But not taking care of security is also a costly business: the recent fines of $5 billion applied to Facebook and $123 million to Marriott are just the tip of the iceberg. Even without fines to worry about, average annual costs from cyber-attacks are around $4.7 million, according to Willis Towers Watson. Added to all of these tangible costs are the intangibles such as reputation damage. I could go on In the Ninth Annual Cost of Cybercrime Study by Accenture, they found that “people-based attacks” were increasing at the fastest rate. It seems to make sense, therefore, that we place a budgetary emphasis on cybersecurity training. But can we demonstrate the need for security awareness for employees? Can we somehow quantify this decision rather than use a gut reaction to determine budget spent on cybersecurity? In other words, is there a return on investment (ROI) equation we can use to calculate the cost/benefit of spending on cybersecurity training in our organization?
What does an ROI equation for cybersecurity training look like?
To create an equation for ROI, you need to look at the variables that equation would contain. In its simplest form, an ROI question is: ROI = Where: R = Return (Benefit) I = Investment (Cost) The problem security professionals have is how to calculate R and I. The ROI equation shown above is simply not detailed enough to cover the complexity of the variables that make up the world of cybersecurity threats and mitigation. Work has been done to attempt to create an ROI equation applicable to cybersecurity projects. In a Forbes article on the subject of a cybersecurity ROI, Michael Coden argues the case for an ROI calculation based on MIT research. The researchers at MIT focus on the components of a “cyber-threat” chain; that is, the steps taken to enact a cybersecurity incident. The framework from the research output is known as STACHT. The ROI equation for cybersecurity spend developed by Coden using the STACHT research is: ROI = Where: Probability of a Compromise (PC) = threats x vulnerabilities Impact of a Compromise (IC) = asset x losses given a compromise Although Coden’s equation is more complex than the general ROI equation, it is much more applicable and works on a per-project basis. If an ROI equation was applied to cybersecurity, globally, in an organization, it would be very complex and likely to miss out key variables. Coden uses a stochastic method of calculating ROI. That is, he weights the variables using a probability factor.
The intangible and tangible impacts of cybersecurity training for IT and IS staff
Our IT and IS staff provide a front line of protection of our corporate assets. Their training is essential in ensuring that relevant and best-fit mechanisms are used. Cybersecurity training, including certification for IT professionals, provides the most up-to-date knowledge available. This empowers the individual to make good decisions. This empowerment is part of a general ROI for cybersecurity training. When you put the ingredients in and turn the handle of any equation, you expect something to come out the other side that can be applied to the situation. Michael Coden’s ROI equation uses probability to weight these less than tangible variables. Fuzzy set theory could also be used, where appropriate, and where probability is difficult to calculate; I briefly discuss this in a later section. Adding intangibles such as post-breach reputation damage is important. Other intangibles include employee development and also, importantly, motivation. These sorts of items are hard to quantify but have a large impact; their weighting in terms of any ROI equation would be high.
Assets and losses
Intangible example 1: Direct financial loss of NOT training
These can be very difficult to quantify, as they can have an impact across the entire organization and beyond. Some costs come in many years after a cyberattack, as class actions are built up. Using a fuzzy set, you could build up a view of what level of impact would be felt if you do not train your staff to prevent data breaches. For example, ensuring cybersecurity training for IT and IS staff can prevent something like someone not patching a server because they don’t know how to do it safely — which results in a breach when an unpatched vulnerability is exploited.
Intangible example 2: Employee motivation and skill
Ensuring your staff are the best they can be at a job is good for both the business and the individual. Giving your employees the skills and knowledge to make the best decision will motivate them. It will also, ultimately, build better teams too. Individuals who feel better prepared for their work will be happier and more confident which reflects in how they deliver. This, alone, is priceless.
Intangible example 3: Reputation damage
Reputation damage is typically very difficult to quantify. There are many elements to this, including, loss of customer trade, share price drops and falls in industry influence that impact partnership value. A fuzzy set could be created to reflect this variable.
Tangible example 1: Compliance not covered — fines?
A number of regulations around data protection, such as PCI-DSS and GDPR, either mandate or strongly suggest that you use security awareness training. If you suffer a breach and have implemented awareness training, you will have a better defense in any court case that ensues. Enter the cost of a fine for not complying with any specific legislation that affects your industry/business.
Tangible example 2: Insurance premiums could increase
Cybersecurity insurance can have lower premiums if you reduce your risk by training employees in security awareness and carry out phishing simulations.
Threats and vulnerabilities
Going back to the human angle of cybersecurity threats, your ROI equation will need to include and analysis of the threats and vulnerabilities the project will deal with. Cybersecurity training involves threats that have a human element, such as phishing and password hygiene.
Cost of the project
The cost of running a cybersecurity awareness training program should include:
The cost of the training package itself Employee time spent on training (as opposed to doing their core job) Administration costs for running the program, e.g., analysis of metrics
The fuzzy sets of cybersecurity: Non-stochastic ROI calculation
Probability is one way to look at the ROI equation. Another is by using fuzzy set theory. The equation of a line that describes the fuzzy set membership function could potentially be used instead of a probability factor. This would allow the extrapolation of a fuzzy (intangible) item to an actual value. Here is an example showing a fuzzy set for age: (Source) Fuzzy sets can be used to further deduce an integer that gives you a “degree of truth,” adding an element of quantification into an otherwise non-quantifiable equation. The example here is simplified, but the basic premise of using fuzzy membership data to achieve a quantifiable output can be applied to certain cybersecurity criteria. For example, a fuzzy set could be created for hard to quantify areas such as loss of reputation. There are a number of calculators online that could be used as a basis for creating an ROI equation based on fuzzy set membership for the intangible variables needed to calculate the value of a cybersecurity training program. This online calculator has potential, and the sample on the site could also be adjusted to apply to intangible cybersecurity costs associated with losses.
The bottom line on cybersecurity training return on investment
While all of the above suggested calculations can be used to work out a definitive for cybersecurity training, the bottom line is this: the average cost of a data breach in 2018 was $3.92 million, according to a 2019 Ponemon study. Compare this to the cost of certification for your staff. Let’s say the average cost of a security certification course for an employee is $500. This course ensures that an employee knows how to securely patch a server. This skill, alone, will help reduce the kind of attacks which have left companies reeling: cyberattacks like WannaCry affected unpatched computers, or malware like PyroMine, which infected computers through the vulnerability EternalRomance. The ROI in these cases is just common-sense math.
Conclusion
An ROI equation with probability weighting goes some way towards outputting a more quantitative result. You can also look at applying fuzzy set analysis to the intangible items that security awareness training can help alleviate. If we can output a demonstrable outcome from cybersecurity training, you are more likely to be understood by your board and those who hold the purse strings in your organization. However, often an ROI equation is just not needed, especially with difficult-to-quantify items such as reputation and employee job satisfaction. A simple “this is the average cost of an attack on a company like ours versus the cost of cybersecurity training” will enlighten even the most uncompromising C-level folks.
Sources
Gartner Says IT Security Spending to Hit $124B in 2019, Dark Reading More than one in 10 firms losing over $10 million due to cyber attacks according to Willis Towers Watson and ESI ThoughtLab, Willis Towers Watson Ninth Annual Cost of Cybercrime Study, Accenture Yes, Virginia, You Can Calculate ROI For Cybersecurity Budgets, Forbes Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks, IAEA Fuzzy arithmetic calculator, Vladimir Abaev 2019 Cost of a Data Breach Report, IBM