This report by The Aberdeen Group shows that our solutions for security awareness and training can reduce the business risk and impact of phishing by about 50% at the median
In this report, jointly published with The Aberdeen Group:
- The leading driver for enterprise investment in security awareness and training is reducing the cyber security risk that arises from user behavior. This raises an important question: on what basis is the business decision to invest in security awareness and training being made?
- For the private sector, Aberdeen's Monte Carlo analysis estimates the annualized business impact of phishing attacks, based on the lost productivity of 1,000 users and a data breach of 100K to 1M records, to range from $0 to $10M, with a median of about $250K.
- For the same scenario, an investment in security awareness training results in a median reduction in the annualized risk of phishing attacks of about 50%, a median annual return on investment of about 5x, and a reduction in the potentially catastrophic "long tail" of risk by about $6M.
- For the same scenario, Aberdeen's Monte Carlo analysis provides the additional insight that a modest investment in security awareness and training for all users (about $28K) has a 72% likelihood of producing a significant reduction in the business impact of phishing attacks (as high as $6M).
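The figures above come from a Monte Carlo model: the uncertain inputs (how many users fall for phishing, how much time each incident costs, whether a breach follows and how large it is, how much training reduces susceptibility) are sampled many times, and the summary statistics are read off the resulting distribution of annual loss. The following is an added example of how such an analysis is built; it is not Aberdeen's model or code, and every distribution and constant in it (click rate, hours lost, breach probability, per-record cost, training effect) is an assumption chosen for illustration, to be replaced with your own estimates. It keeps the page's 1,000-user scenario, the 100K to 1M record breach range and the ~$28K program cost, and reports the same kinds of outputs the report quotes: median loss with and without training, the 90th-percentile "long tail", median ROI, and the probability that training yields a reduction above a chosen threshold.

```python
"""Monte Carlo estimate of annualized phishing impact with and without
security awareness training.

Illustrative model only: the distributions and constants below are
assumptions for this example, not inputs or results of the Aberdeen
report. Uses only the standard library so it runs anywhere."""
import math
import random
import statistics

# --- Scenario assumptions (placeholders, not from the report) ---
USERS = 1_000                      # the "1K users" scenario
HOURLY_COST = 50.0                 # fully loaded cost of one user-hour, USD
TRAINING_COST = 28_000.0           # annual program cost, matching the ~$28K on the page
REDUCTION_THRESHOLD = 1_000_000.0  # what this example counts as a "significant" reduction


def annual_impact(click_rate, users, hours_lost, hourly_cost,
                  breach, records, cost_per_record):
    """Deterministic annual loss for one set of sampled inputs.

    productivity loss = users who fell for phishing * hours lost each * hourly cost
    breach loss       = records exposed * cost per record, only if a breach occurred
    """
    productivity = click_rate * users * hours_lost * hourly_cost
    breach_loss = records * cost_per_record if breach else 0.0
    return productivity + breach_loss


def percentile(values, p):
    """Nearest-rank percentile for p in [0, 1], without numpy."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def simulate(trials=10_000, seed=7):
    """Sample the scenario `trials` times and summarize both arms."""
    rng = random.Random(seed)
    without, with_training, reductions, rois = [], [], [], []

    for _ in range(trials):
        # Share of users who fall for at least one phish per year (assumed
        # triangular: 5% to 40%, most likely 15%) and hours lost per victim.
        click_rate = rng.triangular(0.05, 0.40, 0.15)
        hours_lost = rng.triangular(1.0, 8.0, 2.0)

        # Breach: assumed probability proportional to click rate; size drawn
        # log-uniformly over 100K..1M records at an assumed per-record cost.
        # One uniform draw `u` is shared by both arms (common random numbers),
        # so in any single trial training can only remove a breach, never add one.
        u = rng.random()
        records = int(math.exp(rng.uniform(math.log(100_000), math.log(1_000_000))))
        cost_per_record = rng.triangular(1.0, 10.0, 3.0)

        # Training effect: assumed 30% to 70% relative reduction in click rate.
        trained_rate = click_rate * (1.0 - rng.uniform(0.30, 0.70))

        loss_0 = annual_impact(click_rate, USERS, hours_lost, HOURLY_COST,
                               u < 0.5 * click_rate, records, cost_per_record)
        loss_1 = annual_impact(trained_rate, USERS, hours_lost, HOURLY_COST,
                               u < 0.5 * trained_rate, records, cost_per_record)

        without.append(loss_0)
        with_training.append(loss_1)
        reductions.append(loss_0 - loss_1)
        rois.append((loss_0 - loss_1 - TRAINING_COST) / TRAINING_COST)

    return {
        "median_without": statistics.median(without),
        "median_with": statistics.median(with_training),
        "median_reduction": statistics.median(reductions),
        "median_roi": statistics.median(rois),
        "p90_without": percentile(without, 0.90),   # the "long tail"
        "p90_with": percentile(with_training, 0.90),
        "p_significant_reduction": sum(r >= REDUCTION_THRESHOLD for r in reductions) / trials,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>24}: {value:,.2f}")
```

The point to take from the structure, rather than from any particular number it prints, is that the "72% likelihood of a significant reduction" style of claim is a tail statistic of the reduction distribution, and that the ROI figure depends entirely on the assumed training effect and the baseline loss; with the placeholder distributions above the median reduction is dominated by productivity loss, and the breach term is what produces the long tail. Swapping in your own organization's click rates, response costs and breach data is the whole exercise.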
What this means for infosec professionals:
- Get buy-in for a security awareness and training program by showing the potential annual return on investment
- See the likelihoods and financial implications of end-user risk, and the reductions in risk that can be achieved with our solutions for security awareness and training