Most phishing messages come from cybercriminals, but a few are probably being sent by your own information technology department to test how susceptible the organization is to malware and phishing scams. Increasingly, IT departments are turning to in-house experiments of this kind to identify weaknesses in their systems and to educate users about the risks of infiltration.

The use of experiments to assess vulnerabilities extends far beyond information security. To test the efficacy of airport security measures, for instance, the Transportation Security Administration "Red Team" now regularly runs covert tests in which it attempts to carry banned items through airport screening and customs checks. The results have proved sobering: screening often fails to catch more than half of the banned items, demonstrating that changes in training and procedures are needed to improve security.

The same logic applies to compliance programs, which are meant to reduce a wide variety of socially harmful conduct, from drug trafficking, money laundering, and public corruption to dangerous consumer products and dangerous working conditions. Devoting substantial resources to compliance provides no guarantee that the program is effective. Implementing a compliance program without evidence that it works amounts to nothing more than a hope that its measures will protect workers, investors, and the general public from organizational misconduct. In many cases that hope is likely to go unfulfilled, at tremendous monetary and opportunity cost.

Brandon L. Garrett & Gregory Mitchell, Overcoming Hope and Fear in Compliance, Starling Compendium (2022).