Spearphishing, phishing, and poor password practices make up a significant portion of the attacks that successfully undermine enterprise security. Enterprises deploy a variety of technologies that attempt to protect the network, their intellectual property, and customer data. As security technologies improve, criminals increasingly attack the weakest link, the user. One of the crucial defenses against attacks targeting users, education, is largely ignored or underutilized. IT professionals have generally failed to employ appropriate educational practices and almost universally neglect the measurement of the results of education.