“Do or do not …there is no try.”

—Yoda in Star Wars Episode V: The Empire Strikes Back

Let's say you read the first four chapters and are saying, “Yep, I get it, and I 100 percent agree …now what?”

Believe it or not, I meet people like you every day. Companies who see what is happening in the world around us and realize there is a need for security. They understand that phishing, vishing, and social engineering are used in almost every attack, and they don't want to be the next statistic in the newspaper.

Many security professionals start with a quick Google search to find which vectors are being used the most. It doesn't take long to see that phishing is almost always at the top of the list. The next logical progression is to start searching for phishing education help.

One company might tell you, “Just use our templates and you will be amazed.” Another might say, “You must go super hard-core on your employees to scare them into shape.” Yet another might propose this wisdom: “If you embarrass and humiliate them, they will learn.” And a fourth company might suggest, “A balance between education and healthy fear is the best.”

How do you decide what to do? How do you decide what program can help you the best?

As mentioned in Chapter 4, Michele and I have sent—are you ready for this?—more than 3 million phishing e-mails in just the past year. With that many phishing e-mails under our belts, we have collected ...