A question I am commonly asked about Phishing Asssesments is do they desensitize employees? Do employees beging to treat phishing (both real attacks and simulated attacks) as a frivolous game, ultimately exposing the organization to more risk, not less? Based on my experience I would have to say a resounding no. To be honest, if anything you have the exact opposite problem. If I see any issues, some employees become overly concerned and over emphasize phishing risks. Following such training and assessments, security teams or help desk will get an increase in phishing reports that turn out to legitimate emails. In one case I know of a senior executive sent out an email to the entire organization, announcing an upcoming webcast that all employees were required to attend. Several employees forwarded this to the security team thinking it was a spear phishing attack. In fact, this is why I'm cautious about sending out spear phishing emails pretending to come from senior management, depending on your organization and the type of risks you deal with, such assessments can do more harm then good. Long story short, do I feel phishing assessments desensitize employees? Absolutely not. In fact, my experience shows that if you run into any problems, it is with overly sensitive employees.