How can you ever get that lower than 100% if you don't do the test to identify which employees need to be trained / monitored because they fall for phishing?