JW Goerlich on Training, phishing exercises, security metrics,getting the most from user training

JW Goerlich -  "Wolfgang is a cyber security strategist and an active part of the Michigan security community. He co-founded the OWASP Detroit chapter and organizes the annual Converge and BSides Detroit conferences. Wolfgang has held roles such as the Vice President of Consulting, Security Officer, and Vice President of Technology Services. He regularly advises clients on topics ranging from risk management, incident response, business continuity, secure development life cycles, and more."   https://jwgoerlich.com/   RSA talks and discussion Phishing tests -  https://www.securityweek.com/research-simulated-phishing-tests-make-organizations-less-secure https://hbr.org/2021/04/phishing-tests-are-necessary-but-they-dont-need-to-be-evil What are the goal of these tests?     That someone will click and activate (is that not a given?) What made them popular in the first place? Is this an example of management not taking security seriously, so we needed proof?   https://www.csoonline.com/article/3619610/best-practices-for-conducting-ethical-and-effective-phishing-tests.html FTA: "This will only undermine the efforts of cybersecurity teams as a whole, alienating the very people they aim to engage with, Barker adds. "People generally don't like to be tricked, and they don't usually trust the people who trick them. One counterargument I often hear is that criminals use emotive lures in a phish, so why shouldn't we? Well, criminals also cause physical damage to property, take systems offline, and disrupt services, but physical social engineers and pen-testers don't—for good reason. Simulations should not cause active harm.""   Is this part of a larger issue? Why do we treat these tests the way we do? Typical scenario?Mgmt does not believe or trust their internal people to tell them what is wrong, and takes a 3rd party source/product to tell them the same thing.     Are these stories Apocryphal? Or just my experience?