You're probably thinking security awareness training for employees is a no-brainer, that you shouldn't have to sell the idea up the ranks. However, with several other technology controls in place for securing your organization, you may be faced with a surprising "what's this...is this really necessary" when you slide that line item into next year's budget.
So you re-consider what you have budgeted and entertain a once-a-year, check-the-box option to satisfy compliance needs. But how much will your organization benefit from this status-quo approach?
Getting signoff for a security awareness training program that actually works can be much harder.
But it doesn’t have to be. With a little research and a few calculations, you can produce a business case for security awareness training that holds up even under purely financial scrutiny.
Look at the Downside
At the heart of it, security awareness training is a spend-to-save initiative. Everybody knows it’s going to cost money to develop and implement. To offset that cost, the program will hopefully reduce costs associated with incident response, breaches, and so on. In a perfect world, this cost reduction will more than make up for the initial and ongoing investment.
But there’s a problem. In many cases, it’s difficult for organizations to calculate how much poor security behaviors are currently costing them. They may know the total cost of incident response and breaches, but narrowing that down to specific causes can be tricky.
But fear not. Our phishing susceptibility calculator makes estimating the annual cost of phishing to your organization a simple task. Sure, there are other factors to consider, but phishing accounts for a huge proportion of user-caused breaches.
The calculator uses the size of your organization to estimate both incident response and breach costs, making the results far more usable than generic industry averages.
In order to make full use of the calculator, though, one more metric will be needed…
What are the Chances?
Once you know how much individual incidents cost, the next step is to estimate the number of incidents likely to take place each year. For that, you’ll need an idea of your current ‘susceptibility rate’ – The frequency with which your users fall for phishing scams.
But here’s the thing. Your program hasn’t started yet, so how can you reliably calculate susceptibility?
The easiest method is to assume your users are somewhere around the average. According to Verizon, 30 percent of phishing emails are opened, and 12 percent go on to click malicious links or attachments.
By those figures, an estimated susceptibility rate of 12 percent seems a logical place to start.
And now that you have both the costs of poor security behaviors and your susceptibility rate, using the calculator to produce an approximate annual cost is simple. Even better, calculating potential savings is just as easy.
First, make a note of your predicted annual costs at your existing susceptibility rate. Next, enter your target susceptibility rate into the calculator and subtract the newly calculated cost figure from the original figure.
That’s it. Easy, right?
But there’s one more thing to consider when producing your business case: Measurement.
Minimize (and Track) Failures
A big part of any business case is demonstrating an ability to measure and track results. Any business case that fails to do this will almost certainly fail, especially if it’s for a ‘non-essential’ program like security awareness training.
In reality, though, it’s not just about obtaining signoff. In our opinion, any security awareness training program that doesn’t include an element of tracking is inherently flawed. After all, how can you tell whether your program is effective if you have no objective way to measure success?
Thankfully, if you construct your program with measurement in mind, this aspect of your business case should be no problem. You simply need a way to track your users’ security behaviors before implementation, and periodically from then on.
Now of course there are dozens of ways to do this. You could design tests and track users’ scores, or even use real internal breach cost stats to track improvement. Our favorite method, though, is to test your users in precisely the way threat actors will.
Let’s use phishing as an example. In this case, you’re hoping your security awareness training program will reduce the number of times users’ click on malicious links. Now sure, you could wait and see how often you get breached as a result of poorly judged clicks, but that doesn’t seem an ideal solution.
Instead, you could create your own pseudo-phishing campaigns that look just like the real thing, but present no risk. Now you’re free to send and measure the effectiveness of these campaigns as often as you like, and over time you’ll see what impact your training program has on click rates. Clearly if there’s no change your program needs some work, but it’s far more likely that you’ll see distinct improvements.
Think Defense, Not Awareness
So far in this article we’ve neglected a hugely important point. Nobody actually cares about awareness… what they want is a change in user behaviors.
Just because the measures mandated by compliance frameworks are laughably inadequate, doesn’t mean we should all model our training programs on them. Yes, your users will need to acknowledge understanding of your security policy, and yes, you’ll need to deliver some form of training at least annually.
Beyond this, though, you should feel free to move as far away from the expected norm as possible. Rather than security awareness, we like to think of it as employee defense training – Training that helps users improve the security of their organization instead of endangering it.
This is gold when it comes to seeking signoff for investment. If you set out to develop a proactive security training program that includes a comprehensive tracking and reporting element, your business plan becomes exponentially stronger.
If you’d like to learn more about our approach to reducing risk through user training, we’d love to hear from you. Request a demonstration of our Employee Defense Training service today.