One of the services my personal company provides is getting the answers to those questions. The hiring company gives us a list of all its e-mail addresses. We craft a very spam-looking e-mail containing a malicious link and Web bug. We try to make the e-mail look as foreign and strange as possible, so it isn’t confused with company messages, but we also offer some sort of enticement (e.g., free game, genealogy software, or -- of course -- porn). We may even ask for the user’s corporate log-on name and password.
Then we record who responds. We automatically send back an internal link in another e-mail (this time more official-looking and linked to their company) that points to a custom-branded document made for the company that discusses Internet risks and common-sense computer security steps -- spot-on computer security education. Depending on the client, the offender may be invited to a morning or weekend computer class, the more inconvenient and boring the better.
We send the client a report on which e-mail addresses belonged to the offenders and calculate the percentage of takers on that first malicious e-mail. It is not unusual for the initial conversion rate to be 60 percent. We then wait 30 days, test the original offenders again, and recalculate the rate. It's not unusual for it to be as low as 2 percent.
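As an added illustration (not the author's own tooling), here is a small Python reporter that turns the company's address list and a log of tracking hits into the two numbers described above: the initial conversion rate over everyone, and the retest rate over the original offenders only. The log format, round names and event names are assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the article): the company's address list
# and a log of tracking hits, one per line: "<timestamp> <round> <event> <address>".
ADDRESS_LIST = [
    "alice@example.com", "bob@example.com", "carol@example.com",
    "dave@example.com", "erin@example.com",
]

HIT_LOG = """\
2024-03-01T09:12:03 round1 webbug alice@example.com
2024-03-01T09:15:44 round1 click alice@example.com
2024-03-01T10:02:11 round1 click bob@example.com
2024-03-01T11:40:27 round1 creds carol@example.com
2024-03-01T12:00:00 round1 click nobody@example.org
2024-03-31T08:45:10 round2 click bob@example.com
"""


def parse_hits(log_text, known_addresses):
    """Return {round: {event: set(addresses)}} for addresses on the company list.

    A user counts once per round no matter how many hits they produced, and
    hits from addresses not on the list (forwarded mail, external scanners)
    are dropped so they cannot inflate the rate.
    """
    known = set(known_addresses)
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, rnd, event, addr = line.split()
        if addr in known:
            hits[rnd][event].add(addr)
    return hits


def takers(hits, rnd):
    """Everyone who responded in a round by any event (web bug, click, creds)."""
    return set().union(*hits[rnd].values()) if rnd in hits else set()


def report(addresses, log_text, first="round1", retest="round2"):
    """Initial rate over all addresses; retest rate over the original offenders."""
    hits = parse_hits(log_text, addresses)
    offenders = takers(hits, first)
    repeat = takers(hits, retest) & offenders  # only offenders are retested
    return {
        "offenders": sorted(offenders),
        "initial_rate": len(offenders) / len(addresses),
        "gave_credentials": sorted(hits[first]["creds"]),
        "repeat_offenders": sorted(repeat),
        "retest_rate": len(repeat) / len(offenders) if offenders else 0.0,
    }
```

With the sample data, three of five users take the first e-mail (60 percent) and one of those three takes the retest.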
It's measurable computer security return for low or no cost. We have sold this client-side testing service to corporations large and small, financial companies, banks, and government consultants, but I'm not trying to get more business. With a little investment of time, anyone can do it. Are you?