<![CDATA[Phishing attacks remain one of the most prevalent information security threats in organizations due to their reliance on social engineering techniques that exploit human behavior rather than technical vulnerabilities. In the financial services sector, the increasing use of corporate email and digital applications further amplifies the potential impact of phishing incidents. This study evaluates the effectiveness of phishing simulation as an instrument to assess user behavior and information security awareness within an organizational environment. The research employs a quantitative descriptive approach based on a controlled phishing drill simulation delivered via organizational email. Interaction data were collected from 17,062 successfully delivered simulation emails and analyzed using behavioral indicators, including open rate, click rate, data submission rate, and response time. The results show that while most users did not engage in risky actions, a small proportion proceeded to critical interaction stages, such as clicking malicious links and submitting credentials. Notably, interactions involving users with critical access accounts, although limited in number, represent a disproportionate risk due to their potential impact on organizational security. The analysis of response time indicates that a significant portion of clicks occurred shortly after email receipt, suggesting a tendency toward rapid decision-making without sufficient verification, particularly in messages emphasizing operational urgency. The findings highlight the importance of risk-based mitigation strategies and demonstrate that phishing simulations should be positioned not only as measurement tools but also as part of a continuous improvement cycle integrating targeted security awareness interventions, user segmentation, and scenario variation to strengthen organizational resilience against phishing threats.]]>
