Information security is a complex topic, and people who make their living in this space have their hands full keeping up with the rapidly changing landscape of threats, vulnerabilities, exploits, and technologies.

Even so, I would suggest that there are just four basic questions about risk that all information security professionals should be capable of addressing, in their dual roles as subject matter experts and trusted advisors to the business decision-makers. Yes, you need to keep up with the technical details, but the purpose for doing this is so you can help your organization make better-informed business decisions.

Being able to address these four basic questions about risk will help you to do that. Here they are, using phishing attacks as a specific example:

  • What is the risk of a single phishing attack?
  • What is the annualized risk of phishing attacks, in the context of a particular organization?
  • How does an incremental investment in a specific capability — such as security awareness training — quantifiably reduce that risk?
  • When more than one incremental investment to address the risk of phishing attacks is being considered, how does the value of one compare to that of the other?

It wouldn’t be fair for me to raise these questions, and not provide an example for how to address them. Many of us have heard the exasperation of the business decision-makers loudly and clearly, when they say things like, “Don’t just bring me problems – bring me solutions!”

So here we go:

  • For the private sector as a whole, based on the lost productivity of 10K users and a data breach of 100K to 1M records, Aberdeen’s simple Monte Carlo analysis estimates the median cost of a single phishing attack as about $136K, with an 80% confidence interval of $8K to $544K.
  • In a straightforward extension to this analysis, Aberdeen’s Monte Carlo model estimates the median annual business impact of phishing attacks in this scenario as just under $1M, with an 80% confidence interval of $0 to a “long tail” of $38M.
  • In a second straightforward extension to this analysis, Aberdeen’s Monte Carlo model quantifies the value of security awareness training for reducing the annualized risk of phishing attacks: a median reduction in risk of about 50%; a median annual return on investment of about 5 times; and a reduction in the “long tail” of risk from phishing attacks of more than 2.5 times.

As always, the role of the information security professional is to identify and assess risks properly — in terms of both likelihood, and business impact — and to communicate effectively about these risks with the business decision-makers they are trying to advise. We advise and recommend; they decide.

Aberdeen’s Monte Carlo models have been implemented using standard functionality of Microsoft Excel, and include simple drop-down menus to enable personalization by industry, number of employees, and number of records. A snapshot of Aberdeen’s analysis for each of 10 industries is also available in a series of industry-specific Knowledge Briefs and Smart Bites.

For additional information about how to address these fundamental questions, read the full report!