Return on investment
Return On Investment (ROI)
ROI (return on investment) is the bedrock of most organisations.
How much are we spending? How much are we earning? Where can we maximise production, cut costs, and increase profits?
It's a theme that is implicit, if not explicit, in almost every meeting that takes place in an organisation.
Reducing risk and where to start.
It is widely accepted within the infosec community that as much over 90% of successful cyber breaches started with a phishing attack, so it makes sense both rationally and financially to start mitigating that threat as a priority.
Increasing the awareness and, thus, reducing the propensity of your colleagues to click and open potentially malicious emails, is likely to be the most cost-effective data and information security protection measure you can take.
It is almost impossible to eliminate risk, we can only reduce it. Being secure means you have an acceptable level of risk relative to the threats you are facing. This SANS “bell curve” diagram shows the optimum budget sweet-spot in security awareness training.
Visualising ROI
The X axis represents the amount of effort you put in securing end users. The more time, resources and effort you invest the more security aware they are. On the far left is where most employees are today, totally unaware and insecure. This is not because they are stupid, this is because no one has taken the time to train them. On the far right is the security community, highly trained and aware. The Y axis measures your organization's return on investment. There is a sweet spot where you get the greatest return. Invest too little effort and your employees are still low hanging fruit (where most organisations are today). Invest too much and you are entering overkill. For some reason some people expect security awareness programs to turn end users into security experts. This is ridiculous. The goal is 'good enough'. The challenge with security awareness is determining what that 'good enough' is, where you get the greatest ROI. That is different for every organisation.
Security Awareness Blog, SANS.org
As mentioned at the beginning, the most important statistic that organisations, and especially IT departments, need to keep in mind is that phishing attacks cause as over 90% of security breaches. Prevent the breaches associated with email phishing campaigns, and you have a clear measure of value for money.
Following that principle the most effective thing, from a cyber-security and ROI perspective, that a company can do is invest in systems that can prevent and mitigate such attacks.
As most of the malware threats in phishing scam messages are in attachments or links to malicious and data-capturing spoof web site, it stands to reason that raising awareness and training your colleagues in spotting these would be one of the best places to start.
Malware is often spread via embedded code or in an email attachment which activates itself when the attachment is opened, and data is often leaked or stolen by the use of malicious and spoofed web sites.
Mindful of these common and effective approaches, the skill and awareness of your colleagues could make the difference between your organisation’s financial, commercial or personally sensitive data being stolen, your infrastructure being hacked or your systems disrupted.
All those compromises come with a high-price in terms of legal, reputational and financial loss. With the advent of new legislation such a the GDPR, these concerns are now even greater.
Definition of ROI
"Return on Investment (ROI) is a performance measure used to evaluate the efficiency of an investment"
In cyber data and information security, this is not measured as a concrete gain, but as a reduction in risk. The ROI for Security Awareness Training (SAT) can be broken down in three main components, which you can use all together or independently depending on your current requirements:
Do It Yourself (DIY)
How many man-hours are/would be needed to do Security Awareness Training in-house? Do you have the existing skill-set, the time and the budget. If, like most IT teams, you're already time-poor dealing with existing mundane tasks you simply won't have time to research, develop and deploy your own solution.
Loss of Productivity & Revenue
Employee downtime and IT staff man-hours to clense workstations and/or restoring from backups in case of data theft/Loss or ransomware encryption, and website e-commerce downtime caused by a security incident. Revenue loss per minute, per hour, or per day can be significant.
Loss of Reputation
How would your CEO feel reading about a data breach on the front page of their morning newspaper? Just think about the direct and indirect cost of having to deal with a security incident: customers, suppliers, and stakeholders. Difficult to quantify but significant.