
Phishing Simulations Aren't Enough: 4 Behaviors They'll Never Catch

By Quentin F.

Phishing simulations test one vector quarterly. Real risk hides in daily SaaS behaviors—public files, shadow IT, calendar exposure. Here's what to watch.

Phishing simulations test one attack vector at one point in time. The real risk is in the daily behaviors nobody is monitoring — public file sharing, shadow IT, calendar exposure, and misconfigured defaults that persist because no one is watching.

Phishing simulations have become the default measure of human risk. Send fake emails, track who clicks, report the number.

Clean. Simple. Dangerously incomplete.

They test one vector, one scenario, at one point in time. Meanwhile, employees make dozens of risky decisions every day that no phishing simulation will ever catch.


The Blind Spot

Simulations measure: can this person spot a fake email?

They don’t measure:

  • Public file sharing (“Anyone with the link”)
  • Unapproved OAuth apps connected to company data
  • Calendars exposing meeting titles, attendees, strategy
  • Credentials stored in shared documents
  • Personal email used for work files

These happen every day. Every organization. And they cause more breaches than phishing links — a pattern we explore in detail in why incident response has to start with behavior.


Four Behaviors Nobody Is Testing

1. Public File Sharing

Employee creates a Google Doc. Clicks “Anyone with the link.” Fastest option. Done.

That document is now indexed by search engines. No simulation detects this.

2. Shadow IT

The average org has hundreds of SaaS apps, many connected by employees without IT approval. Each is a supply chain vulnerability — and the kind of exposure that Engarde’s SaaS monitoring is specifically designed to surface.

3. Calendar Exposure

A public calendar reveals your CFO’s “Board Presentation - Q2 Financials” meeting. That’s a social engineering goldmine.

4. Misconfigured Defaults

New employee joins. Drive defaults to “Anyone in the organization.” Every document they create is overshared. Nobody notices.

These aren’t mistakes of knowledge. They’re mistakes of configuration that persist because nobody is watching.


Simulations vs. Continuous Monitoring

Phishing Simulations     Continuous Monitoring
One vector (email)       All SaaS behaviors
Quarterly                24/7
Click rates              Real behavior patterns
Can be gamed             Observes actual actions
Snapshot                 Trend lines
Reactive                 Proactive

Employees learn to spot the test, not the threat. Click rates improve because they recognize simulations, not because they’re more vigilant.

Goodhart’s Law: when a measure becomes a target, it ceases to be a good measure.


How Continuous Monitoring Works

1. Observe — Connect to Google Workspace, Microsoft 365, Slack. Monitor file sharing, OAuth apps, calendar exposure, authentication posture.

2. Correct — When a risky behavior is detected, real-time guidance delivers an instant nudge via Slack:

“You shared ‘Q2 Revenue Forecast’ publicly. Your policy requires specific recipients only. Fix it here — 10 seconds.”

3. Reinforce — Follow-up quizzes at spaced intervals, tailored to the specific behavior. Over weeks, the secure path becomes the default path. This approach is grounded in the knowledge-behavior gap — the distance between what employees know and what they actually do.


Better Metrics

Stop reporting click rates. Start measuring:

  • % of files with appropriate access controls
  • MFA adoption across all platforms
  • Unapproved OAuth apps with company data access
  • Time to remediate a flagged behavior
  • Trend lines showing improvement over months

These are the signals attackers actually care about — and the ones Engarde’s whitepaper “Hacking the Habit” argues should replace traditional training KPIs entirely.
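The observe/correct loop above and the "% of files with appropriate access controls" metric, as an added example that is not Engarde's code: a hypothetical policy check run over constructed records shaped like Google Drive API v3 permission entries, producing a Slack-style nudge per violation and the coverage percentage. The policy rules, sample file names and addresses are assumptions for illustration.

```python
# Constructed sample records in the shape of Google Drive API v3 "permissions"
# (type: user/group/domain/anyone; role: owner/writer/reader). Illustrative only.
SAMPLE_FILES = [
    {"name": "Q2 Revenue Forecast", "permissions": [
        {"type": "user", "emailAddress": "cfo@example.com", "role": "owner"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "Team Lunch Options", "permissions": [
        {"type": "user", "emailAddress": "alice@example.com", "role": "owner"},
        {"type": "domain", "domain": "example.com", "role": "writer"}]},
    {"name": "Hiring Plan", "permissions": [
        {"type": "user", "emailAddress": "bob@example.com", "role": "owner"},
        {"type": "user", "emailAddress": "carol@example.com", "role": "reader"}]},
]


def evaluate(file):
    """Hypothetical policy: no 'anyone with the link'; domain-wide sharing is
    allowed only as reader. Returns a list of (severity, reason) findings."""
    findings = []
    for p in file["permissions"]:
        if p["type"] == "anyone":
            findings.append(("high", "shared with anyone who has the link"))
        elif p["type"] == "domain" and p["role"] != "reader":
            findings.append(("medium", f"editable by everyone in {p['domain']}"))
    return findings


def nudge(file, findings):
    """Slack-style message to the owner, mirroring the 'Correct' step."""
    owner = next(p["emailAddress"] for p in file["permissions"] if p["role"] == "owner")
    reasons = "; ".join(reason for _, reason in findings)
    return f"@{owner}: '{file['name']}' is {reasons}. Policy requires specific recipients only."


def audit(files):
    """Run the policy over every file. Returns (nudges, percent of files
    whose access controls pass policy), i.e. the metric suggested above."""
    nudges, ok = [], 0
    for f in files:
        found = evaluate(f)
        if found:
            nudges.append(nudge(f, found))
        else:
            ok += 1
    pct_controlled = 100.0 * ok / len(files) if files else 100.0
    return nudges, pct_controlled
```

Re-running `audit` on a schedule and charting `pct_controlled` over time gives the trend line the list above asks for, instead of a quarterly click rate.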


Bottom Line

Phishing simulations ask: “would this person click a link?”

The real question: “what is this person doing right now that could cause a breach?”

The answer is in their sharing settings, their OAuth permissions, their calendar. Not in a fake email.

Simulations are a starting point. Continuous monitoring completes the picture. Engarde (engarde.cc) — the behavior-centered cybersecurity platform — combines both: SaaS behavioral audits, real-time nudges in Slack and Teams, and spaced-repetition quizzes that address the behaviors training alone cannot fix.


Sources: Verizon DBIR 2024 · Gartner Human Risk Management · UChicago - Training Gaps

Frequently asked questions

Why aren't phishing simulations enough on their own?

They test one attack vector (email) at one point in time, but breaches originate in daily SaaS behaviors — oversharing files, shadow IT, exposed calendars — that simulations never observe. Click rates can fall while real risk rises.

What does 'continuous behavior monitoring' actually monitor?

Behaviors inside the tools your team uses every day: file-sharing settings in Google Workspace and Microsoft 365, OAuth apps connected to your tenant, calendar visibility, MFA adoption, and credentials stored in shared documents. Anything that creates exposure when configured wrong.

Don't phishing simulations reduce real-world phishing risk?

Only marginally. Employees learn to recognize the simulation itself — Goodhart's Law: when a measure becomes a target, it ceases to be a good measure. Click rates improve while attacker tactics shift to OAuth grants and supply-chain compromise that simulations don't test.

What metrics should replace phishing click rates?

Percentage of files with appropriate access controls, MFA adoption rate, count of unapproved OAuth apps with data access, mean time to remediate flagged behaviors, and the trend lines across all of those. They reflect real exposure, not awareness of a test.

How does Engarde (engarde.cc) handle this?

Engarde audits SaaS behaviors continuously, then delivers real-time nudges in Slack or Teams when an employee triggers a risky configuration. Spaced-repetition quizzes reinforce the secure default over weeks. It's continuous monitoring plus behavior change, in one platform — distinct from other vendors sharing the Engarde name.


Quentin F.

CEO & Founder, EnGarde

Building behavior-centered cybersecurity. Believes training doesn't work - real-time guidance does.
