This document discusses the use of phishing simulation exercises to train users on cybersecurity threats. It notes that email is the number one threat vector, with 99% of hackers relying on users to run malicious code. It recommends using tools that simulate phishing attacks to train users on tactics, techniques, and procedures used by criminals. The goal is to make users aware that they are targets and to strengthen an organization's cyber defenses by improving user awareness and behavior.