Security awareness is, and will remain, a critical part of any security programme. But are companies making the wisest investment of time and money in this area? Legal and professional services firms could be losing thousands of pounds in billable revenue opportunities as their staff do ineffective training…

Current approaches aren’t good enough

We know that technical security defences can never promise to be 100% effective, whilst threats continue to evolve and often target the human user. People really are the last line of defence – and they need to be ‘security aware’.

Our concern is that current approaches to delivering this awareness simply aren’t as effective as they need to be. An ISF study, quoted by Ciaran Martin, Chief Executive of the NCSC, found that only 15% of users who receive traditional training actually change their behaviour. Other recent research has shown that only 20% of organisations run security awareness training at all. There are likely many reasons for this, but among them are the perceived cost of awareness training and the distraction it causes from day-to-day work.

Whilst many security professionals eat, live and breathe all things security, it is not the primary task of the vast majority of people in most organisations. Indeed, in many businesses staff time is money, and any time spent training, however important that training is, has a direct cost.

Return on Awareness

Let’s, therefore, consider the question: how effective do we need security awareness to be for it to provide an acceptable return on investment – or, for the purposes of this blog, Return on Awareness (ROA)?

Starting with the investment:

  • Take a mid-size legal firm with 500 legal professionals and, say, 500 other staff.
  • First, assume purchase and administration costs for the security awareness training are £25k.
  • On top of this there is a significant cost in staff time. Average revenue per billable hour in the legal sector is £250, so one hour of training per year for the 500 legal professionals alone costs this firm £125k in lost billing, before counting the time of the other 500 staff.
  • This gives a total investment of £150k.

Next, let’s look at the return:

  • Drawing on data from the government’s Cyber Security Breaches Survey 2018, we can estimate the average annual cost of human-related security incidents to our medium-sized firm at around £100k.
  • We note that costs from data breaches, Business Email Compromise (BEC) or invoice fraud could be significantly higher than this, with the average BEC loss put at £50k and individual cases running to hundreds of thousands or millions of pounds. Further, depending on the type of breach, the reputational cost to a legal or professional services firm could be catastrophic.
  • If we assume that training effectiveness reduces the number of incidents, and therefore incident costs, in proportion, then 15% effectiveness reduces the £100k annual cost by £15k.

Our firm has therefore spent £150k to save £15k (a net loss of £135k): hardly a great return, or ROA.

Improving Return on Awareness: lowering impact and making it more effective

It’s clear that there are two ways to improve on this position: either reduce the impact training has on lost time or make the training itself more effective. But is this possible?

What if, rather than taking an hour away from billable work, short snippets of awareness were spread across a range of user interactions throughout the year – including being delivered at point of risk (i.e. as and when potentially insecure actions are underway). And what if this approach was more effective and therefore reduced the likelihood and annualised cost of incidents?

Let’s assume for a moment that training can be delivered with negligible impact on billable revenue, and that its effectiveness can be raised from 15% to 50%:

  • The investment remains £25k on training purchase and administration.
  • 50% effectiveness reduces the £100k annual incident costs by £50k.

Our firm has now spent £25k to save £50k (a net gain of £25k): a much healthier return, and a £160k improvement in ROA over our first scenario.
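To make the two scenarios above easy to re-run with a firm's own figures, here is a small Return on Awareness model. It is an added example written for this page, not ThinkCyber's tooling; the numbers are the post's, while the `Scenario` type, the function names and the break-even calculations are my own additions. Beyond reproducing the two scenarios, it answers the question the post opens with: the effectiveness a programme must reach to break even, and how much billable time per head a programme can afford to consume before its ROA turns negative.

```python
"""Return on Awareness (ROA) model for the worked scenarios in the post.

Added example (not ThinkCyber code). All monetary values are in pounds.
The incident-cost reduction is assumed to be proportional to training
effectiveness, exactly as the post assumes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    programme_cost: float        # purchase + administration of the training
    billable_staff: int          # staff whose lost time is lost billing
    billable_rate: float         # revenue per billable hour
    hours_lost_per_head: float   # billable hours consumed by training per year
    annual_incident_cost: float  # expected annual cost of human-related incidents
    effectiveness: float         # fraction of incident cost the training removes (0..1)


def investment(s: Scenario) -> float:
    """Programme cost plus the billing lost to training time."""
    return s.programme_cost + s.billable_staff * s.billable_rate * s.hours_lost_per_head


def saving(s: Scenario) -> float:
    """Incident cost avoided, assuming effectiveness scales cost proportionally."""
    return s.effectiveness * s.annual_incident_cost


def net_return(s: Scenario) -> float:
    """Return on Awareness: what the firm gains (or loses) in a year."""
    return saving(s) - investment(s)


def break_even_effectiveness(s: Scenario) -> float:
    """Effectiveness needed for saving == investment. A value above 1.0 means
    no level of effectiveness can pay back the investment."""
    return investment(s) / s.annual_incident_cost


def max_affordable_hours_per_head(s: Scenario) -> float:
    """Billable hours per head per year the training may consume before ROA
    turns negative, at the scenario's effectiveness. Negative means the
    programme cost alone already exceeds the saving."""
    return (saving(s) - s.programme_cost) / (s.billable_staff * s.billable_rate)


# The post's two scenarios (names are mine).
TRADITIONAL = Scenario(
    programme_cost=25_000, billable_staff=500, billable_rate=250,
    hours_lost_per_head=1.0, annual_incident_cost=100_000, effectiveness=0.15,
)
POINT_OF_RISK = Scenario(
    programme_cost=25_000, billable_staff=500, billable_rate=250,
    hours_lost_per_head=0.0, annual_incident_cost=100_000, effectiveness=0.50,
)


def summary(s: Scenario) -> dict:
    """All the figures a reader would want for one scenario."""
    return {
        "investment": investment(s),
        "saving": saving(s),
        "net_return": net_return(s),
        "break_even_effectiveness": break_even_effectiveness(s),
        "max_affordable_hours_per_head": max_affordable_hours_per_head(s),
    }


if __name__ == "__main__":
    for name, scen in (("traditional", TRADITIONAL), ("point of risk", POINT_OF_RISK)):
        print(name)
        for k, v in summary(scen).items():
            print(f"  {k}: {v:,.2f}")
```

Two numbers fall out of the model that the post does not spell out: the traditional programme would need 150% effectiveness to break even, which no training can deliver, and at 50% effectiveness the point-of-risk approach can consume at most 0.2 billable hours (12 minutes) per lawyer per year before the £25k gain is eaten by lost billing.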

But how can we possibly justify this ‘do less, gain more’ outcome? To get a sense of why this is possible, consider just two examples of the many aspects of behavioural and learning science that can be employed:

  • Looking at how behaviour change works, the key ingredient that most security awareness lacks is any form of ‘prompt’ for that change. Behaviour change requires effective prompts delivered at the right time.
  • Looking at how people learn most effectively, spacing is the simple concept that if you learn something today, again next week and again the week after, you will retain more, for longer. Research has shown that even basic forms of spaced learning result in a 50% improvement in retention.

User centric security

So, what are we trying to achieve through security awareness? We’ve noted before that we shouldn’t be trying to turn our users into security experts. Our ideal is to deliver the right content, to the right people, at the right time. And the time is ‘at the point of risk’.

At ThinkCyber our focus is on delivering small, tweet-sized chunks of content at exactly the point when the user needs to be aware: real-time ‘nudges’ to take secure decisions when employees interact with a range of threat vectors such as emails, hyperlinks, USB devices and social media.

Clearly the numbers above are based on averages and approximations, and training may of course be squeezed in out of hours, reducing the impact on billing, although not on staff. But it is clear that by applying these enhanced techniques in place of ineffective training, we can save staff time, reduce the cost of security incidents and generate a positive Return on Awareness.

Original ROI image copyright ivelinradkov / 123RF Stock Photo