A recently introduced risk model has determined that investments in end-user training could help reduce an organization's security-related risk by as much as 60 percent.
The Aberdeen Group teamed up with Wombat Security Technologies to create a Monte Carlo model that would quantify how employees' online actions correlate with an enterprise's risk. The model, based on various studies, fixes the number of users at 1,000 and the annual revenue at $200 million. To determine the cost of awareness and training of users, Aberdeen used Wombat's current list price.
The model found that there is an 80 percent likelihood that infections from user behaviors will result in total costs of more than $2.5 million per year; however, investments in user training and awareness can reduce that cost to $1 million per year, a reduction of 60 percent.
The dramatic decline in cost can be attributed to the efforts attackers make to target end-users. Whereas attackers previously focused on the infrastructure of a system, they are now homing in on users and making efforts to convince them that an attack is legitimate, said Joe Ferrara, president and CEO, Wombat Security Technologies, in a Wednesday interview with SCMagazine.com.
“Users are much easier to trick and attack,” he said. “A few clicks and keystrokes can completely circumvent the security infrastructure out there (in the enterprise).”
The study suggested that more intensive end-user training could lessen the impact of this shift in attack methods.