Is Anti-Phishing Training Effective at Reducing Risk?

January 23, 2019  Isaiah McGowan

Here at RiskLens, one of our passions is quantifying (in dollars and cents) things that some say cannot be quantified. This is the third in a series of posts exploring examples of quantified risks.

What we covered so far

At the beginning of this series, we covered elements of quantification and explained who is involved in quantifying risk. We looked at the ROI of database tokenization and the ROI of encryption-at-rest. Both were clear-cut decisions. Next, we will discuss a multi-option ROI comparison.

Key value principles

In assessing a new security measure, it is important to understand the roles of security practitioners and of controls.

  • The value of information security practitioners is in their ability to affect exposure to loss.
  • The value of any control is its ability to reduce the frequency of loss events, the magnitude of loss events, or both.

Following these principles, a Fortune 100 healthcare company used RiskLens to measure the value of anti-phishing training. The goal of the analysis was to assess the relevance and efficacy of the control and to make a FAIR-based decision on how to treat the risk.

Supporting CISO decisions

The CISO of the company had a choice to make:

  • spend more on training users regarding phishing behavior, or
  • invest in an email sandboxing technology.

Using RiskLens, the company first measured its current loss exposure to email phishing attacks. It then measured how much that exposure would fall after executing additional anti-phishing training initiatives, which is the risk reduction the training option buys.
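The comparison described above can be run as a small Monte Carlo analysis in FAIR terms: loss exposure is the product of loss event frequency and loss magnitude, each control scales one of those factors, and the risk reduction net of the control's annual cost gives the ROI of each option. The script below is an added example written for this post, not RiskLens code and not the healthcare company's data; every input range, the 0.6 and 0.3 effectiveness factors, and the control costs are constructed placeholders, and the triangular distribution stands in for the PERT distribution that FAIR tooling usually uses.

```python
"""Monte Carlo comparison of anti-phishing training vs. email sandboxing.

Added example, not RiskLens code. All numbers below are constructed
illustrations, not results from the analysis described in the post.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """FAIR inputs for one phishing scenario; each field is (min, most likely, max)."""
    contact_freq: tuple     # malicious emails reaching users per year
    susceptibility: tuple   # probability a delivered email becomes a loss event
    loss_magnitude: tuple   # dollars lost per loss event


def _draw(rng, lo_ml_hi):
    """Sample a triangular distribution from a (min, most likely, max) triple."""
    lo, ml, hi = lo_ml_hi
    return rng.triangular(lo, hi, ml)   # random.triangular(low, high, mode)


def simulate(scenario, rng, years=10000):
    """Return one simulated annual loss per iteration.

    Loss event frequency = contact frequency x susceptibility; the expected
    event count is multiplied directly by a sampled loss magnitude (a
    simplification: FAIR tools normally sample a discrete event count).
    """
    losses = []
    for _ in range(years):
        lef = _draw(rng, scenario.contact_freq) * _draw(rng, scenario.susceptibility)
        losses.append(lef * _draw(rng, scenario.loss_magnitude))
    return losses


def summarize(losses):
    """Mean (annualized loss expectancy), 90th percentile and worst case."""
    s = sorted(losses)
    return {"mean": sum(s) / len(s), "p90": s[int(0.9 * len(s))], "max": s[-1]}


def _scale(triple, k):
    return tuple(x * k for x in triple)


def apply_control(base, contact_scale=1.0, suscept_scale=1.0):
    """Model a control as a multiplicative change to one frequency factor.

    Training lowers susceptibility (fewer users act on a phish); sandboxing
    lowers contact frequency (fewer malicious emails reach users). The
    scale factors are assumptions for the example, not measured values.
    """
    return Scenario(_scale(base.contact_freq, contact_scale),
                    _scale(base.susceptibility, suscept_scale),
                    base.loss_magnitude)


def compare(base, options, seed=1, years=10000):
    """Evaluate each option on the same random sample paths as the baseline."""
    baseline = summarize(simulate(base, random.Random(seed), years))
    results = {}
    for name, (scenario, annual_cost) in options.items():
        s = summarize(simulate(scenario, random.Random(seed), years))
        reduction = baseline["mean"] - s["mean"]
        results[name] = {
            "ale": s["mean"],
            "reduction": reduction,
            "net_benefit": reduction - annual_cost,
            "roi": (reduction - annual_cost) / annual_cost,
        }
    return baseline, results


# Constructed inputs for the example (not the company's figures).
BASE = Scenario(contact_freq=(200, 500, 1200),
                susceptibility=(0.02, 0.05, 0.12),
                loss_magnitude=(5_000, 40_000, 400_000))

OPTIONS = {
    # name: (scenario with the control applied, assumed annual cost in dollars)
    "training": (apply_control(BASE, suscept_scale=0.6), 150_000),
    "sandboxing": (apply_control(BASE, contact_scale=0.3), 250_000),
}

if __name__ == "__main__":
    baseline, results = compare(BASE, OPTIONS, seed=7)
    print(f"baseline ALE ${baseline['mean']:,.0f}  p90 ${baseline['p90']:,.0f}")
    for name, r in results.items():
        print(f"{name:10s} ALE ${r['ale']:,.0f}  reduction ${r['reduction']:,.0f}  "
              f"net ${r['net_benefit']:,.0f}  ROI {r['roi']:.0%}")
```

Reusing the same seed for the baseline and every option is deliberate: it evaluates each control on identical sample paths, so the difference between runs is the control's effect rather than sampling noise. Swap in measured ranges (click rates from past phishing simulations, observed malicious-email volumes, incident cost data) to turn the template into a real assessment.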

The results of the analysis supported choosing the alternative, more effective risk mitigation initiative over additional training.