When it comes to running phishing simulation campaigns, what is the best practice on how often they should be run, and at what cadence should phishing simulation emails be sent out? Some organizations only run a campaign once per quarter, sending out a simulated phishing email about once per week, while other organizations run continuous campaigns, sending out phishing simulations about once every 2 weeks. What are other organizations doing, and what is the best practice?
We had 12 phishing samples and sent them during the year randomly to the employees. This means they received 1 in every month. This approach worked well at a company the size of 25k email users. Quarterly reports were sent to the management, and the click rate dropped from 26% to 5% during 2 years.
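As an added example (not code from any poster here), a small Python planner in the spirit of the approach above: every user gets each of 12 lures exactly once, one per month on a random day, in a per-user shuffled order, plus the quarterly click-rate figure a management report would carry. User and template names are constructed placeholders.

```python
import random
from calendar import monthrange
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data: a few users and 12 hypothetical lure template names.
USERS = ["alice", "bob", "carol", "dave"]
TEMPLATES = [f"lure-{i:02d}" for i in range(1, 13)]


def build_schedule(users, templates, year, seed=0):
    """Give every user every template exactly once, one send per month, on a
    random day. The template order is shuffled per user so colleagues do not
    all receive the same lure in the same week and tip each other off."""
    if len(templates) != 12:
        raise ValueError("expected exactly one template per month")
    rng = random.Random(seed)  # seeded so the plan is reproducible for audit
    schedule = []
    for user in users:
        order = list(templates)
        rng.shuffle(order)
        for month, template in enumerate(order, start=1):
            day = rng.randint(1, monthrange(year, month)[1])
            schedule.append((user, template, date(year, month, day)))
    return schedule


def check_schedule(schedule, users, templates):
    """Verify one send per user per month and every template seen once."""
    months = defaultdict(Counter)
    seen = defaultdict(set)
    for user, template, when in schedule:
        months[user][when.month] += 1
        seen[user].add(template)
    return all(
        set(months[u]) == set(range(1, 13))
        and max(months[u].values()) == 1
        and seen[u] == set(templates)
        for u in users
    )


def quarterly_click_rates(results):
    """results: iterable of (send_date, clicked). Returns {quarter: percent}."""
    sent, clicked = Counter(), Counter()
    for when, did_click in results:
        q = (when.month - 1) // 3 + 1
        sent[q] += 1
        clicked[q] += int(did_click)
    return {q: round(100.0 * clicked[q] / sent[q], 1) for q in sorted(sent)}


if __name__ == "__main__":
    plan = build_schedule(USERS, TEMPLATES, 2024)
    print("schedule valid:", check_schedule(plan, USERS, TEMPLATES))
```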
Phishing simulation campaigns should not be sent very frequently. Users will get used to them. Campaigns should be sent specifically around a time of interest, for example, free tickets during the World Cup, during income tax returns, during festive seasons with offers, etc., which will truly test the users. Best practice is to time the campaign during such events and not as a routine activity.
Best practice is to conduct phishing simulations monthly or quarterly, balancing frequency to maintain awareness without causing fatigue.
Many organizations run bi-weekly or monthly campaigns, adjusting based on employee engagement and the threat landscape. Continuous simulations can be effective but should be paired with comprehensive training to ensure long-term security awareness.
A monthly cadence seems to find the balance between too much and not enough for the general user base. Targeted training for departments like Finance might be warranted at a slightly higher cadence.