a few tactics that could be used to help shift the employees perspective from reactive to proactive in regard to security would start by sending out unexpected phishing emails that are tests for the entire company. This is something my previous company actually did, they would send out random emails every few months with no heads up so they were able to not only show how easy it is to receive an email that could be malicious and how crucial it is to verify that email prior to clicking any links but also to take note of what employees fell for the test phishing email and set up a required training for all of those employees to join as a way to better educate them. I think another tactic would be to make the trainings mandatory but not repetitive. From an employees perspective, if you are required to take the same training annually or biannually, it loses its purpose and meaning. Customizing could be relating the trainings more to each team or department rather than simply the entire company or this could be updating the way the trainings are run each time; I think this would leave room for creativity to come through which will help leave a mark. I think that customizing the trainings so that each time the employees can be engaged and leave the training having learned something rather than zoning out the whole time." Answer in a paragraph form. What would you do differently? What additional recommendations would you have for the solution they provided