
How to Switch from Legacy Security Awareness Training to Modern Human Risk Management: A Step-by-Step Guide

Stop checking boxes and start reducing risk. Follow this 8-step guide to transition from legacy security awareness to modern Human Risk Management (HRM) today.

March 25, 2026

For years, security awareness programs followed a familiar formula: Send employees annual training videos, run periodic email phishing tests, and track who clicked.

Those programs were built for a threat landscape that no longer exists.

Today’s attackers don’t rely on a single phishing email. They run coordinated social engineering campaigns across multiple channels—impersonating executives on phone calls, sending follow-up SMS messages with MFA prompts, or targeting helpdesk staff with urgent password reset requests. In many cases, these attacks unfold in several steps, each designed to build trust and create urgency.

Legacy security awareness training (SAT) programs struggle to keep up because they were designed around a narrow question: Did the user complete the training? Modern security teams are asking a much broader question: How prepared are employees for real social engineering campaigns?

That shift is driving the move toward modern Human Risk Management (HRM). Instead of treating awareness as a compliance exercise, HRM programs focus on identifying, testing, and reducing the real behaviors attackers exploit. The goal isn’t just to teach employees about threats—it’s to educate users against modern attacker tactics, simulate real attacks, measure risk across the organization, and continuously strengthen human defenses.

If your team is looking to move beyond legacy SAT tools, here’s a practical roadmap for making the transition.

1. Start by reframing the problem internally

Replacing a security awareness platform is rarely just a technical decision. It requires alignment across security, compliance, and leadership about what the program should actually accomplish.

Legacy awareness programs were designed primarily to demonstrate compliance. Training completion rates and phishing email click rates became the metrics that mattered. But attackers have adapted faster than those programs have evolved. Social engineering campaigns now routinely combine voice calls, messaging apps, impersonation tactics, and multi-step deception.

A modern HRM program reframes the objective. Instead of measuring awareness activity, the goal becomes measuring human risk:

  • Which teams are most susceptible to social engineering?
  • Which attack patterns cause employees to bypass security controls?
  • Where would a motivated attacker be most likely to succeed?

When leadership understands that the shift is about reducing real operational risk—not simply replacing a training vendor—the transition becomes much easier to justify.

2. Identify the threats your employees actually face

Once you’ve secured buy-in, the next step is understanding what kinds of social engineering attacks your organization is most likely to encounter and what your new tool needs to offer.

Many legacy SAT programs rely on a library of generic phishing templates. Those templates rarely reflect the techniques attackers are currently using, which makes simulations predictable and less effective.

Modern HRM programs take a different approach. Simulations are designed to mirror the tactics seen in active campaigns:

  • A finance team might receive an executive impersonation message requesting an urgent transfer
  • Remote employees might encounter a simulated MFA prompt after a suspicious login alert
  • Helpdesk staff might receive a phone call from a “new employee” requesting a password reset

The realism of these scenarios matters. When simulations replicate the techniques attackers actually use, employees develop instincts that translate directly into real-world defense.

This second step of the journey involves mapping out a list of capabilities that your new tool must offer: maybe deepfakes, SMS simulations, multistep campaigns, custom training content, or behavior-based training paths. In order to drive the meaningful shift that your leadership team is looking for, you need to find the right tool to set your HRM program up for success.

3. Integrate your identity provider and automate user management

Once you’ve selected a platform, the first operational step is connecting it to your identity systems.

Modern HRM tools integrate with common identity providers such as Okta, Google Workspace, Microsoft Entra, and HR systems like Workday, Rippling, or ADP. These integrations automatically sync users and organizational structure into the platform, enabling security teams to target campaigns based on departments, roles, or user groups.

This integration transforms awareness from a manual process into an automated program. New hires can be enrolled in onboarding training as soon as they join the company. Simulations can be tailored to specific teams such as engineering, finance, or support. And risk insights can be tracked at the user, department, or company level.

By connecting HRM to identity infrastructure, security teams can run programs that adapt continuously as the organization evolves. The integration work is usually straightforward and pays dividends for the life of the program.

4. Configure the channels attackers actually use

Perhaps the biggest difference between legacy SAT tools and modern HRM platforms is the number of channels they support.

Traditional phishing simulations operate almost entirely in the email inbox. Real attackers, however, rarely limit themselves to a single channel. They combine email, messaging platforms, phone calls, and internal collaboration tools to pressure employees into taking action. Modern HRM platforms allow organizations to recreate these attack patterns. A campaign might begin with a voicemail from an executive requesting urgent assistance, followed by a text message containing a login link.

Doppel, for example, allows security teams to run multistep simulations across channels such as email, business communication tools, messaging channels, and voice calls, enabling organizations to replicate how attackers actually operate.

In order to unlock these capabilities, the fourth step is configuring email settings to ensure simulation delivery. This can be done through direct mailbox injection or allowlisting, and usually involves just a few short steps.

5. Set expectations with employees before the first campaign

Before launching your first simulation, it’s important to communicate clearly with the broader organization.

Security awareness programs sometimes create friction when employees feel they are being tested or embarrassed. That dynamic undermines the very behavior change the program is meant to encourage.

Successful HRM programs position simulations as a form of preparedness rather than punishment. Employees should understand that the purpose of the program is to help the organization recognize and respond to sophisticated social engineering attacks, not to entrap individuals for sport.

Framing the program around learning and resilience encourages employees to participate actively and report suspicious activity more confidently.

6. Launch your first campaigns using realistic scenarios

With infrastructure and change management in place, it’s time to design the first set of campaigns.

Rather than starting with random phishing tests, many organizations begin with scenarios tied to real attack patterns. Modern HRM platforms can recommend campaigns based on threat intelligence, industry trends, or attack techniques currently targeting similar organizations.

For example, a simulation might recreate an increasingly common vishing scenario: An employee receives a call from someone impersonating IT support, claiming suspicious activity has been detected on their account. During the call, the attacker sends a follow-up SMS containing a login link or MFA prompt.

This type of multi-step scenario teaches employees to recognize how attackers combine urgency, authority, and multiple communication channels to manipulate victims. It also gives security teams a clearer picture of where real vulnerabilities exist.

7. Pair simulations with targeted training

One of the most important differences between legacy SAT programs and HRM is what happens after a simulation.

Traditional awareness programs often stop at measuring who clicked, and focus on reducing that metric alone. HRM programs treat simulations as diagnostic tools that identify where coaching or training will have the greatest impact on organizational risk.

When a user interacts with a simulated attack, they can immediately receive targeted reinforcement—short training modules, quizzes, or interactive coaching tailored to the specific behavior that occurred. Over time, these interventions help employees build habits that make them more resilient against similar attacks.

Modern HRM platforms also allow organizations to create custom training content reflecting their own policies, tools, and workflows. Some even enable deepfake-driven training scenarios or AI-generated modules that mirror real incidents the company has encountered.

8. Establish a continuous risk-reduction loop

The final step is turning the program into an ongoing process.

Human Risk Management isn’t a one-time training initiative—it’s a continuous cycle of simulating attacks, reinforcing behavior, and measuring improvement over time. Each campaign reveals where employees struggle and where defenses are strong. That information then guides the next round of training and simulations.

Over time, this feedback loop allows security teams to focus attention where it matters most. Instead of delivering the same generic training to everyone, organizations can prioritize coaching for high-risk users, departments, or attack types.

The result is a program that doesn’t just demonstrate awareness; it produces measurable reductions in human-driven security risk.
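The measurement side of this loop (which teams and channels carry the most risk, whether a multistep chain actually lands, and who should be coached first) as an added Python example; this is not Doppel's code or part of the original post. The simulation records are constructed, and the outcome weights are an assumption rather than any standard scoring.

```python
from collections import defaultdict, namedtuple

# Assumed weights (not a standard): reporting the lure is the desired behaviour,
# ignoring is neutral, interacting (clicked, approved MFA, gave a password) is risk.
OUTCOME_WEIGHT = {"reported": 0.0, "ignored": 0.5, "interacted": 1.0}

# One record per user per touch; step is the position in a multistep campaign.
SimEvent = namedtuple("SimEvent", "user department campaign channel step outcome")

# Constructed sample: a two-step IT-support vishing campaign (voice call, then an
# SMS with a login link) and a single-step executive wire-transfer email.
EVENTS = [
    SimEvent("alice", "finance", "vish-mfa", "voice", 1, "interacted"),
    SimEvent("alice", "finance", "vish-mfa", "sms", 2, "interacted"),
    SimEvent("bob", "finance", "vish-mfa", "voice", 1, "ignored"),
    SimEvent("bob", "finance", "vish-mfa", "sms", 2, "reported"),
    SimEvent("carol", "helpdesk", "vish-mfa", "voice", 1, "interacted"),
    SimEvent("carol", "helpdesk", "vish-mfa", "sms", 2, "interacted"),
    SimEvent("dave", "engineering", "vish-mfa", "voice", 1, "reported"),
    SimEvent("alice", "finance", "exec-wire", "email", 1, "interacted"),
    SimEvent("bob", "finance", "exec-wire", "email", 1, "reported"),
    SimEvent("carol", "helpdesk", "exec-wire", "email", 1, "ignored"),
    SimEvent("dave", "engineering", "exec-wire", "email", 1, "reported"),
]

def risk_by(events, attr):
    """Mean outcome weight grouped by an event attribute (department, channel, user)."""
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, attr)].append(OUTCOME_WEIGHT[e.outcome])
    return {k: sum(v) / len(v) for k, v in groups.items()}

def chain_completion(events):
    """Per campaign: share of users who reached the final step and interacted there."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    out = {}
    for name, evs in by_campaign.items():
        last = max(e.step for e in evs)
        final = [e for e in evs if e.step == last]
        out[name] = sum(e.outcome == "interacted" for e in final) / len(final)
    return out

def coaching_priority(events, threshold=0.5):
    """Users whose mean risk exceeds the threshold, highest first, for targeted coaching."""
    scores = risk_by(events, "user")
    return sorted(((u, s) for u, s in scores.items() if s > threshold), key=lambda x: -x[1])
```

Feeding each round's results back through these three views is what turns a click-rate report into the prioritised next round of simulations and coaching the text describes.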

The future of security awareness is human risk management

As social engineering continues to evolve, the organizations that treat human risk as a measurable—and manageable—part of their security posture will be the ones best prepared to stop the next generation of attacks.

Ready to move beyond basic compliance and start actually reducing human risk? Request a demo to see for yourself how Doppel helps you simulate, measure, and stop the sophisticated social engineering attacks your team faces every day.
