How often to conduct phishing simulations?

Lïa Desmousseaux de Givré

Lïa Desmousseaux de Givré

When a company implements a new phishing simulation solution, the question often arises: "How often should I conduct phishing simulations?"

The frequency of phishing simulations is a crucial parameter in fighting against phishing. However, some companies do not strategically define it.

Performing an annual simulation is not the wisest choice. However, testing employees every day will likely have a negative impact on their training.

So let's see together how to define the ideal frequency for conducting phishing simulations.

Too Few Simulations Do Not Properly Prepare Your Workforce

A too low frequency of simulations causes several problems in the fight against phishing.

Firstly, new hires may not be trained quickly enough after starting their positions and may represent a vulnerability for your company.

Your new employees are not familiar with your security procedures and have not been trained through your previous campaigns. Therefore, they are more likely to take compromising actions.

Keep in mind that after each hiring period, you should test new hires to assess their practical level in dealing with phishing. It is important to evaluate their vigilance against this threat to determine if a new recruit requires extensive training.

Furthermore, if you do not conduct enough tests, your trained employees will become less vigilant.

Indeed, without recurrence, they will forget good reflexes due to lack of practice.

Ebbinghaus Forgetting Curve

The Ebbinghaus forgetting curve demonstrates the importance of frequent reminders in the memorization process.

The goal is to create lasting automatic responses. The frequency of your simulations should be sufficient to promote the memorization and application of the necessary reflexes in the fight against phishing.

Finally, the less you test your employees, the more complex the deployment process of the test may appear. Selecting the date, time, creating the scenario, contextualizing it, and preparing the accompanying communication for the campaign are simple tasks but can be resource-intensive if not done regularly. This difficulty will unintentionally encourage you to further reduce the frequency of phishing exercises.

By using your phishing training solution more often, you will become more proficient in using your tools. Campaign deployments will be simpler, saving you time and increasing efficiency.

Furthermore, companies that only test their workforce once a year during Cybersecurity Month in October potentially face changes in the threat landscape from one year to another.

Take the example of the Covid-19 pandemic: the digital world - and therefore phishing - has undergone several changes between 2020 and 2021. Phishing attacks from two years ago are different from today's.

By regularly testing your workforce, you update the context and phishing scenarios they encounter, ensuring better training.

Too Many Simulations Can Reduce the Effectiveness of Your Awareness

The more simulations you conduct, the more you train your employees to adopt the right reflexes. However, it's important not to overdo it.

Firstly, there is a resource cost: many requests are sent to the IT support during campaigns. With the increase in remote work, VPN usage, and video conferences, IT services generally have a higher workload than before. Depending on your reporting procedures, too many simulations might flood your IT department with tickets.

Reporting Plugin

At Arsen, the reporting plugin avoids burdening the IT department with phishing simulation campaigns.

Secondly, your employees may develop a level of morale fatigue from repeatedly experiencing phishing tests. This fatigue can lead to disengagement and lack of interest from employees. The risk is that when faced with a real phishing threat, they might perceive it as another test and not take the time to report it or take necessary precautions. Therefore, avoid always relying on the same colleagues to achieve better training results, as you might potentially get the opposite effect.

Finally, it is necessary to constantly innovate tests and scenarios to diversify your workforce's training. Training too often on the same types of scenarios can create overspecialization in threat detection and vulnerability in other scenarios. A too high frequency will inevitably lead to reusing very similar scenarios and introduce this overspecialization.

Hackers do not hesitate to exploit various psychological levers or scenarios to trap their victims. By diversifying these scenarios in your tests, you create versatility in their training and increase their resilience in various situations.

Arsen Catalog

Our phishing scenario catalog allows you to diversify your phishing simulations by offering different options to test your workforce.

The Ideal Frequency for Your Phishing Simulations

The ideal frequency for your phishing exercises depends on the level of sensitivity you desire and the pressure your company faces. If your company is highly exposed to phishing, it is preferable to train your employees more regularly.

Based on the elements mentioned above, the optimal frequency can range from one phishing test per month to one test per week. Remember to vary the groups you want to test, as you should not always train the same employees. Additionally, you have the opportunity to customize exercises based on your targets. Choose more realistic phishing scenarios according to their responsibilities within your company, for example.


In conclusion, for optimal learning, make sure to conduct an appropriate number of tests without neglecting them. Ideally, test the same employee every 4 to 6 weeks. However, a company highly exposed to phishing can increase the frequency to once a week for at-risk employees. Also, remember to vary the contexts of your simulations and the groups you want to test.

By adopting a good simulation frequency, your employees will have an easier time understanding and retaining best practices in the realm of phishing.

Don't miss an article

No spam, ever. We'll never share your email address and you can opt out at any time.