Why your phishing simulations aren’t building a security culture
Security culture isn’t built by phishing simulations. In this Help Net Security video, Dan Potter, VP of Cyber Resilience at Immersive, argues that annual training videos and quarterly phishing tests happen in calm, controlled settings that tell us nothing about how people perform when a real incident hits.
Real attacks trigger anxiety, cognitive narrowing, and hesitation. People fixate on the loudest problem in the room, lose sight of the bigger picture, and slow down when decisions matter most. Muscle memory built under pressure is what closes that gap.
Potter outlines what readiness looks like: cross-functional exercises, micro-learning at the point of risky behavior, psychological safety that removes blame culture, and a security team seen as an enabler rather than a gatekeeper.
The goal is a workforce, from the front line to the boardroom, that knows its role, trusts the process, and can act when it counts.
