wombatsecurity | January 13, 2015

New Research from Aberdeen Group and Wombat Security Confirms Security Awareness and Training Measurably Reduces Cyber Security Risk

Monte Carlo Analysis Reveals That Changing Employee Behavior Reduces the Risk of a Security Breach by 45% to 70%

Pittsburgh, PA –Jan. 13, 2015 Wombat Security Technologies (Wombat) and the Aberdeen Group (Aberdeen) have joined forces to develop and release new industry research titled, “The Last Mile in IT Security: Changing User Behavior.” This new study will help organizations quantify risks related to cyber security attacks and the dramatic reduction in risk they can realize by implementing security education. Based on the fact-based Monte Carlo analysis, this study shows that changing employee behavioral responses to cyber threats such as social media, phishing and other popular attack vectors can reduce an organization’s risk by as much as 70%.  Following a year of unprecedented cyber security breaches during which criminals often preyed upon the security naivety of employees, the new analysis by Aberdeen and Wombat clearly demonstrates the return for companies that invest in implementing an effective security awareness and training program.

While many companies have adopted an array of IT security technologies in an effort to reduce network, system, application and data security risks, less attention has been paid to perhaps the greatest evolving security threat: the end user. In spite of all of the technical controls deployed to prevent a breach, the root cause for many — if not most — reported security incidents are the errant actions of company employees. The new Wombat and Aberdeen research clearly demonstrates that investments in security awareness training can help businesses close this critical security gap.

Key takeaways from Aberdeen and Wombat’s, “The Last Mile in IT Security: Changing User Behaviors” include the following:

  • Significant investments in security technology are diluted when there is a lack of investment in security awareness and training
  • An investment in user awareness and training effectively changes behavior and quantifiably reduces security-related risks by 45% to 70%
  • Monte Carlo modeling can help security professionals frame better-informed decisions and become strategic advisors to C-level leaders and their companies

“It’s important for security teams to communicate clearly about the risks that organizations are accepting when their employees’ response to cyber threats is not addressed,” said Derek Brink, VP and Research Fellow for Aberdeen Group, at Harte Hanks Company.  “While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behavior through innovative security education solutions actually reduce the organization’s risk?”

The new model by Aberdeen and Wombat was produced to address both the likelihood and the business impacts related to security infections that are a result of employee behavior, including the cost to respond to and recover from infections, as well as the cost of security awareness and training solutions themselves. The Monte Carlo model was used because it reflects the reality of making business decisions in the face of uncertainty, and can help to demonstrate the value of investments in security in terms of a reduction in risk.

The study reveals other key findings:

  • While traditional security controls are partially effective in protecting data and systems, they cannot be  100% effective at preventing infections
  • For an organization with $200M in annual revenue there is an 80% likelihood that infections from employee behavior will result in total costs of $2.5M per year under the status quo; and a 20% likelihood that the costs from errant employee behavior could exceed $8M
  • The data incorporated in the model (combined from industry sources, Aberdeen research and Wombat’s own data) conservatively quantifies the business impact of infections that result from employee behavior such as the cost to respond, remediate and recover from infections; the cost incurred from time of infection to response and recovery; and the cost of security awareness and training solutions
  • The research and findings can help security teams communicate more effectively with their business leaders about reductions in risk as opposed to merely the threat of attack

“Many security officers intuitively know that security education is an important line of defense against cyber crime, but they have trouble convincing senior management to spend the money necessary to execute an effective training program,” said Joe Ferrara, President and CEO of Wombat Security Technologies, provider of real-world data for, ‘The Last Mile in IT Security: Changing User Behavior.’ “Using the latest learning approaches that quantifiably change behavior, we are helping security officers overcome this obstacle by not only delivering award-winning security awareness training products, but also the risk analysis security officers need to build a compelling business case.”

Wombat has deep roots in the security awareness and training market and is a recognized authority, having recently been named a leader in the Gartner Magic Quadrant for Security Awareness Computer Based Training, the Gold winner of the 2014 Global Excellence Awards in Tomorrow’s Technology Today for its Security Training Platform, and Bronze winner in the New Product category for its CyberStrength® knowledge assessment product. To learn more about Wombat’s Security Education solutions, visit www.wombatsecurity.com.

For security officers who want to build a business case for security awareness training using proven ROI data, please download your copy of, ’The Last Mile in IT Security: Changing User Behavior.’

About Aberdeen Group

Since 1988, Aberdeen Group has published research that helps businesses worldwide improve their performance. Aberdeen identifies Best-in-Class organizations by conducting primary research with industry practitioners, and its team of analysts derives fact-based, vendor-neutral insights from a proprietary analytical framework that is independent of outside influence. The resulting research content is used by hundreds of thousands of business professionals to drive smarter decision-making and improve business strategies. Aberdeen's content marketing solutions help B2B organizations take control of the Hidden Sales Cycle™ through content licensing, speaking engagements, custom research and content creation services. Located in Boston, Massachusetts, Aberdeen Group is a Harte Hanks Company.

About Wombat Security

Wombat Security Technologies is a leading provider of cyber security education solutions that positively change employee behavior and help organizations avoid cyber security attacks. The solutions help security officers to deliver and manage customized knowledge assessments, the largest offering of simulated attacks, a library of interactive training modules, and security awareness materials as well as detailed and executive level reports. The Company’s solutions can reduce malware infections and successful phishing attacks up to 90%. Wombat is helping medium to large enterprises around the world reduce their risks and strengthen their cyber security defenses. Wombat has customers in a wide range of industries, including finance, technology, banking, insurance, retail, and consumer packaged goods.