Simulated phishing campaigns are widely deployed, yet the behavioral data they produce is endogenous: because training is triggered by clicking, the employees receiving intervention have already demonstrated susceptibility. This endogeneity, combined with the difficulty of separating genuine habit formation from stable individual differences, means standard analyses can mischaracterize program effectiveness. In this Research Note, we develop a generalizable analytic framework addressing both biases simultaneously. We utilize marginal structural models (MSMs) to correct for the endogenous, click-triggered assignment of training, while integrating correlated random effects (CRE) to disentangle true state dependence from stable employee heterogeneity. Applying the MSM+CRE estimator to logs from 17 campaigns delivered to university staff (192,840 observations) reveals that analyses ignoring stable differences overstate the causal persistence of clicking; most repeat clicking reflects who employees are, not the effect of recent failures. This persistence is context-dependent, amplifying when successive campaigns share persuasion cues. Teachable-moment features also matter: emotion framing and explicit reporting pitches can largely eliminate persistence, while annotated-email cues modestly exacerbate it. Finally, employees engaging with the education page exhibit greater persistence than those dismissing it, consistent with an emboldening mechanism. We contribute methodologically by integrating MSMs and CRE into a portable framework for analyzing standard simulation logs, and practically by identifying specific design levers so organizations can better sequence and evaluate their phishing programs.

翻译：模拟钓鱼攻击活动被广泛部署，但其产生的行为数据具有内生性：由于培训由点击行为触发，接受干预的员工已表现出易受攻击性。这种内生性，加上难以区分真实的习惯形成与稳定的个体差异，意味着标准分析可能误判项目有效性。在本研究报告中，我们开发了一个可推广的分析框架，同时解决这两种偏差。我们利用边际结构模型（MSMs）来校正由点击触发的培训分配的内生性问题，同时整合相关随机效应（CRE）以区分真实的状态依赖与稳定的员工异质性。将MSM+CRE估计量应用于针对大学员工开展的17次活动日志（192,840个观测值）显示：忽略稳定差异的分析会高估点击行为的因果持续性；大多数重复点击反映的是员工固有特质，而非近期失败经历的影响。这种持续性具有情境依赖性，当连续活动共享说服线索时会增强。可教育时刻的特征也很重要：情绪框架和明确报告引导能大幅消除持续性，而带注释的邮件线索会轻微加剧持续性。最后，参与教育页面的员工比直接关闭页面的员工表现出更强的持续性，这与激励强化机制相符。我们在方法论上贡献在于将MSMs与CRE整合为可移植的标准化模拟日志分析框架，在实践层面则通过识别具体设计杠杆，帮助组织机构更好地规划与评估其钓鱼攻击防范项目。