Quick! Suppose that the C-level executives or board members in your organization ask you to answer the following question: What is our risk from a phishing attack?

A question like this really shouldn’t come as a surprise. After all, in their dual roles as subject matter experts and trusted advisors, there are two fundamental questions that every modern information security professional should be expected to answer, day in and day out:

  • What is the risk of [fill in the blank – e.g., with “a phishing attack”]?
  • How does an investment in [fill in the blank – e.g., with “user awareness and training” or some other countermeasure or control] quantifiably reduce that risk?

With respect to phishing attacks, it’s not very difficult to find credible sources of interesting and relevant information, such as:

  • What they are
  • How they work, in significant technical detail
  • What resources they target
  • Who is executing them, and why
  • How executing them is becoming even easier
  • Examples of organizations that have been affected
  • Detailed statistics and technical information about the latest trends

The problem is that the question being asked is not about the “who, what, where, when, why, and how” — it’s about the “how likely?” and the “so what?”

On the likelihood side of the risk equation, the Wombat Security Technologies 2016 State of the Phish report found that 85% of organizations experienced at least one phishing attack. It also reported the click rates — that is, the percentage of users who fell victim to phishing attacks — for 10 different industry segments, which range from 8% to 24%.

On the business impact side of the risk equation, the Wombat Security report also identified three factors as the sources of the greatest business impact that results from phishing attacks:

  • The cost of stolen information (i.e., as a result of a data breach)
  • The lost productivity of users (e.g., as a result of the time to respond, remediate, and recover from phishing-based malware infections or account compromises)
  • The cost of damaged reputation (e.g., from negative publicity that results from the public disclosure of the organization falling victim to a phishing attack)

Using simple estimates informed by these findings, Aberdeen Group’s Monte Carlo analysis models the risk of a phishing attack in the private sector (across all industries), for an organization with 10,000 users, as follows:

  • The median cost of a single phishing attack is about $136,000, based on a data breach of 100,000 to 1,000,000 records
  • Over a 12-month period, there’s a 90% likelihood that a single phishing attack will cost more than $8,000
  • Over a 12-month period, there’s a 10% likelihood that a single phishing attack will cost more than $544,000

The same information is presented visually, in two different but consistent ways, in the following graphic:
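
To make the approach concrete, here is a small Monte Carlo model of the kind described above. It is an added example, not Aberdeen Group’s model or code: the 85% attack likelihood, the 8% to 24% click rates, the 10,000 users and the 100,000 to 1,000,000 record breach size come from the article, while the per-record cost, remediation hours, hourly rate, breach probability and reputation loss are constructed assumptions, and attack arrivals are modeled as a Poisson process calibrated so that 85% of years see at least one attack.

```python
import math
import random

# Values the article gives: 85% of organizations see at least one phishing
# attack per year, click rates of 8% to 24%, and breaches of 100,000 to
# 1,000,000 records for a 10,000-user organization. Every other parameter
# below is a constructed assumption for this example, not the report's model.
P_ANY_ATTACK = 0.85                            # article
CLICK_LO, CLICK_HI = 0.08, 0.24                # article
USERS = 10_000                                 # article
RECORDS_LO, RECORDS_HI = 100_000, 1_000_000    # article
P_BREACH = 0.05                                # assumed: attacks that escalate to a breach
COST_PER_RECORD = (0.10, 1.00)                 # assumed USD per stolen record
HOURS_LOST = (0.5, 4.0)                        # assumed hours to remediate each victim
HOURLY_RATE = 40.0                             # assumed fully loaded cost per user hour
REPUTATION = (0.0, 250_000.0)                  # assumed USD, only when a breach occurs

def attack_cost(rng: random.Random) -> float:
    """Cost of one phishing attack, built from the article's three impact factors."""
    victims = rng.uniform(CLICK_LO, CLICK_HI) * USERS
    productivity = victims * rng.uniform(*HOURS_LOST) * HOURLY_RATE
    if rng.random() >= P_BREACH:
        return productivity                    # no data breach this time
    stolen = rng.uniform(RECORDS_LO, RECORDS_HI) * rng.uniform(*COST_PER_RECORD)
    return productivity + stolen + rng.uniform(*REPUTATION)

def annual_cost(rng: random.Random) -> float:
    """Cost over 12 months; attacks arrive Poisson with P(at least one) = P_ANY_ATTACK."""
    rate = -math.log(1.0 - P_ANY_ATTACK)       # chosen so P(0 attacks) = 0.15
    attacks, threshold, p = 0, math.exp(-rate), 1.0   # Knuth's Poisson sampler
    while True:
        p *= rng.random()
        if p < threshold:
            break
        attacks += 1
    return sum(attack_cost(rng) for _ in range(attacks))

def percentile(samples, q):
    """Value that fraction q of the samples lie at or below."""
    s = sorted(samples)
    return s[min(int(q * len(s)), len(s) - 1)]

def risk_summary(trials=20_000, seed=7):
    """Summarise the simulated years the way the article reports its results."""
    rng = random.Random(seed)
    yearly = [annual_cost(rng) for _ in range(trials)]
    return {"p_any_loss": sum(x > 0 for x in yearly) / trials,
            "median": percentile(yearly, 0.5),
            "exceeded_with_90pct_chance": percentile(yearly, 0.10),
            "exceeded_with_10pct_chance": percentile(yearly, 0.90)}
```

Because 15% of simulated years contain no attack at all, the value exceeded with 90% likelihood comes out as zero under these assumptions; swapping in your own cost estimates changes the numbers but not the shape of the answer.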


Why is this approach a much better way to answer the question that you were asked?

First, it expresses the risk of a phishing attack properly, in terms of:

  • Both likelihood and business impact
  • The inherent uncertainties

Second, it speaks to the business decision-makers in the language of risk that they already understand, as opposed to using low-level technical details of threats, vulnerabilities, exploits, and technologies that are too often ineffective.

To learn more about how to do this – it isn’t as hard as you may think – I encourage you to read the full report.