<p>Organizations often shy away from including phishing in their security testing, primarily because it's difficult to get reliable statistics. However, by employing a tagging process, testers can map sent e-mails with received responses, and build useful reports. Additionally, this information can be used to develop knowledge of social roles in the organization, as well as for identifying useful targets.</p>