wombatsecurity | August 26, 2015

New Research from Ponemon Institute and Wombat Security Finds Security Education Saves Companies Millions of Dollars Annually

  • Majority of Phishing Costs are due to Loss of Employee Productivity and Uncontained Credential Compromises
  • Wombat Employee Training Improves Phishing Defense by 64%, Delivers 50X ROI According to Independently Conducted Ponemon Study

Pittsburgh, PA – August 26, 2015 – Wombat Security Technologies (Wombat) and Ponemon Institute today published a new research report on the Cost of Phishing and Value of Employee Training, which found that employee training significantly reduces the financial consequences of phishing in the workplace.

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity and uncontained credential compromise, among other factors, which together cost an average sized company $3.77 million per year.

In proof-of-concept studies involving large companies, Ponemon Institute found that the phishing email click rate improved an average of 64% following Wombat’s security training program. This improvement represents the behavior change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimates a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determined a very substantial net benefit of $184.7 per user – for a remarkable annual rate of return on investment of 50X.

“In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks. This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “As the threat landscape continues to intensify and phishing tactics become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack.”

Other key findings:

  • The average annual cost for an average-sized company to contain malware is $1.9 million. Uncontained malware costs an average-sized company as much as $105.9 million.
  • The cost of business disruption due to phishing is $66.9 million.
  • Employees waste an average of 4.16 hours annually due to phishing scams.
  • The average annual cost to contain a credential compromise that originated from a successful phishing attack is $381,920. Uncontained credential compromise could cost a company as much as $105.9 million.

“This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption,” said Joe Ferrara, President and CEO of Wombat Security Technologies. “This research reveals the compelling value and ROI from putting in place a comprehensive security training program. Our methods have shown that a continuous training methodology does change employee behavior and reduce risk within an organization.”

Recent awards and recognition for Wombat include winning two Info Security Products Guide Awards, winning the Cyber Defense Innovator Award, being named one of the 20 Most Promising Enterprise Security Companies in 2015, winning a 2015 Pennsylvania Governor's Impact Award, and being designated one of the hot 500 Cybersecurity Companies to Watch in 2015.

Research Methodology

To determine the cost structure of phishing, Ponemon Institute surveyed 377 IT and IT security practitioners in the United States. Thirty-nine percent of respondents were from organizations with 1,000 or more employees who have access to corporate email systems.

For security officers who want to build a business case for security awareness training using proven ROI data, please download your copy of “The Cost of Phishing and Value of Employee Training.”

About Ponemon Institute

Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org.

About Wombat Security Technologies

Wombat Security Technologies provides information security awareness and training software to help organizations teach their employees secure behavior. Their SaaS-based cyber security education solution includes a platform of integrated broad assessments, as well as a library of simulated attacks and brief interactive training modules. Wombat's solutions help organizations reduce successful phishing attacks and malware infections up to 90%. Wombat is helping Fortune 1000 and Global 2000 customers in industry segments such as finance, technology, banking, higher education, retail, and consumer packaged goods to strengthen their cyber security defenses.
Amy Baker
412-621-1484 x 115