Following the launch of a program aimed at equipping employees with skills to thwart social engineering attempts, the information security manager is keen on assessing its efficacy. Which method would yield the most authentic measure of the program's success?