Measure ROI of Phishing Awareness and Education Training

Written by

From industry to industry and country to country, phishing has become an epidemic so widespread that it recently prompted the U.S. Secretary of Homeland Security Jeh Johnson to proclaim it a primary threat to national security, saying: “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.”

In fact, phishing has evolved into an industry in itself, with adversaries targeting companies by industry, department and employee, tailoring attacks accordingly to ensure phishing emails appear as authentic as possible. While employees are often considered the front line of protection, they’re also the individuals most likely to voluntarily turn over information, succumbing to attackers’ cunning and methodical techniques.

As a result, some of the world’s most devastating cyber-attacks against corporations, critical infrastructure and even the White House, all have one thing in common: they began with phishing.

A Strategic phishing approach begins with employee awareness training

Last year, John Podesta, the campaign chair for Hillary Clinton, had his personal Gmail account compromised, resulting in the leak of 50,000 emails that revealed the internal communications of the Democratic Party and the campaign.

Earlier in 2017, the County of Los Angeles announced it was the victim of a phishing attack in which 108 of its employees compromised their own email accounts, impacting more than 750,000 people, by unwittingly responding to a phishing email.

To combat the escalating risk of phishing to businesses worldwide, many companies have invested in employee awareness and training campaigns under the assumption that the human element is not just the first line of defense, but also the first target of attack. A recent report from Cybersecurity Ventures predicts that the employee awareness education and training market will reach $10 billion in 2027, a 900 percent increase from 2014.

While evidence proves that employee awareness training is effective, ambiguity exists around what tangible metrics can be used to prove just how valuable the training is.

Measuring effectiveness of employee awareness

Because of the increasingly advanced phishing techniques deployed by cyber-criminals, it’s imperative that companies implement employee awareness and training programs to prepare for the inevitable – a phishing message. When evaluating the effectiveness and ROI of an employee awareness training, organizations should consider three criteria to measure:

I. Frequency of Employee Engagement - The time individual employees spend watching tutorials and working through ‘gamified’ scenarios is an indication of the quality of the videos, their relevance to the employees and the employees’ commitment to ongoing education. Based on these factors, organizations can determine whether or not to continue the training as is, or pick a training session that is more suitable to the culture, acumen and demands of its employees.

II. User Performance - In order to measure the efficiency and ROI of the training exercises, organizations should consistently monitor user performance, looking for individual and organizational improvements with key security metrics such as:

  • Reduction in click rates
  • Increases in detection rates
  • Decreases in detection times

Monitoring provides the organization with insight into the employees that are cyber savvy and those that continue to put the network at risk. A low participation rate, most of the time, will not result in any improvements to key security metrics. This should lead to frontal training and even a hearing process to make the employee fully understand not only the importance of email security, but the consequences of a successful phishing attack that he or she can help prevent.

III. SOC Team - Employee Collaboration – A key question to ask when analyzing employee awareness training is whether or not trust has formed and greater collaboration exists between SOC teams and employees. Often times, companies that truly prioritize phishing mitigation awareness training benefit from a more -productive relationship between employees and security professionals. Because of this trust and collaboration, the chances of successful mitigation and remediation often increase during a breach.

While employees will always be the first line of defense after traditional defenses have been bypassed, organizations must recognize that the imperfection of people will always solidify humans as a primary vulnerability. In the end, however, recurring employee awareness campaigns, measured for effectiveness, efficiency and collaboration, can go a long way in helping to reduce the onslaught of phishing risk.

What’s hot on Infosecurity Magazine?