant, bite-sized lessons

Hoxhunt delivers quick, in-the-moment phishing training that affirms good behavior and transforms failures into fun and engaging learning opportunities.

More than just phishing simulations

Hoxhunt identifies what’s working well and where you can improve, so you can focus your efforts and increase the effectiveness of your phishing simulations over time.

  • Quantify your risk with a single number: Our scoring model benchmarks your phishing simulation performance against other organizations.
  • Track phishing simulation metrics over time: Measure the impact of your phishing simulations over time to validate your risk reduction efforts.
  • Identify where to focus your efforts: Categories provide context into what’s working, so you understand where to focus your efforts.
Hoxhunt platform.webp

Cyber security simulation training FAQ

What is cyber security simulation training?

Cybersecurity simulation training simulates real-world incidents like ransomware and phishing attacks.

It provides hands-on training in a controlled environment so that cybersecurity teams can prepare employees for potential cyberattacks.

What are the benefits of cyber security simulation training?

  • It helps develop practical skills, improving an organization’s cyber defense, readiness for incidents and overall security culture.
  • Teams gain deep insights into attack vectors, learn incident response processes, and enhance their cybersecurity posture.
  • Organizations can track and measure how employees respond to realistic scenarios and tweak their training to address any weaknesses.

How does simulation training improve incident response?

By practicing with attack simulators, employees experience real-world incidents in a safe environment and can refine their incident response plans, reducing the risk of reputational damage and business loss from cyberattacks.

What makes Hoxhunt's cyber security simulation training unique?

With Hoxhunt, simulations are easy to prepare, deploy, and scale across your organization.

Assess your vulnerability to common phishing tactics with a variety of simulation templates.

In just a few clicks, you can deliver simulations that are personalized to every employee.

Sources

  • Cybersecurity Simulation Training and its Importance – Security Magazine, January 2023.
  • Best Practices for Phishing Simulations – Cyber Defense Magazine, November 2023.
  • How Cybersecurity Simulations Help Organizations – Infosecurity Magazine, December 2022.
  • Enhancing Phishing Resilience through Simulation – CSO Online, February 2024.
  • Impact of Simulated Cyber Attacks on Employee Behavior – TechTarget, 2023.
  • Benefits of Cybersecurity Simulation Exercises – SANS Institute, October 2023.
  • Want to learn more?
    Be sure to check out these articles recommended by the author:
    Get more cybersecurity insights like this