Running an effective phishing test at work can be the difference between an employee who clicks on malicious links or attachments and one who reports them.

In fact, real-time phishing simulations have proven to double employee awareness retention rates and yield a near 40% ROI compared with more traditional cybersecurity training tactics, according to a study conducted by the Ponemon Institute.


But taking your organization’s weakest cybersecurity link—its employees—and turning them into a point of strength isn’t easy and won’t happen overnight. You’ll need to have patience, perseverance, and a willingness to teach instead of tell. A phishing test (or phishing simulation) is a great way to increase employee engagement with security initiatives and to provide employees with a tangible, real-life scenario to improve their security behavior.