By George Finney, J.D.
Thu | Aug 27, 2015 | 1:08 AM PDT

The Cost of Phishing and Value of Employee Training, a new independent study conducted by the Ponemon Institute and sponsored by Wombat Security, found that an average-sized organization can expect a 50x one-year rate of return on Wombat's anti-phishing awareness and training programs.

Ponemon's study focused on the financial impact of successful real-world phishing attacks and compared that to the potential cost reductions from a multi-faceted employee awareness and education program, one that combines assessments with interactive education and is delivered regularly throughout the calendar year.

A look at the parameters

Ponemon surveyed 377 IT and IT security practitioners throughout the U.S. in an effort to establish the costs related to phishing. Headcounts in the participating organizations ranged from fewer than 100 to more than 75,000, with the largest segment of respondents (39%) belonging to an organization with 1,000 or more email users. For this study, Ponemon defined an "average-sized organization" as one with "a headcount of 9,552 individuals with user access to corporate email systems."

In calculating the potential losses to organizations whose employees fall victim to successful phishing attacks, Ponemon included costs related to the following factors:

  • Malware containment, including hours associated with six discrete organizational tasks: planning, capturing intelligence, evaluating intelligence, investigating, cleaning/fixing, and documenting
  • Malware not contained at the device level and subsequently weaponized for attack
  • Lost productivity, including hours spent by employees in viewing and possibly responding to phishing emails
  • Technical efforts—including investigation and response times—associated with containing credential compromises such as theft of cryptographic keys and certificates
  • Uncontained credential compromises that subsequently result in losses related to data exfiltration and disruptions to IT and business processes

Key findings: The cost of phishing

In considering all the financial factors associated with phishing attacks, Ponemon calculated that average-sized organizations are likely to face total annual costs of $3.77 million (USD) from phishing attacks.

In what may come as a surprise to CISOs and CSOs, Ponemon found that most of the financial impact of phishing (48%) comes from lost employee productivity. This $1.8 million hit is nearly twice the next largest item, the cost of uncontained credential compromises (27%/$1 million), and almost an order of magnitude greater than the cost of malware containment (6%/$208,000).

Key findings: The value of training

With regard to using security awareness and training as a tool to combat the financial impact of phishing, some CISOs and CSOs might again be surprised by Ponemon's findings on ROI and by Wombat Security's approach to anti-phishing education.

Ponemon used proof-of-concept studies completed for six separate organizations as the basis for its analysis. During the proof-of-concept periods, the organizations used simulated phishing attacks to measure their vulnerability and interactive training modules to teach employees the hallmarks and dangers of malicious email messages. Click rates measured in mock attacks before and after training improved by an average of 64% across the six organizations.

According to the study, well-documented research has shown that the average retention rate of practical training is 75%; applying that figure to the six organizations (64% x 75%), Ponemon estimated the long-term improvement from Wombat's anti-phishing training to be 48%.

How does that tie to ROI? Ponemon explains:

  • Remember that the total yearly cost of phishing was calculated at $3.77 million. A 48% overall improvement in employees' handling of phishing attacks translates into a yearly cost savings of $1.80 million.
  • Using the 9,552 average headcount, cost savings are $189.40 per employee/user per year.
  • Against Wombat's fee of $3.69 per user (standard for programs with up to 10,000 users), Ponemon calculated a net benefit of $185.70 per user, a 50x rate of return on a one-year investment.

What it means for you

Wombat concedes that the ROI will vary somewhat depending on how you roll out your program, including how much time employees spend on education. Even so, they say, regardless of how each organization rolled out its Wombat anti-phishing training, every proof of concept in the report showed a positive ROI, with the lowest rate of return coming in at 7x (not too shabby). Security practitioners rarely expect this kind of return from security technology defenses, so a 50x ROI from security education may surprise many organizations.
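To see how the study's ROI chain fits together, and how sensitive it is to the rollout factors mentioned above, here is an added example that reproduces the arithmetic and extends it with a break-even calculation. It is not code from Ponemon or Wombat; it assumes the linear model implied by the study's own steps (savings proportional to the lasting improvement in click rate) and uses the article's published figures as inputs. The `improvement_for_multiple` helper is an addition of this example, not a figure from the report.

```python
"""Reproduce the Ponemon/Wombat phishing-training ROI chain and its break-even point.

Added example; the model (linear savings in the lasting improvement) is
inferred from the article's arithmetic, not taken from the report's text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishingRoi:
    annual_cost: float              # total yearly cost of phishing (study: $3.77M)
    headcount: int                  # users with corporate email (study: 9,552)
    fee_per_user: float             # training fee per user per year (study: $3.69)
    click_rate_improvement: float   # pre- vs post-training click-rate improvement (study: 0.64)
    retention: float = 0.75         # retention rate of practical training (study: 0.75)

    def long_term_improvement(self) -> float:
        """Lasting improvement after discounting for retention (study: 0.64 * 0.75 = 0.48)."""
        return self.click_rate_improvement * self.retention

    def cost_per_user(self) -> float:
        """Yearly phishing cost attributable to each email user."""
        return self.annual_cost / self.headcount

    def savings_per_user(self) -> float:
        """Yearly savings per user, assuming savings scale linearly with improvement."""
        return self.cost_per_user() * self.long_term_improvement()

    def net_benefit_per_user(self) -> float:
        return self.savings_per_user() - self.fee_per_user

    def roi_multiple(self) -> float:
        """Net benefit expressed as a multiple of the fee (study: roughly 50x)."""
        return self.net_benefit_per_user() / self.fee_per_user

    def breakeven_improvement(self) -> float:
        """Smallest lasting improvement at which the program pays for itself."""
        return self.fee_per_user / self.cost_per_user()

    def improvement_for_multiple(self, multiple: float) -> float:
        """Lasting improvement needed to reach a given ROI multiple (added helper).

        Inverts net_benefit = cost_per_user * improvement - fee = multiple * fee.
        """
        return (multiple + 1) * self.fee_per_user / self.cost_per_user()


# Inputs taken from the article's summary of the study.
STUDY = PhishingRoi(
    annual_cost=3_770_000,
    headcount=9_552,
    fee_per_user=3.69,
    click_rate_improvement=0.64,
)


def sensitivity(roi: PhishingRoi, improvements) -> dict:
    """ROI multiple for a range of lasting improvements, e.g. a weaker rollout."""
    return {
        imp: PhishingRoi(roi.annual_cost, roi.headcount, roi.fee_per_user, imp, 1.0).roi_multiple()
        for imp in improvements
    }


if __name__ == "__main__":
    print(f"lasting improvement: {STUDY.long_term_improvement():.0%}")
    print(f"savings per user:    ${STUDY.savings_per_user():.2f}")
    print(f"net benefit per user: ${STUDY.net_benefit_per_user():.2f}")
    print(f"ROI multiple:        {STUDY.roi_multiple():.1f}x")
    print(f"break-even improvement: {STUDY.breakeven_improvement():.2%}")
    print(f"improvement needed for 7x: {STUDY.improvement_for_multiple(7):.1%}")
    for imp, mult in sensitivity(STUDY, [0.05, 0.10, 0.25, 0.48]).items():
        print(f"  lasting improvement {imp:.0%} -> {mult:.1f}x")
```

Because the fee is small relative to the per-user cost of phishing (about $395 per user per year in the study), the break-even point is under a 1% lasting improvement, and even the report's weakest result (7x) corresponds to a lasting improvement of only about 7.5%. Substitute your own incident costs, headcount and vendor pricing to see where your program would land.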

To explore the Ponemon study in depth, download a copy from the Wombat Security website. You can also hear Dr. Larry Ponemon, founder of the Ponemon Institute, and Wombat President and CEO Joe Ferrara discuss the phishing threat and the benefits of education in the replay of the SecureWorld web conference, Security Awareness and Training on Steroids.