In a recent report, Aberdeen’s Monte Carlo model extends its previous analysis of the risk of a single phishing attack, and quantifies the annualised risk of phishing attacks for 10 different industries. It also quantifies the value of investing in security awareness training.
There are four basic questions about risk that information security professionals should be capable of addressing:
- What is the risk of (fill in the blank, with some particular vulnerability or exploit – in this case, the risk of a phishing attack)?
- What is the annualised risk of (fill in the blank – in this case, phishing attacks), in the context of a given organisation?
- How does an incremental investment in (fill in the blank, with some particular solution – in this case security awareness training) quantifiably reduce that risk?
- How does an investment in (fill in the blank, with some particular solution) compare with an investment in (fill in the blank with an alternative) with respect to reducing that risk?
Recap: Quantifying the Risk of a Single Phishing Attack
In Quantifying the Risk of a Phishing Attack, Aberdeen used selected findings from the Wombat Security Technologies 2016 State of the Phish (SOTP) report as the basis for modelling the likelihood that a phishing attack will be attempted on an organisation, and the likelihood that it will succeed.
With regard to the business impact of phishing attacks, the Wombat 2016 SOTP identified the cost of stolen information (i.e. as a result of a data breach) and the lost productivity of users as having the greatest effect on businesses.
Putting It All Together: The Risk of a Single Phishing Attack
- The median cost of a single phishing attack is about $136,000, based on a data breach of 100,000 to 1,000,000 records
- Over a 12-month period there is a 90% likelihood that a single phishing attack will cost more than $8,000
- Over a 12-month period there is a 10% likelihood that a single phishing attack will cost more than $544,000
Extending the Analysis: The Annualised Risk of Phishing Attacks
Quantifying the annualised risk of phishing attacks requires an estimate for one additional variable: given that an organisation experiences at least one phishing attack over a 12-month period, what is the total number of attacks per year?
Aberdeen has extended its Monte Carlo model using a probability distribution for this additional variable with a lower bound of one (phishing attack yearly), an upper bound of 365 (phishing attacks daily) and a median value of 12 (phishing attacks occurring monthly). See Figure 1 below:
The Updated Result: The Annualised Risk of Phishing Attacks
For the private sector as a whole the annualised risk is as follows:
- The median annual business impact of phishing attacks under the status quo is just under $1,000,000, based on the lost productivity of 10,000 users and a data breach of 100,000 to 1,000,000 records
- Over a 12-month period, there is a 90% likelihood that phishing attacks will cost more than $0 and a 10% likelihood that phishing attacks will cost more than $38,000,000
Taking the Next Step: Quantifying the Value of Security Awareness Training in Reducing the Risk of Phishing Attacks
The second natural extension to Aberdeen’s model is to quantify the value of security awareness training. This requires estimates for two additional variables:
- The reduction in click rates as a result of training
- The annual cost per user for security awareness training
The Updated Result: Quantifying the Value of Security Awareness Training in Reducing the Annualised Risk of Phishing Attacks
Aberdeen’s Monte Carlo model quantifies the value of investing in security awareness training to reduce the annualised risk of phishing attacks (for the private sector as a whole):
- A median reduction in risk of about 50%
- About 0 times median annual return on investment
- A reduction in the “long tail” of risk from phishing attacks of more than 5 times
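The two extensions described above (an annual attack count driving a sum of per-attack costs, then the same simulation re-run with a lower click rate to value training) as an added Monte Carlo example in Python; this is not Aberdeen's model or code. The per-attack cost is fitted to the page's P10/P90 figures and the attack count uses the page's 1/12/365 bounds and median; the lognormal shapes, the 15% baseline click rate, the 50% training reduction and the $10 per-user training cost are assumptions.

```python
import math
import random
# Per-attack cost: lognormal fitted to the page's single-attack P10 ($8,000)
# and P90 ($544,000). The lognormal family itself is an assumption.
COST_P10, COST_P90 = 8_000.0, 544_000.0
Z90 = 1.2816  # standard-normal 90th percentile
MU = (math.log(COST_P10) + math.log(COST_P90)) / 2
SIGMA = (math.log(COST_P90) - MU) / Z90
# Attacks per year: median 12, bounded to [1, 365] as the page states;
# the lognormal spread (sigma=1) around that median is an assumption.
ATTACKS_MEDIAN, ATTACKS_MIN, ATTACKS_MAX = 12, 1, 365

def draw_attacks_per_year(rng):
    while True:  # rejection-sample an integer count inside the page's bounds
        n = round(math.exp(rng.gauss(math.log(ATTACKS_MEDIAN), 1.0)))
        if ATTACKS_MIN <= n <= ATTACKS_MAX:
            return n

def simulate_annual_loss(rng, click_rate, trials):
    """One trial = one year: each attempted attack succeeds with probability
    click_rate and then incurs a cost drawn from the per-attack lognormal."""
    losses = []
    for _ in range(trials):
        total = 0.0
        for _ in range(draw_attacks_per_year(rng)):
            if rng.random() < click_rate:
                total += math.exp(rng.gauss(MU, SIGMA))
        losses.append(total)
    return sorted(losses)

def percentile(sorted_vals, p):
    return sorted_vals[min(len(sorted_vals) - 1, int(p * len(sorted_vals)))]

def compare_training(baseline_click, click_reduction, users, cost_per_user,
                     trials=5000, seed=1):
    """Annual loss with/without training, the median risk reduction, and the
    median ROI of the training spend (users * cost_per_user)."""
    rng = random.Random(seed)
    before = simulate_annual_loss(rng, baseline_click, trials)
    after = simulate_annual_loss(rng, baseline_click * (1 - click_reduction), trials)
    spend = users * cost_per_user
    med_b, med_a = percentile(before, 0.5), percentile(after, 0.5)
    return {"median_before": med_b, "median_after": med_a,
            "p90_before": percentile(before, 0.9), "p90_after": percentile(after, 0.9),
            "risk_reduction": 1 - med_a / med_b if med_b else 0.0,
            "median_roi": (med_b - med_a - spend) / spend}

if __name__ == "__main__":
    # Constructed inputs: 15% click rate, halved by training, 10,000 users at $10
    print(compare_training(0.15, 0.5, 10_000, 10.0))
```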
The role of the information security professional is to identify and assess risks properly – in terms of likelihood and business impact – and to communicate effectively about these risks with the business decision-makers they are trying to advise.
Aberdeen Group has been an international research partner of Nebula since 2010. With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.
Besides Nebula’s insight and research services, we also provide services to help large enterprises assess, optimise and manage their enterprise ICT environments.
Should you be interested in finding out more about Nebula’s services or discussing this research, please send us an email indicating your requirements to ContactUs@nebula.co.za