Security awareness is, and will remain, a critical part of any security programme. But are companies making the wisest investment of time and money in this area? Legal and professional services firms could be losing thousands of pounds in billable revenue opportunities as their staff do ineffective training…
We know that technical security defences can never promise to be 100% effective, whilst threats continue to evolve and often target the human user. People really are the last line of defence – and they need to be ‘security aware’.
Our concern is that current approaches to delivering this awareness simply aren’t as effective as they need to be. A study by the ISF, quoted by Ciaran Martin, Chief Executive of the NCSC, found that only 15% of users who receive traditional training actually change their behaviour. Other recent research has shown that only 20% of organisations have any security awareness training at all. There are likely many reasons for this, but among them are the cost of training and the distraction from day-to-day work that it is perceived to cause.
Whilst many security professionals eat, live and breathe all things security, it is not the primary task for the vast majority of staff in most organisations. Indeed, in many businesses, staff time is money, and any time spent training, no matter how important that training is, has a direct cost.
Let’s, therefore, consider the question: how effective do we need security awareness to be for it to provide an acceptable return on investment – or, for the purposes of this blog, Return on Awareness (ROA)?
Starting with the investment:
Next, let’s look at the return:
Our firm has therefore spent £150k to save £15k (a net loss of £135k): hardly a great return, or ROA.
It’s clear that there are two ways to improve on this position: either reduce the impact training has on lost time or make the training itself more effective. But is this possible?
What if, rather than taking an hour away from billable work, short snippets of awareness were spread across a range of user interactions throughout the year – including being delivered at point of risk (i.e. as and when potentially insecure actions are underway). And what if this approach was more effective and therefore reduced the likelihood and annualised cost of incidents?
Let’s assume for a moment that training can be delivered with negligible impact on billable revenue, and that its effectiveness can be raised from 15% to 50%:
Our firm has now spent £25k to save £50k (a net gain of £25k): a much healthier return, and an overall ROA improvement of £160k compared to our first scenario.
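The two scenarios above follow one simple model: the investment is the billable time lost to training plus the cost of the programme itself, and the return is the share of the annualised incident cost that is avoided, taken as proportional to the fraction of users who change their behaviour. The short Python model below is an added example, not code from the original post or from ThinkCyber. It reproduces both scenarios and also answers the question posed earlier, namely what level of effectiveness is needed just to break even. Two inputs are assumptions: the £100k annualised incident cost is inferred from the page’s figures (£15k saved at 15%, £50k saved at 50%), and the split of the £150k investment into 500 staff losing one hour at £250 per billable hour plus £25k of programme cost is illustrative.

```python
"""Return on Awareness (ROA) model.

Added worked example, not code from the original post. Generalises the two
scenarios in the text:
  investment = billable time lost to training + programme cost
  return     = effectiveness x annualised incident cost
Assumptions (not stated on the page): the 100k annualised incident cost is
inferred from 15k saved at 15% and 50k saved at 50%; the 500 staff / 250 GBP
per hour / 25k programme cost split of the 150k investment is illustrative.
"""
from dataclasses import dataclass


@dataclass
class AwarenessScenario:
    staff: int
    billable_rate_gbp: float          # revenue per person per hour
    training_hours: float             # billable hours lost per person per year
    programme_cost_gbp: float         # licences, content, administration
    effectiveness: float              # fraction of users who change behaviour (0..1)
    annual_incident_cost_gbp: float   # expected yearly cost of user-caused incidents

    def investment(self) -> float:
        """Lost billing plus the cost of running the programme."""
        lost_billing = self.staff * self.billable_rate_gbp * self.training_hours
        return lost_billing + self.programme_cost_gbp

    def avoided_loss(self) -> float:
        """Incident cost avoided, proportional to the behaviour-change rate."""
        return self.effectiveness * self.annual_incident_cost_gbp

    def net_roa(self) -> float:
        """Return on Awareness: positive means the programme pays for itself."""
        return self.avoided_loss() - self.investment()

    def break_even_effectiveness(self) -> float:
        """Behaviour-change rate at which return equals investment.

        A value above 1.0 means no achievable effectiveness can recover the
        investment, i.e. the training is too expensive however good it is.
        """
        return self.investment() / self.annual_incident_cost_gbp


# Scenario 1: one hour of classroom-style training, 15% of users change behaviour.
traditional = AwarenessScenario(
    staff=500, billable_rate_gbp=250.0, training_hours=1.0,
    programme_cost_gbp=25_000.0, effectiveness=0.15,
    annual_incident_cost_gbp=100_000.0,
)

# Scenario 2: point-of-risk nudges with negligible lost billing, 50% effective.
nudged = AwarenessScenario(
    staff=500, billable_rate_gbp=250.0, training_hours=0.0,
    programme_cost_gbp=25_000.0, effectiveness=0.50,
    annual_incident_cost_gbp=100_000.0,
)


def summarise(s: AwarenessScenario) -> dict:
    """Round the headline figures for reporting."""
    return {
        "investment": round(s.investment()),
        "avoided_loss": round(s.avoided_loss()),
        "net_roa": round(s.net_roa()),
        "break_even_effectiveness": round(s.break_even_effectiveness(), 2),
    }


if __name__ == "__main__":
    for name, scenario in (("traditional", traditional), ("nudged", nudged)):
        print(name, summarise(scenario))
```

Under these assumptions the traditional scenario would need a behaviour-change rate of 150% to break even, which no training can deliver; the nudged scenario breaks even at 25%, so even a modest improvement over the 15% baseline is enough once the lost billing is removed.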
But how can we possibly justify this ‘do less, gain more’ outcome? To get a sense of why this is possible, consider just two examples of the many aspects of behavioural and learning science that can be employed:
So, what are we trying to achieve through security awareness? We’ve noted before that we shouldn’t be trying to turn our users into security experts. Our ideal is to deliver the right content, to the right people, at the right time. And the time is ‘at the point of risk’.
At ThinkCyber our focus is on delivering small, tweet-sized snippets of content at exactly the point when the user needs to be aware: real-time ‘nudges’ towards secure decisions when employees interact with a range of threat vectors such as emails, hyperlinks, USB devices, social media and so on.
Clearly the numbers above are based on averages and approximations, and training may, of course, be squeezed in out of hours, reducing the impact on billing although not on staff. But it is clear that by applying these enhanced techniques in place of ineffective training, we can save staff time, reduce the cost impact of security incidents and generate a positive Return on Awareness.
Original ROI image copyright ivelinradkov / 123RF Stock Photo