A new report reveals that two thirds of critical infrastructure employees report a real malicious email attack within first year of training.