Which practice enables testing of phishing awareness?

Simulated phishing campaigns enable testing of phishing awareness by creating realistic, controlled phishing attempts to observe how people actually respond. They provide actionable metrics—who opens the message, who clicks a link, who enters credentials, and who reports it—that reveal gaps in awareness and training effectiveness and allow you to measure improvement over time. Training builds knowledge, but by itself it doesn’t show how employees behave when faced with a real-looking phishing attempt. An incident reporting culture helps with detection and response after something slips through, but isn’t a method to actively test susceptibility. Mobile device management focuses on devices and access controls, not phishing awareness testing.