Wombat’s Anti-Phishing Education Delivers 50x ROI in New Ponemon Study
We often hear that the problem with security awareness and training is that it’s difficult to determine ROI. Well, the Ponemon Institute has gone and done the math for you, and the results are impressive to say the least. In its new independent study, The Cost of Phishing and Value of Employee Training, Ponemon has shown that an average-sized organization can expect a 50x one-year rate of return on Wombat Security’s anti-phishing awareness and training programs.
Turns out that you can generate millions in yearly savings for about the same amount it would cost you to buy each of your employees a mochaccino.
The study, which was sponsored by Wombat, focused on the financial implications of successful phishing attacks from the wild and compared that to the potential cost reductions associated with our Continuous Training Methodology, which combines assessments and interactive education and is delivered regularly throughout the calendar year.
A Look Behind the Curtain
To establish the costs related to phishing, Ponemon surveyed 377 IT and IT security practitioners throughout the United States. Headcounts in the participating organizations ranged from fewer than 100 to more than 75,000, with the largest segment of respondents (39%) belonging to an organization with 1,000 or more email users. Based on these numbers, the study defines an “average-sized organization” as one with “a headcount of 9,552 individuals with user access to corporate email systems.”
In calculating the potential losses to organizations whose employees fall victim to successful attacks, Ponemon included costs related to the following factors:
- Malware containment, including hours associated with six discrete organizational tasks: planning, capturing intelligence, evaluating intelligence, investigating, cleaning/fixing, and documenting
- Malware not contained at the device level and subsequently weaponized for attack
- Lost productivity, including hours spent by employees in viewing and possibly responding to phishing emails
- Technical efforts — including investigation and response times — associated with containing credential compromises such as theft of cryptographic keys and certificates
- Uncontained credential compromises that subsequently result in losses related to data exfiltration and disruptions to IT and business processes
Results: The Cost of Phishing
In extrapolating all the associated financial factors, Ponemon determined that average-sized organizations are likely to face total annual costs of $3.77 million (USD) from phishing attacks.
In what may come as a surprise to CISOs and CSOs, the study indicates that most of the financial impact (48%) felt from phishing scams is caused by lost employee productivity. This $1.8 million hit is nearly twice that of the next loss leader, the costs related to uncontained credential compromises (27%/$1 million), and — monetarily — almost an order of magnitude greater than the cost of malware containment (6%/$208,000).
Results: The Value of Training
CISOs and CSOs who have resisted using security awareness and training to combat the financial impact of malicious emails might again be surprised by Ponemon’s findings related to ROI and Wombat’s unique approach to anti-phishing education.
Six proof of concept studies completed for six separate organizations were used as the basis for Ponemon’s analysis of training effectiveness and its link to financial metrics. During the proof of concept periods, the organizations delivered components of our Anti-Phishing Training Suite: PhishGuru® simulated attacks were used to assess vulnerability levels, and interactive training modules provided follow-up education about the hallmarks and dangers associated with malicious messages.
Click-rate measurements taken during pre- and post-training mock attacks showed an average improvement of 64% for the six organizations. (The lowest level of improvement was 26%; the highest was 99%.)
According to the study, well-documented research has shown that the average retention rate of practical training is 75%; in applying that research to the six organizations, Ponemon estimated the long-term improvement from Wombat’s anti-phishing training to be 48%. (Though we agree that there is likely to be some loss of knowledge over time, we actually find this to be a conservative estimate as our continuous approach to security education helps to improve retention and diminish the rate of knowledge loss.)
But let’s finally get to it — how it all ties to ROI:
- Remember that the total yearly cost of phishing was calculated at $3.77 million. A 48% overall improvement in employees’ handling of phishing attacks translates into a yearly cost savings of $1.80 million.
- Using the 9,552 average headcount, cost savings are $189.40 per employee/user per year.
- Comparing Wombat’s fee of $3.69/user (standard for programs with up to 10,000 users), Ponemon calculated an impressive net benefit of $185.70 per user, for a 50x rate of return on a one-year investment.
More Math, More Proof of ROI
We concede that, depending on how you roll out your program, there could be a slightly different ROI based on a number of factors, including the time spent on education. Even so, regardless of how each organization rolled out our anti-phishing training, each proof of concept represented in the Ponemon report had a positive ROI, with the lowest rate of return coming in at 7x (with a math credit to CSO Online’s Maria Korolov).
Security practitioners will likely not expect this type of return for various types of security technology defenses, so it could surprise many organizations to see an average of 50x ROI from security awareness and training. Though it is interesting to imagine one mochaccino morphing into 50 mochaccinos, it’s much more satisfying to think of $4 turning into $200, isn’t it?
To explore the Ponemon study in depth, download your copy from our website. You can also hear Dr. Larry Ponemon, founder of the Ponemon Institute, and Wombat President and CEO Joe Ferrara discuss the phishing threat and benefits of education in the replay of the SecureWorld web conference, Security Awareness and Training on Steroids.