Quantifying the Risk of a Phishing Attack

Aberdeen’s Monte Carlo analysis quantifies the risk of a phishing attack, in the language of risk that business decision-makers know and understand.

By Helping Your Users Know Better – They Actually Do Better

In a previous study, Aberdeen’s Monte Carlo analysis quantified the positive impact of helping an organisation’s users change their computing behaviours, by making investments in user awareness and training. Specifically, such investments were found to reduce security-related risks associated with user behaviours by 60%.

The CEO Wants to Know: What’s the Risk of a Phish?

If a C-level executive or board member want to know the risk of a phish it is easy to find credible information about phishing attacks, such as:

• What they are
• How they work, in technical detail
• What resources they target
• Who is executing them, and why
• How executing them is becoming even easier
• Examples of organisation that have been affected
• Statistics and technical information about the latest trends

However, this information tells business decision-makers nothing about the risk of an attack – which must be described in terms of likelihood and business impact.

Quantifying the Risk: Not as Difficult as You May Think

The first half of understanding the risk of a phishing attack is to estimate the likelihood that one may occur. As an estimate, the Wombat Security Technologies 2016 State of the Phish (SOTP) report found that 85% of organisations experienced at least one phishing attack. In addition the Wombat 2016 SOTP reported the click rates – i.e. the percentage of users that fell victim to phishing attacks, as summarised in Table 1

Factoring the Business Impact of a Phish

The second half of understanding the risk of a phishing attack is to estimate the business impact if one actually does occur.

In the Wombat 2016 SOTP, three factors were identified as the sources of the greatest business impact that results from phishing attacks:

• The cost of stolen information
• The lost productivity of users
• The cost of damaged reputation

Aberdeen has updated its Monte Carlo analysis from The Last Mile in IT Security: Changing User Behaviors to model the cost of lost user productivity based on the following simple estimates, for a given number of users:

• The percentage of users clicking on a phish
• The percentage of phishing attacks requiring responses, remediation and recovery
• The number of hours required to respond, remediate and recover
• The fully loaded cost per user per year
• The percentage of user productivity truly lost

Doing the Math, Using Monte Carlo Analysis

To quantify the risk of a phish, Aberdeen created a simple Monte Carlo model based on the handful of variables described above. In the calculations of likelihood and business impact, each variable is represented by a range and probability distribution that reflects the best available information about the problem at hand.

In a Monte Carlo model, the calculations are then done based on a randomly selected value from the probability distribution for each variable, over many independent iterations. The model provides security professionals with exactly what they need to answer the fundamental question about the risk of a phish.

Quantifying the Risk of a Phishing Attack

For example, in the private sector for an organisation with 10,000 users:

• The median cost of a single phishing attack is about $136,000 based on a data breach of 100,000 to 1,000,000 records
• Over a 12-month period there is a 90% likelihood that a single phishing attack will cost more than $8,000
• Over a 12-month period there is a 10% likelihood that a single phishing attack will cost more than $544,000

In Figure 1 below the same information is presented visually, in two different but consistent ways.

Additional Insights about the Risk of a Phishing Attack, by Industry and Size of an Organisation

Aberdeen’s Monte Carlo model has been implemented using standard functionality of Microsoft Excel and includes simple drop-down menus for industry, number of employees, and number of records. The risk of a phish in the private sector is summarised in Figure 2 below.

Summary and Key Takeaways

• Aberdeen’s Monte Carlo analysis quantified the positive impact of helping an organisation’s users make their computing behaviours more secure by investing in user awareness and training.
• Specifically, such investments were found to reduce security-related risks associated with user behaviours by 60%.
• Risk must always be described in terms of the likelihood that it may occur and the business impact if it does occur.
• On the likelihood side of the risk equation the Wombat Security Technologies 2016 State of the Phish (SOTP) report found that 85% of organisations experienced at least one phishing attack. In addition the Wombat 2016 SOTP reported the click rates – i.e. the percentage of users that fell victim to phishing attacks.
• On the business impact side of the risk equation the Wombat Security Technologies 2016 State of the Phish (SOTP) report identifies three sources of the greatest business impact that results from phishing attacks:
• The cost of stolen information
• The lost productivity of users
• The cost of damaged reputation
• To quantify the risk of a phish, Aberdeen created a simple Monte Carlo model, which leverages the results of previous research in these areas.
• What’s the risk of a phish? In the private sector, for an organisation with 10,000 users:
• The median cost of a single phishing attack is about $136,000 based on a data breach of 100,000 to 1,000,000 records
• Over a 12-month period there is a 90% likelihood that a single phishing attack will cost more than $8,000
• Over a 12-month period there is a 10% likelihood that a single phishing attack will cost more than $544,000
• A snapshot of the analysis for the risk of a phish for each industry is also available from aberdeen.com.

AFTERWORD

Aberdeen Group has been an international research partner of Nebula since 2010.  With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.

Besides Nebula’s insight and research services, we also provide services to help large enterprises assess, optimise and manage their enterprise ICT environments.

Should you be interested in finding out more about Nebula’s services or discussing this research, please send us an email indicating your requirements to ContactUs@nebula.co.za