First, you should establish that this "training" is effective in raising security standards. I’m skeptical it does. When working as a lifeguard, we never did live testing (i.e. training without knowing it is training) simply because results are mixed at best. Trainees are stressed in a live scenario and are unlikely to really "learn" anything from the experience. Worst case scenario, trainees will experience stress to a level where they will be harmed by the experience.
Second, security should not fail on a successful phishing attempt. If a worker opens a phishing email and it compromises your security, you’ve got bigger problems.
Thirdly, don’t discount workers’ experience of having failed a task. It is extremely unpleasant and stressful. Workers’ health matters, and to subject us to unnecessary stress levels is simply evil. There is no excuse. Find a better way to secure your system.